Hi there.
For several hours I have been receiving SYN packets from *lots* of hosts.
It doesn't appear to be a *personal* attack, but most probably some new virii/vermii, because:
The hit frequency is not that high: my latencies have gone to the sky, but still inside the atmosphere ;-).
I only get a few requests from each host, and there are thousands of them, from all around the world. Most of the hosts (the ones with reverse DNS, anyway) appear to be over DSL/Cable lines, like:
    adsl-65-67-113-211.dsl.rcsntx.swbell.net
    ben215.neoplus.adsl.tpnet.pl
    wbar18.dal1-4.29.164.140.dal1.dsl-verizon.net
    S010600402b65ad2b.vc.shawcable.net
    DSL01.212.114.236.176.NEFkom.net
    ...
The hits appear to probe several ports, including 135, 445, 4662, 21338 and 31841. Two of them in /etc/services:
    loc-srv         135/tcp    epmap        # Location Service
    microsoft-ds    445/tcp                 # Microsoft Naked CIFS
Anyone experiencing it, or with an idea of what this is?
As I said, so far the only complication is with online games ;-), but nonetheless, the propagation of the "thing" is most impressive.
Is it the Apocalypse Now???? (Redux ;-) )
As you'll see next, my firewall already refuses connections to those ports (with the standard DROP at the end of the iptables chain), but even a few hits a second get my latency really high. Is there a better way to deal with these packets?
Sniffer log extract follows:
Source           Destination      Protocol  Info
1.140.142.132    THIS.IS.MY.HOST  TCP       2391 > microsoft-ds [SYN] Seq=0 Ack=0 Win=8760 Len=0 MSS=1460
THIS.IS.MY.HOST  61.140.142.132   ICMP      Destination unreachable
80.38.27.138     THIS.IS.MY.HOST  TCP       4811 > 21338 [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460
61.145.99.67     THIS.IS.MY.HOST  TCP       1268 > microsoft-ds [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1440
THIS.IS.MY.HOST  61.145.99.67     ICMP      Destination unreachable
201.135.98.127   THIS.IS.MY.HOST  TCP       1983 > loc-srv [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1440
THIS.IS.MY.HOST  201.135.98.127   ICMP      Destination unreachable
3com_5a:43:3f    Cisco_f7:60:38   PPP LCP   Echo Request
Cisco_f7:60:38   3com_5a:43:3f    PPP LCP   Echo Reply
212.114.236.176  THIS.IS.MY.HOST  TCP       29696 > 21338 [SYN] Seq=0 Ack=0 Win=5808 Len=0 MSS=1452 TSV=53902057 TSER=0 WS=0
212.114.236.176  THIS.IS.MY.HOST  TCP       29697 > 21338 [SYN] Seq=0 Ack=0 Win=5808 Len=0 MSS=1452 TSV=53902057 TSER=0 WS=0
68.148.140.208   THIS.IS.MY.HOST  TCP       4053 > microsoft-ds [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
THIS.IS.MY.HOST  68.148.140.208   ICMP      Destination unreachable
61.145.99.67     THIS.IS.MY.HOST  TCP       1268 > microsoft-ds [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1440
THIS.IS.MY.HOST  61.145.99.67     ICMP      Destination unreachable
212.114.236.176  THIS.IS.MY.HOST  TCP       29696 > 21338 [SYN] Seq=0 Ack=0 Win=5808 Len=0 MSS=1452 TSV=53902357 TSER=0 WS=0
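The reasoning in the post ("a few requests from each host, thousands of hosts" means a worm sweep rather than a targeted attack) can be checked mechanically against a capture in the sniffer's "Source Destination Protocol Info" layout. The script below is an added example, not code from the original message: it counts distinct sources per destination port, probes per source, and the ICMP "Destination unreachable" replies the host itself sends back. The sample log is constructed after the posted extract (the first address is filled in to match its ICMP reply), and the host name THIS.IS.MY.HOST and the worm-sweep threshold are assumptions.

```python
"""Summarise a SYN-probe capture in 'Source Destination Protocol Info' layout.

Added example (not from the original post). Counts how many distinct
sources hit each destination port, how many SYNs each source sent, and
how many ICMP unreachable replies our own host generated in response.
"""
import re
from collections import Counter, defaultdict

MY_HOST = "THIS.IS.MY.HOST"  # assumed placeholder, as in the post

# Constructed sample, modelled on the posted sniffer extract.
SAMPLE_LOG = """\
61.140.142.132 THIS.IS.MY.HOST TCP 2391 > microsoft-ds [SYN] Seq=0 Ack=0 Win=8760 Len=0 MSS=1460
THIS.IS.MY.HOST 61.140.142.132 ICMP Destination unreachable
80.38.27.138 THIS.IS.MY.HOST TCP 4811 > 21338 [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460
61.145.99.67 THIS.IS.MY.HOST TCP 1268 > microsoft-ds [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1440
THIS.IS.MY.HOST 61.145.99.67 ICMP Destination unreachable
201.135.98.127 THIS.IS.MY.HOST TCP 1983 > loc-srv [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1440
THIS.IS.MY.HOST 201.135.98.127 ICMP Destination unreachable
3com_5a:43:3f Cisco_f7:60:38 PPP LCP Echo Request
Cisco_f7:60:38 3com_5a:43:3f PPP LCP Echo Reply
212.114.236.176 THIS.IS.MY.HOST TCP 29696 > 21338 [SYN] Seq=0 Ack=0 Win=5808 Len=0 MSS=1452 TSV=53902057 TSER=0 WS=0
212.114.236.176 THIS.IS.MY.HOST TCP 29697 > 21338 [SYN] Seq=0 Ack=0 Win=5808 Len=0 MSS=1452 TSV=53902057 TSER=0 WS=0
68.148.140.208 THIS.IS.MY.HOST TCP 4053 > microsoft-ds [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
THIS.IS.MY.HOST 68.148.140.208 ICMP Destination unreachable
61.145.99.67 THIS.IS.MY.HOST TCP 1268 > microsoft-ds [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1440
THIS.IS.MY.HOST 61.145.99.67 ICMP Destination unreachable
212.114.236.176 THIS.IS.MY.HOST TCP 29696 > 21338 [SYN] Seq=0 Ack=0 Win=5808 Len=0 MSS=1452 TSV=53902357 TSER=0 WS=0
"""

# Service names the sniffer substitutes for well-known ports (/etc/services).
SERVICE_PORTS = {"loc-srv": 135, "epmap": 135, "microsoft-ds": 445}

SYN_RE = re.compile(r"^(\S+) (\S+) TCP (\d+) > (\S+) \[SYN\] ")
ICMP_RE = re.compile(r"^(\S+) (\S+) ICMP Destination unreachable")


def port_number(name):
    """Map a service name or numeric string to a port number."""
    return SERVICE_PORTS.get(name) or int(name)


def summarise(log_text, my_host=MY_HOST, sweep_max_per_source=5):
    """Return per-port / per-source counts and a worm-sweep verdict.

    A distributed sweep looks like many sources each sending very few
    probes; a targeted scan or flood looks like few sources sending many.
    The threshold of 5 probes per source is an assumed heuristic.
    """
    sources_by_port = defaultdict(set)  # dst port -> set of source addresses
    probes_by_source = Counter()        # source -> SYNs seen from it
    syn_total = 0
    icmp_replies = 0
    for line in log_text.splitlines():
        m = SYN_RE.match(line)
        if m and m.group(2) == my_host:
            src, dport = m.group(1), port_number(m.group(4))
            sources_by_port[dport].add(src)
            probes_by_source[src] += 1
            syn_total += 1
            continue
        m = ICMP_RE.match(line)
        if m and m.group(1) == my_host:
            icmp_replies += 1  # an answer our host paid upstream bandwidth for
    distinct = len(probes_by_source)
    return {
        "syn_total": syn_total,
        "distinct_sources": distinct,
        "sources_per_port": {p: len(s) for p, s in sources_by_port.items()},
        "max_probes_from_one_source": max(probes_by_source.values(), default=0),
        "icmp_replies_sent": icmp_replies,
        "looks_distributed": distinct >= 3
        and syn_total / distinct < sweep_max_per_source,
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real capture, the `icmp_replies_sent` figure is the one to watch: the rows where THIS.IS.MY.HOST sends "Destination unreachable" are packets the host generates itself, and on an asymmetric DSL line every such answer costs upstream capacity. Comparing that count with `syn_total` shows how much of the line goes to answering probes; `iptables -L INPUT -v -n` shows which rule (and whether DROP or REJECT) is handling each port.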