Does the SYN flood have TCP option headers? I am seeing this same activity at our forward observation system; however, it's not showing any TCP options (MSS, SACK, timestamps, etc.). I was curious whether others were seeing the same.
[root@oakridge-intercept(~)]> tcpdump -nn -i eth0 'tcp and (tcp[13] == 2)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:09:32.772506 IP 95.131.190.214.80 > 67.220.207.169.21: Flags [S], seq 3599006989, win 8192, length 0
13:09:32.809446 IP 95.131.185.150.80 > 67.220.207.169.21: Flags [S], seq 2409909072, win 8192, length 0
13:09:33.306737 IP 141.138.133.161.80 > 67.220.207.169.21: Flags [S], seq 1006681302, win 8192, length 0
13:09:33.946427 IP 141.138.134.193.80 > 67.220.207.170.21: Flags [S], seq 3627295948, win 8192, length 0
13:09:33.946469 IP 141.138.134.193.80 > 67.220.207.170.21: Flags [S], seq 3627295948, win 8192, length 0
13:09:34.263905 IP 194.73.173.103.80 > 67.220.207.170.21: Flags [S], seq 3818041920, win 8192, length 0
13:09:34.415558 IP 194.73.173.243.80 > 67.220.207.169.21: Flags [S], seq 3584410928, win 8192, length 0

On 1 November 2016 at 13:52, Emille Blanc <emi...@abccommunications.com> wrote:
> Ditto. Same sources; 141.138.128.0/21 and 95.131.184.0/21 (give or take).
>
> Out of a 1000 packet sample taken at 12:45:46 PDT (19:45:46 UTC) at the boundary, 502 unique sources to 10 destination hosts on our AS.
>
> Obligatory data should this be of use to anyone listening in.
>
> -----Original Message-----
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ken Chase
> Sent: November-01-16 12:29 PM
> To: Oleg A. Arkhangelsky
> Cc: nanog@nanog.org
> Subject: Re: Syn flood to TCP port 21 from privileged port (80)
>
> seeing an awful lot of port 80 hitting port 21. (Why would port 80 ever be used as source?). Also saw a buncha cpanel "FAILED: FTP" alerts flickering on and off as the service throttled itself at a couple client sites I manage.
>
> I see 540 unique source IPs hitting 32 destinations on my network in just 1000 packets dumped on one router.
>
> All from multiple sequential registered /24s in whois, but all from one management company:
>
> 141.138.128.0/21 and 95.131.184.0/21
>
> role: William Hill Network Services
> abuse-mailbox: networkservi...@williamhill.co.uk
> address: Infrastructure Services 2 City Walk Sweet Street Leeds LS11 9AR
>
> AS49061
>
> course, synfloods can be spoofed... perhaps they're hoping for a retaliation against WHNS.
>
> /kc
>
> On Tue, Nov 01, 2016 at 09:44:23PM +0300, Oleg A. Arkhangelsky said:
> >Hello,
> >
> >A couple of cuts from tcpdump output:
> >
> >21:31:54.995170 IP 141.138.131.115.80 > 109.72.248.114.21: Flags [S], seq 1376379765, win 8192, length 0
> >21:31:55.231925 IP 194.73.173.154.80 > 109.72.241.198.21: Flags [S], seq 2254756684, win 8192, length 0
> >21:27:50.413927 IP 95.131.188.179.80 > 109.72.248.114.21: Flags [S], seq 3619475318, win 8192, length 0
> >21:27:50.477014 IP 95.131.191.77.80 > 109.72.248.114.21: Flags [S], seq 2412690982, win 8192, length 0
> >
> >Is anyone seeing this right now (18:31 UTC)? I see this traffic on at least two completely independent ISPs near Moscow. The rate is about a few dozen PPS hitting all BGP-announced networks.
> >
> >--
> >wbr, Oleg.
> >
> >"Anarchy is about taking complete responsibility for yourself."
> >  -- Alan Moore.
>
> --
> Ken Chase - m...@sizone.org Guelph Canada
>
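The posters above counted unique sources, destinations and source prefixes by hand from 1000-packet samples, and the question at the top of the thread is whether any of the SYNs carry TCP options. The following script is an added example, not code from anyone in the thread: it parses the `tcpdump -nn` text lines quoted above and reports those figures, plus whether options were present and how many SYNs were duplicated (the 141.138.134.193 packet above appears twice with the same sequence number). The sample input is constructed: it reuses the captured lines from the thread and adds one made-up legitimate SYN from 203.0.113.7 (a documentation address) with options and an ephemeral source port, so the filter has something to exclude. The "source port 80 to port 21, SYN only" signature and the /21 aggregation are assumptions taken from the thread, not a general rule.

```python
"""Summarise a SYN-flood sample from tcpdump text output (added example).

Parses lines of the form printed by `tcpdump -nn` in the thread and reports
unique sources, unique destinations, source prefixes, TCP window values,
whether any matching SYN carried TCP options, and duplicated SYNs.
"""
import ipaddress
import re
from collections import Counter

# tcpdump -nn prints, for a TCP packet:
#   TIME IP SRC.SPORT > DST.DPORT: Flags [F], seq N, win W, [options [...],] length L
# The options group is only present when the segment actually carries options.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\], seq (?P<seq>\d+), win (?P<win>\d+),"
    r"(?: options \[(?P<opts>[^\]]*)\],)? length (?P<len>\d+)"
)

# Constructed sample: the flood lines quoted in the thread, the tcpdump banner
# lines (which the parser must skip), and one made-up legitimate SYN from a
# documentation address (203.0.113.7) that carries options and uses an
# ephemeral source port.
SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:09:32.772506 IP 95.131.190.214.80 > 67.220.207.169.21: Flags [S], seq 3599006989, win 8192, length 0
13:09:32.809446 IP 95.131.185.150.80 > 67.220.207.169.21: Flags [S], seq 2409909072, win 8192, length 0
13:09:33.306737 IP 141.138.133.161.80 > 67.220.207.169.21: Flags [S], seq 1006681302, win 8192, length 0
13:09:33.946427 IP 141.138.134.193.80 > 67.220.207.170.21: Flags [S], seq 3627295948, win 8192, length 0
13:09:33.946469 IP 141.138.134.193.80 > 67.220.207.170.21: Flags [S], seq 3627295948, win 8192, length 0
13:09:34.263905 IP 194.73.173.103.80 > 67.220.207.170.21: Flags [S], seq 3818041920, win 8192, length 0
13:09:35.000001 IP 203.0.113.7.51234 > 67.220.207.169.21: Flags [S], seq 111, win 29200, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
"""


def parse(text):
    """Return one dict per parseable tcpdump packet line; other lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner lines, non-TCP packets, anything else
        d = m.groupdict()
        for key in ("sport", "dport", "seq", "win", "len"):
            d[key] = int(d[key])
        pkts.append(d)
    return pkts


def summarise(text, dport=21, prefix_len=21):
    """Apply the thread's signature (bare SYN, source port 80, to dport) and count."""
    syns = [p for p in parse(text)
            if p["flags"] == "S" and p["sport"] == 80 and p["dport"] == dport]
    srcs = {p["src"] for p in syns}
    dsts = {p["dst"] for p in syns}
    # Aggregate sources to /prefix_len so the responsible blocks stand out
    # (the thread assumes /21s; adjust to taste).
    prefixes = Counter(
        str(ipaddress.ip_network(f"{s}/{prefix_len}", strict=False)) for s in srcs)
    # A repeated (src, dst, seq) triple is either a retransmit or a duplicate capture.
    seen = Counter((p["src"], p["dst"], p["seq"]) for p in syns)
    return {
        "packets": len(syns),
        "unique_sources": len(srcs),
        "unique_destinations": len(dsts),
        "source_prefixes": dict(prefixes),
        "windows": dict(Counter(p["win"] for p in syns)),
        "with_options": sum(1 for p in syns if p["opts"]),
        "duplicate_syns": sum(1 for c in seen.values() if c > 1),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE).items():
        print(f"{key}: {value}")
```

To run it on a live sample, pipe the output of `tcpdump -nn -i eth0 -c 1000 'tcp and (tcp[13] == 2)'` into `summarise` instead of `SAMPLE`; the `tcp[13] == 2` filter in the capture above already restricts to segments whose only flag is SYN, so the `flags == "S"` check is redundant there but matters when the input is an unfiltered dump. A `with_options` of zero across a large sample, combined with a constant window of 8192 and a fixed source port, is the kind of uniform fingerprint that distinguishes generated packets from real client connection attempts.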