Message-ID: <200301241206.25599.danielf@supportteam.net>
From: danielf at supportteam.net (Daniel F. Chief Security Engineer -)
Subject: dDoS tool
Has anyone seen a DDoS tool that spoofs packets with the following sig?
17:31:00.586927 146.201.0.0.1525 > x.x.x.x.53: S 863830016:863830016(0) win 16384
17:31:00.587631 159.16.0.0.1881 > x.x.x.x.53: S 1406468096:1406468096(0) win 16384
17:31:00.588101 146.202.0.0.1487 > x.x.x.x.53: S 1303183360:1303183360(0) win 16384
17:31:00.588453 153.52.0.0.1713 > x.x.x.x.53: S 584646656:584646656(0) win 16384
17:31:00.588687 125.80.0.0.1719 > x.x.x.x.53: S 1109524480:1109524480(0) win 16384
17:31:00.588806 19.84.0.0.1098 > x.x.x.x.53: S 984547328:984547328(0) win 16384
17:31:00.589039 184.36.0.0.1410 > x.x.x.x.53: S 537985024:537985024(0) win 16384
17:31:00.589157 158.247.0.0.1446 > x.x.x.x.53: S 1401094144:1401094144(0) win 16384
All the IPs that were attacking us ended in 0.0, and we all know those IPs
should not be sending packets to the internet to begin with. We were seeing
this for every IP 0.0.0.0 - 255.255.0.0 coming inbound.
Thanks for any help.
--
Daniel Fairchild - Chief Security Engineer | danielf@...portteam.net
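
Added example, not part of the original post: a small filter that picks the signature described above (bare SYN to port 53 from a source address ending in .0.0) out of tcpdump text output and summarizes what the matching packets share. The function names are hypothetical, the first three sample lines are copied from the post, and the last two are constructed non-matching traffic.

```python
import re
from collections import Counter

# Old-style tcpdump text: time src.port > dst.port: flags seq:seq(len) win N
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<flags>\S+) "
    r"(?P<seq>\d+):\d+\(\d+\) win (?P<win>\d+)"
)

def parse(line):
    """Return the TCP fields of one line, or None if it is not a TCP line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def matches_signature(pkt):
    """Bare SYN to port 53 whose source address ends in .0.0."""
    return (pkt["flags"] == "S" and pkt["dport"] == "53"
            and pkt["src"].endswith(".0.0"))

def summarize(lines):
    hits = [p for p in map(parse, lines) if p and matches_signature(p)]
    return {
        "hits": len(hits),
        "sources": sorted({p["src"] for p in hits}),
        "windows": Counter(int(p["win"]) for p in hits),
        # In the posted lines the low 16 bits of the sequence number are
        # zero as well, so count how many hits share that trait.
        "seq_low16_zero": sum(int(p["seq"]) % 65536 == 0 for p in hits),
    }

SAMPLE = [
    # Copied from the post (destination already redacted as x.x.x.x)
    "17:31:00.586927 146.201.0.0.1525 > x.x.x.x.53: S 863830016:863830016(0) win 16384",
    "17:31:00.587631 159.16.0.0.1881 > x.x.x.x.53: S 1406468096:1406468096(0) win 16384",
    "17:31:00.588101 146.202.0.0.1487 > x.x.x.x.53: S 1303183360:1303183360(0) win 16384",
    # Constructed: SYN to port 53 from an ordinary host address
    "17:31:01.000000 198.51.100.7.40000 > x.x.x.x.53: S 123456789:123456789(0) win 65535",
    # Constructed: UDP DNS query, not a TCP line at all
    "17:31:01.100000 198.51.100.7.40001 > x.x.x.x.53: 1234+ A? example.com. (29)",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
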