[Snort-users] not your typical : BAD-TRAFFIC tcp port 0 traffic portscanning?

Richard Bejtlich taosecurity at ...11827...
Fri May 25 21:46:54 EDT 2007


Michael Scheidell wrote:

> Any idea what they are doing? Trying to portscan? Looking for some
> vulnerability with 'dest port' 0?

> 05/25-09:22:49 TCP 121.35.241.129:8000 -->  xxx.xxx.xxx.xxx :0
> [1:524:8] BAD-TRAFFIC tcp port 0 traffic
> [Classification: Misc activity] [Priority: 3]
>
>
> #(2 - 738314) [2007-05-25 07:43:37] [snort/524] BAD-TRAFFIC tcp port 0
> traffic IPv4: 121.35.241.129 -> xxx.xxx.xxx.xxx
> hlen=5 TOS=0 dlen=40 ID=51608 flags=0 offset=0 TTL=238 chksum=35950
> TCP: port=80 -> dport: 0 flags=***A*R** seq=0
> ack=759384068 off=5 res=0 win=0 urp=0 chksum=50032 Payload: none

Michael,

It's "backscatter."  An unknown third party is spoofing
xxx.xxx.xxx.xxx and SYN flooding port 80 TCP on 121.35.241.129.
121.35.241.129 is the real victim.

2000 paper:

http://www.taosecurity.com/nid_3pe_v101.pdf

1999 paper:

http://www.taosecurity.com/intv2-8.html

There's nothing to worry about.

Sincerely,

Richard
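
The distinction Richard draws (a RST/ACK from a service port with seq=0 is the reply half of a handshake the spoofed host never started, so the "source" is the real flood victim) can be turned into a triage check over the alert format quoted above. This is an added example, not code from the thread or from Snort: it parses constructed records laid out like the one Michael posted (the second record is made up) and assumes Snort's eight-position flag string, in the order 1 2 U A P R S F.

```python
import re
from typing import Dict, List

# Snort prints TCP flags as eight positions, one character each:
# reserved bit 1, reserved bit 2, URG, ACK, PSH, RST, SYN, FIN; '*' means not set.
FLAG_NAMES = "12UAPRSF"

# Constructed sample records in the layout quoted in the post. The first mirrors
# the quoted alert; the second is invented (a bare SYN toward port 0) for contrast.
SAMPLE_ALERTS = """\
#(2 - 738314) [2007-05-25 07:43:37] [snort/524] BAD-TRAFFIC tcp port 0 traffic IPv4: 121.35.241.129 -> 192.0.2.10
hlen=5 TOS=0 dlen=40 ID=51608 flags=0 offset=0 TTL=238 chksum=35950
TCP: port=80 -> dport: 0 flags=***A*R** seq=0
ack=759384068 off=5 res=0 win=0 urp=0 chksum=50032 Payload: none
#(2 - 738315) [2007-05-25 07:44:02] [snort/524] BAD-TRAFFIC tcp port 0 traffic IPv4: 198.51.100.7 -> 192.0.2.10
hlen=5 TOS=0 dlen=40 ID=7 flags=0 offset=0 TTL=64 chksum=1
TCP: port=45123 -> dport: 0 flags=******S* seq=5551212
ack=0 off=5 res=0 win=1024 urp=0 chksum=2 Payload: none
"""

RECORD_RE = re.compile(
    r"IPv4: (?P<src>[\d.]+) -> (?P<dst>[\d.]+).*?"
    r"TCP: port=(?P<sport>\d+) -> dport: (?P<dport>\d+) "
    r"flags=(?P<flags>[12UAPRSF*]{8}) seq=(?P<seq>\d+)\s+ack=(?P<ack>\d+)",
    re.S,
)

def parse_alerts(text: str) -> List[Dict]:
    """Split the dump on '#(' record headers and pull the IP/TCP fields out of each record."""
    records = []
    for chunk in re.split(r"^(?=#\()", text, flags=re.M):
        m = RECORD_RE.search(chunk)
        if not m:
            continue
        d = m.groupdict()
        flags = {FLAG_NAMES[i] for i, ch in enumerate(d["flags"]) if ch != "*"}
        records.append({"src": d["src"], "dst": d["dst"], "sport": int(d["sport"]),
                        "dport": int(d["dport"]), "flags": flags,
                        "seq": int(d["seq"]), "ack": int(d["ack"])})
    return records

def classify(rec: Dict) -> str:
    """Backscatter is a reply to a SYN nobody here sent: RST/ACK with seq=0 (closed port
    or flooded listener) or SYN/ACK, in both cases leaving a service port on the sender.
    A lone SYN aimed at port 0 is the sender probing us, not a reflection."""
    f = rec["flags"]
    reply = (f == {"R", "A"} and rec["seq"] == 0) or f == {"S", "A"}
    if reply and rec["sport"] < 1024:
        return "backscatter"   # rec["src"] is the flood victim; rec["dst"] was spoofed
    if f == {"S"}:
        return "probe"
    return "unknown"
```

Counting "backscatter" verdicts per source address over a window is the cheap way to confirm the pattern: one spoofed SYN flood produces a steady stream of these from a single victim, whereas a scanner's own traffic carries SYNs.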
