Security Incidents mailing list archives

Re: client's TCP port 256 hammered by several hosts


From: Harlan Carvey <keydet89 () yahoo com>
Date: Fri, 7 Nov 2003 14:52:30 -0800 (PST)

Gerry,

Maybe I don't understand your situation as presented,
but wouldn't it make prudent sense to simply visit the
other systems and determine what processes are sending
out the packets in question?


--- gerry <gerry () tituspcservice com> wrote:


suddenly, one of our lan client (win2k novell
client) machine's tcp port 256 is being flooded with
packets from other lan pcs and our netware (5.1)
server.
anyone have an idea what would cause this or, better
yet, how to eliminate all the excess traffic.

11/04-08:31:14.843754 192.168.x.x:2056 -> 192.168.x.x:256
TCP TTL:128 TOS:0x0 ID:10634 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1E6E9152  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/04-08:31:14.843779 192.168.x.x:256 -> 192.168.x.x:2056
TCP TTL:128 TOS:0x0 ID:62405 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x1E6E9153  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/04-08:31:15.344013 192.168.x.x:2056 -> 192.168.x.x:256
TCP TTL:128 TOS:0x0 ID:11146 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1E6E9152  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

thanks in advance,
g





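Before visiting the sending machines as the reply suggests, the capture itself can be reduced to a list of which hosts are sending SYNs to port 256 and how the target answers them. The Python below is an added example, not part of the original thread: the function names are hypothetical and the sample addresses are constructed, since the post masks the real ones as 192.168.x.x.

```python
import re
from collections import defaultdict

# Constructed sample in the post's Snort layout (wrapped headers, invented IPs).
SAMPLE = """\
11/04-08:31:14.843754 192.168.1.20:2056 ->
192.168.1.50:256
TCP TTL:128 TOS:0x0 ID:10634 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1E6E9152  Ack: 0x0  Win: 0x2000
11/04-08:31:14.843779 192.168.1.50:256 ->
192.168.1.20:2056
TCP TTL:128 TOS:0x0 ID:62405 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x1E6E9153  Win: 0x0
11/04-08:31:15.344013 192.168.1.20:2056 ->
192.168.1.50:256
TCP TTL:128 TOS:0x0 ID:11146 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1E6E9152  Ack: 0x0  Win: 0x2000
11/04-08:31:15.400000 192.168.1.1:3011 -> 192.168.1.50:256
TCP TTL:128 TOS:0x0 ID:4411 IpLen:20 DgmLen:48 DF
******S* Seq: 0x0A000001  Ack: 0x0  Win: 0x2000
"""

# Header (possibly wrapped after "->"), then the flags field and Seq/Ack values.
PKT = re.compile(
    r"(\d\d/\d\d-[\d:.]+)\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)"
    r".*?([*\w]{8})\s+Seq:\s+0x([0-9A-Fa-f]+)\s+Ack:\s+0x([0-9A-Fa-f]+)", re.S)

def summarize(text):
    """Per (sender, target, target port): SYNs, retries of the same SYN, refusals."""
    stats = defaultdict(lambda: {"syn": 0, "retry": 0, "refused": 0})
    last_isn = {}  # (src, sport, dst, dport) -> sequence number of the last SYN
    for _ts, src, sport, dst, dport, flags, seq, ack in PKT.findall(text):
        seq, ack = int(seq, 16), int(ack, 16)
        if "S" in flags and "A" not in flags:      # bare SYN: connection attempt
            conn, s = (src, sport, dst, dport), stats[(src, dst, int(dport))]
            s["syn"] += 1
            s["retry"] += last_isn.get(conn) == seq  # same ISN: TCP stack retry
            last_isn[conn] = seq
        elif "R" in flags and "A" in flags:        # RST/ACK: attempt refused
            conn = (dst, dport, src, sport)        # the SYN went the other way
            if conn in last_isn and ack == (last_isn[conn] + 1) & 0xFFFFFFFF:
                stats[(dst, src, int(sport))]["refused"] += 1
    return dict(stats)

def senders_by_volume(stats):
    """(sender, target port, SYN count), busiest first: the machines to inspect."""
    return sorted(((k[0], k[2], s["syn"]) for k, s in stats.items()), key=lambda x: -x[2])

if __name__ == "__main__":
    print(senders_by_volume(summarize(SAMPLE)))
```

A SYN that repeats with the same sequence number about half a second after an RST/ACK, as in the posted capture, is counted as a retry of one connection attempt rather than as a new connection.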

