Re: Syn flood to TCP port 21 from privileged port (80)

2016-11-02 Thread Theodore Baschak
This might be a little late on this thread; however, I just saw the
following news item on Twitter which seemed pertinent to this story:
http://www.theregister.co.uk/2016/11/02/william_hill_ddos/
I guess they're a bookie who's under DDoS?


Theodore Baschak - AS395089 - Hextet Systems
https://ciscodude.net/ - https://hextet.systems/
http://mbix.ca/



Re: Syn flood to TCP port 21 from privileged port (80)

2016-11-02 Thread Christian Kildau
There is some nice research regarding systems "abusable" for reflection by
tcp port and the amplification factor depending on the OS:
http://www.christian-rossow.de/publications/tcpamplification-woot2014.pdf

And in more detail:
https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-kuhrer.pdf

Best regards,
Chris


Re: Syn flood to TCP port 21 from privileged port (80)

2016-11-01 Thread Ken Chase
what's the density of open port 21s on the planet though? trying to estimate
the traffic resulting against the two target /21s.

Your dump only has 2 IPs in it though, on your /19, so not representative.

My dump is 500 synacks returned in 14 seconds to 32 IPs in a /22. This would give
128M ftp responders across the whole /0 (modulo actual space in use, etc,
so call it 32M responders?). (It's also a short timespan for a dump as well.)
Syn-ack seems to be a 58 byte packet (?ish).

32 * 10^6 * 500/14 * 58*8 / 10^9 = 530 Gbps

even if I'm off by 4 in density of ftp sites on the internet despite my already
reducing it by 4, we're talking ~100+ Gbps.

/kc



Re: Syn flood to TCP port 21 from privileged port (80)

2016-11-01 Thread Selphie Keller
Yeah it is an oddball attack for sure, here is a 5000 packet sample of
what I was seeing in connection to this attack:
https://mystagic.io/80to21.pcap . I don't think it's the entire /0 for the ftp
port, as I am not seeing it on many other subnets, which is why I am
thinking someone did a pre-scan before conducting this wacky attack;
otherwise, I would have likely seen other port 21s seeing activity, but so
far any IP that didn't have 21 as an actual service isn't seeing the syn
packets. This could be unique to my location; others observing this attack
may be able to chime in and report what they are seeing if they've seen port 80
src syn to port 21 where 21 isn't an actual ftp running. Yeah this is pretty
easy to filter.

On 1 November 2016 at 13:48, Ken Chase  wrote:

> Not sure why reflected RSTs are the goal here, they're not much of an
> amplification to the original syn size. Additionally causing a mild dos of my
> clients' stuff when it begins throttling # of connections, ie noticeable. (not
> that I want to help scriptkids improve their attacks...). I'm guessing port 80
> was chosen for improved fw piercing.
>
> Sure is widespread though, 5 clients on very different networks all seeing
> similar saturation. Someone has a nice complete prescanned list of open ftps
> for the entire internet out there (or are they just saturating the whole /0?)
>
> Easy to filter though:
>
> tcp and src port 80 and src net '(141.138.128.0/21 or 95.131.184.0/21)'
> and dst port 21
>
> Adapt for your fw rules of choice.
>
> /kc


Re: Syn flood to TCP port 21 from privileged port (80)

2016-11-01 Thread Van Dyk, Donovan
I think Ken has nailed it. I think the source addresses are spoofed so you 
reflect the connection (tcp syn ack) to those source addresses. Get enough of 
those connections and the server is dead. 

Since your port 21 is open

telnet 109.72.248.114 21
Trying 109.72.248.114...
Connected to 109.72.248.114.
Escape character is '^]'.

Your address was probably scanned and saw it could be used in the attack.

Regards
--
Donovan Van Dyk

SOC Network Engineer

Office: +1.954.620.6002 x911

Fort Lauderdale, FL USA




The information contained in this electronic mail transmission and its 
attachments may be privileged and confidential and protected from disclosure. 
If the reader of this message is not the intended recipient (or an individual 
responsible for delivery of the message to such person), you are strictly 
prohibited from copying, disseminating or distributing this communication. If 
you have received this communication in error, please notify the sender 
immediately and destroy all electronic, paper or other versions.
 

On 11/1/16, 3:29 PM, "Ken Chase"  wrote:

seeing an awful lot of port 80 hitting port 21. (Why would port 80
ever be used as source?). Also saw a buncha cpanel "FAILED: FTP" alerts
flickering on and off as the service throttled itself at a couple client sites I
manage.

I see 540 unique source IPs hitting 32 destinations on my network in just 1000
packets dumped on one router.

All from multiple sequential registered /24s in whois, but all from one
management company:

141.138.128.0/21 and 95.131.184.0/21

role:           William Hill Network Services
abuse-mailbox:  networkservi...@williamhill.co.uk
address:        Infrastructure Services 2 City Walk Sweet Street Leeds LS11 9AR

AS49061

course, synfloods can be spoofed... perhaps they're hoping for a retaliation
against WHNS.

/kc

On Tue, Nov 01, 2016 at 09:44:23PM +0300, Oleg A. Arkhangelsky said:
  >Hello,
  >
  >A couple of cuts from tcpdump output:
  >
  >21:31:54.995170 IP 141.138.131.115.80 > 109.72.248.114.21: Flags [S], seq 1376379765, win 8192, length 0
  >21:31:55.231925 IP 194.73.173.154.80 > 109.72.241.198.21: Flags [S], seq 2254756684, win 8192, length 0
  >21:27:50.413927 IP 95.131.188.179.80 > 109.72.248.114.21: Flags [S], seq 3619475318, win 8192, length 0
  >21:27:50.477014 IP 95.131.191.77.80 > 109.72.248.114.21: Flags [S], seq 2412690982, win 8192, length 0
  >
  >Is anyone seeing this right now (18:31 UTC)? I see this traffic
  >on at least two completely independent ISPs near Moscow. The
  >rate is about a few dozen PPS hitting all BGP-announced networks.
  >
  >--
  >wbr, Oleg.
  >
  >"Anarchy is about taking complete responsibility for yourself."
  >  -- Alan Moore.

-- 
Ken Chase - m...@sizone.org Guelph Canada
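Detection logic for the pattern this thread describes (bare SYNs from source port 80 to port 21, as in Oleg's, Emille's and Selphie's captures), grouped into source prefixes the way Ken did and turned into a filter in the shape he posted; this is an added example, not code from any of the posters. The parser, the signature test, the prefix grouping and the iptables rules are this example's own; the sample lines are quoted from the thread's tcpdump output plus two constructed benign lines.

```python
"""Classify tcpdump lines for the port-80 -> port-21 SYN pattern discussed in
this thread and summarise where it comes from.  Added example, not code from
any of the posters.  The sample lines below are copied from the thread's
tcpdump output; the two benign lines are constructed (RFC 5737 address)."""
import re
import ipaddress
from collections import Counter

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Newer tcpdump style, as in Oleg's and Selphie's captures:
#   21:31:54.995170 IP 141.138.131.115.80 > 109.72.248.114.21: Flags [S], seq ..., win 8192, length 0
MODERN = re.compile(
    rf"^(?P<ts>\S+) IP (?P<src>{IPV4})\.(?P<sport>\d+) > (?P<dst>{IPV4})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?P<rest>.*)$")

# Older tcpdump style, as in Emille's capture (options would appear as "<mss 1460,...>"):
#   12:45:46.180665 194.73.173.17.80 > 216.57.181.189.21: S [tcp sum ok] ...(0) win 8192 (DF) (ttl 60, id 18499, len 40)
CLASSIC = re.compile(
    rf"^(?P<ts>\S+) (?P<src>{IPV4})\.(?P<sport>\d+) > (?P<dst>{IPV4})\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPAUEW.]+) \[tcp sum ok\](?P<rest>.*)$")


def parse_line(line):
    """Return the fields we need from one tcpdump line, or None if it is not a TCP line."""
    line = line.strip()
    m = MODERN.match(line)
    if m:
        has_options = "options [" in m.group("rest")
    else:
        m = CLASSIC.match(line)
        if not m:
            return None
        has_options = "<" in m.group("rest")
    win = re.search(r"win (\d+)", m.group("rest"))
    return {
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "flags": m.group("flags"), "has_options": has_options,
        "win": int(win.group(1)) if win else None,
    }


def matches_signature(pkt):
    """The pattern reported in the thread: a bare SYN (no TCP options) from
    source port 80 to port 21.  A real FTP client connects from an ephemeral
    port and nearly always carries MSS/SACK/timestamp options, and a SYN-ACK
    has flags "S." rather than "S", so both fall through."""
    return (pkt is not None
            and pkt["flags"] == "S"
            and pkt["sport"] == 80
            and pkt["dport"] == 21
            and not pkt["has_options"])


def summarize(lines, prefix_len=21):
    """Count matching packets, distinct sources and destinations, and the
    source prefixes they fall into (default /21, the size Ken grouped by)."""
    hits = [p for p in map(parse_line, lines) if matches_signature(p)]
    prefixes = Counter(
        str(ipaddress.ip_network(f"{p['src']}/{prefix_len}", strict=False))
        for p in hits)
    return {
        "matched": len(hits),
        "unique_sources": len({p["src"] for p in hits}),
        "unique_destinations": len({p["dst"] for p in hits}),
        "source_prefixes": prefixes,
    }


def build_bpf_filter(prefixes):
    """tcpdump/BPF expression in the shape Ken posted, narrowed to bare SYNs
    (tcp[13] == 2 is the TCP flags byte with only SYN set, Selphie's filter)."""
    nets = " or ".join(sorted(prefixes))
    return f"tcp and tcp[13] == 2 and src port 80 and dst port 21 and src net ({nets})"


def build_iptables_rules(prefixes):
    """The same match as iptables drop rules, for hosts that must keep 21 open."""
    return [f"iptables -A INPUT -p tcp --syn -s {net} --sport 80 --dport 21 -j DROP"
            for net in sorted(prefixes)]


SAMPLE = [
    # quoted from Oleg's and Emille's tcpdump output in this thread
    "21:31:54.995170 IP 141.138.131.115.80 > 109.72.248.114.21: Flags [S], seq 1376379765, win 8192, length 0",
    "21:31:55.231925 IP 194.73.173.154.80 > 109.72.241.198.21: Flags [S], seq 2254756684, win 8192, length 0",
    "21:27:50.413927 IP 95.131.188.179.80 > 109.72.248.114.21: Flags [S], seq 3619475318, win 8192, length 0",
    "21:27:50.477014 IP 95.131.191.77.80 > 109.72.248.114.21: Flags [S], seq 2412690982, win 8192, length 0",
    "12:45:46.180665 194.73.173.17.80 > 216.57.181.189.21: S [tcp sum ok] 1158156467:1158156467(0) win 8192 (DF) (ttl 60, id 18499, len 40)",
    # constructed: a legitimate FTP client SYN (ephemeral port, options) and the server's SYN-ACK
    "21:32:00.000000 IP 198.51.100.7.51234 > 109.72.248.114.21: Flags [S], seq 1, win 29200, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0",
    "21:32:00.000100 IP 109.72.248.114.21 > 198.51.100.7.51234: Flags [S.], seq 2, ack 2, win 28960, options [mss 1460], length 0",
]

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    print(stats)  # 5 matched, 5 sources, 3 destinations, three /21s
    print(build_bpf_filter(stats["source_prefixes"]))
    print("\n".join(build_iptables_rules(stats["source_prefixes"])))
```

Feed it `tcpdump -nn` output (either format) and the summary gives the unique-source / destination counts the posters were comparing, while the two benign lines show that ordinary FTP handshakes are not caught by the signature.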




Re: Syn flood to TCP port 21 from privileged port (80)

2016-11-01 Thread Selphie Keller
yeah it looks like the person behind the flood may have scanned for active
ftp servers; not seeing any activity on other observation subnets of this
flood, and so far the only servers showing this port 80 to port 21 are ones
that do have actual ftp servers. However, the connection is not actually
establishing: it's only showing a SYN incoming and a SYN-ACK outgoing and
never gets a completed 3-way handshake, so it could be a very odd reflected
syn-ack flood against possible web servers' origin IP addresses.


RE: Syn flood to TCP port 21 from privileged port (80)

2016-11-01 Thread Emille Blanc
> Does the synflood have tcp option headers?

Not seeing any here. From this morning.

12:45:46.180665 194.73.173.17.80 > 216.57.181.189.21: S [tcp sum ok] 1158156467:1158156467(0) win 8192 (DF) (ttl 60, id 18499, len 40)
12:45:46.180667 194.73.173.17.80 > 216.57.181.189.21: S [tcp sum ok] 1158156467:1158156467(0) win 8192 (DF) (ttl 60, id 18499, len 40)
12:45:46.284617 141.138.128.137.80 > 216.57.182.18.21: S [tcp sum ok] 2595766696:2595766696(0) win 8192 (DF) (ttl 69, id 6478, len 40)




Re: Syn flood to TCP port 21 from privileged port (80)

2016-11-01 Thread Selphie Keller
Does the synflood have tcp option headers?

I am seeing this same activity at our forward observation system; however,
it's not showing any tcp options like mss, sack, timestamps etc. Was curious
if others were seeing the same.

[root@oakridge-intercept(~)]> tcpdump -nn -i eth0 'tcp and (tcp[13] == 2)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

13:09:32.772506 IP 95.131.190.214.80 > 67.220.207.169.21: Flags [S], seq 3599006989, win 8192, length 0
13:09:32.809446 IP 95.131.185.150.80 > 67.220.207.169.21: Flags [S], seq 2409909072, win 8192, length 0
13:09:33.306737 IP 141.138.133.161.80 > 67.220.207.169.21: Flags [S], seq 1006681302, win 8192, length 0
13:09:33.946427 IP 141.138.134.193.80 > 67.220.207.170.21: Flags [S], seq 3627295948, win 8192, length 0
13:09:33.946469 IP 141.138.134.193.80 > 67.220.207.170.21: Flags [S], seq 3627295948, win 8192, length 0
13:09:34.263905 IP 194.73.173.103.80 > 67.220.207.170.21: Flags [S], seq 3818041920, win 8192, length 0
13:09:34.415558 IP 194.73.173.243.80 > 67.220.207.169.21: Flags [S], seq 3584410928, win 8192, length 0


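The check Selphie asks about (whether the SYNs carry any TCP options), as an added example that is not code from the thread: a small Python decoder for a raw Ethernet/IPv4/TCP frame that reports the fields the tcpdump lines above show and tests the frame against the pattern every poster saw (source port 80, destination port 21, SYN only, window 8192, no options). The frames it decodes are constructed here with RFC 5737 documentation addresses, not captured from the event; `build_syn`, `parse_frame` and `matches_flood` are this example's own names.

```python
"""Added example (not from the thread): decode a raw Ethernet/IPv4/TCP frame
and check it against the pattern the thread reports: sport 80, dport 21,
SYN only, window 8192, no TCP options.

The frames below are constructed for this example; the addresses are RFC 5737
documentation ranges, not the ones seen in the thread."""
import struct

SYN_ONLY = 0x02  # tcp[13] == 2: SYN set, every other flag clear


def build_syn(src_ip, dst_ip, sport, dport, seq, window=8192, options=b""):
    """Build an Ethernet+IPv4+TCP SYN frame (checksums left zero: they are
    irrelevant for header parsing, and a sniffer sees the real ones)."""
    def ip4(s):
        return bytes(int(o) for o in s.split("."))
    data_off = 5 + len(options) // 4          # header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      data_off << 4, SYN_ONLY, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                     64, 6, 0, ip4(src_ip), ip4(dst_ip))
    eth = b"\x00" * 12 + b"\x08\x00"          # dst/src MAC, EtherType IPv4
    return eth + ip + tcp


def parse_frame(frame):
    """Return the fields a tcpdump line shows, plus whether options are present."""
    if frame[12:14] != b"\x08\x00":
        return None                           # not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        return None                           # not TCP
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport, dport, seq, _ack, off_res, flags, window = struct.unpack("!HHIIBBH", tcp[:16])
    data_off = (off_res >> 4) * 4             # 20 means a bare header, no options
    return {
        "src": src, "dst": dst, "sport": sport, "dport": dport, "seq": seq,
        "flags": flags, "window": window,
        "has_options": data_off > 20,
        "options": tcp[20:data_off],
    }


def matches_flood(p):
    """The signature every poster in the thread reported."""
    return (p is not None and p["sport"] == 80 and p["dport"] == 21
            and p["flags"] == SYN_ONLY and p["window"] == 8192
            and not p["has_options"])


# Constructed sample: one bare SYN like the flood, and one SYN carrying an MSS
# option as a real client handshake would (usually with SACK/timestamps too).
MSS_1460 = b"\x02\x04\x05\xb4"
FLOOD_FRAME = build_syn("198.51.100.7", "203.0.113.21", 80, 21, 3599006989)
CLIENT_FRAME = build_syn("198.51.100.8", "203.0.113.21", 52000, 21, 1, 29200, MSS_1460)

if __name__ == "__main__":
    for f in (FLOOD_FRAME, CLIENT_FRAME):
        p = parse_frame(f)
        print(p["src"], p["sport"], "->", p["dst"], p["dport"],
              "flags=%#x win=%d options=%s flood=%s"
              % (p["flags"], p["window"], p["has_options"], matches_flood(p)))
```

On a live capture the same "no options" test is what `(tcp[12] & 0xf0) == 0x50` expresses in a tcpdump filter alongside `tcp[13] == 2`: a data offset of 5 words is a 20-byte header with nothing after it.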

RE: Syn flood to TCP port 21 from privileged port (80)

2016-11-01 Thread Emille Blanc
Ditto. Same sources; 141.138.128.0/21 and 95.131.184.0/21 (give or take).

Out of 1000 packet sample taken at 12:45:46 PDT (19:45:46 UTC) at boundary, 502 
unique sources to 10 destination hosts on our AS.

Obligatory data should this be of use to anyone listening in.




Re: Syn flood to TCP port 21 from privileged port (80)

2016-11-01 Thread Ken Chase
Not sure why reflected RSTs are the goal here, they're not much of an amplification
to the original SYN size. Additionally it's causing a mild DoS of my clients' stuff
when it begins throttling # of connections, i.e. noticeable. (Not that I want to
help scriptkids improve their attacks...) I'm guessing port 80 was chosen for
improved fw piercing.

Sure is widespread though, 5 clients on very different networks all seeing 
similar
saturation. Someone has a nice complete prescanned list of open ftps for the
entire internet out there (or are they just saturating the whole /0?)

Easy to filter though:

tcp and src port 80 and dst port 21 and (src net 141.138.128.0/21 or src net 95.131.184.0/21)

Adapt for your fw rules of choice.

/kc


On Tue, Nov 01, 2016 at 07:39:40PM +, Van Dyk, Donovan said:
  >I think Ken has nailed it. I think the source addresses are spoofed so you 
reflect the connection (tcp syn ack) to those source addresses. Get enough of 
those connections and the server is dead. 
  >
  >Since your port 21 is open
  >
  >telnet 109.72.248.114 21
  >Trying 109.72.248.114...
  >Connected to 109.72.248.114.
  >Escape character is '^]'.
  >
  >Your address was probably scanned and saw it could be used in the attack.
  >
  >Regards
  >--
  >Donovan Van Dyk
  >
  >SOC Network Engineer
  >
  >Office: +1.954.620.6002 x911
  >
  >Fort Lauderdale, FL USA
-- 
Ken Chase - m...@sizone.org Guelph Canada
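Ken's filter, the "N unique sources to M destinations in 1000 packets" tallies he and Emille posted, and Donovan's point that the spoofed sources are the real victims of the reflected SYN-ACKs, as one added example that is not code from anyone in the thread: a Python predicate equivalent to the tcpdump expression, a summary over a packet sample, and the equivalent iptables drop rules. The records and prefixes are constructed for this example; the RFC 5737 documentation networks stand in for the two /21s named above (substitute the real prefixes in `FLOOD_NETS`), and `is_flood`, `summarise`, `iptables_rules` and `constructed_sample` are this example's own names.

```python
"""Added example, not from the thread: Ken's tcpdump filter as a Python
predicate, the per-destination / unique-source summary posters reported,
and equivalent iptables drop rules.

All records and prefixes below are constructed. The RFC 5737 documentation
networks stand in for the two /21s named in the thread (assumption: put the
real attacker prefixes in FLOOD_NETS)."""
import ipaddress
from collections import defaultdict

FLOOD_NETS = [ipaddress.ip_network("198.51.100.0/25"),
              ipaddress.ip_network("203.0.113.0/25")]


def is_flood(rec):
    """Equivalent of: tcp and src port 80 and dst port 21 and
    (src net A or src net B)."""
    if rec["proto"] != "tcp" or rec["sport"] != 80 or rec["dport"] != 21:
        return False
    src = ipaddress.ip_address(rec["src"])
    return any(src in net for net in FLOOD_NETS)


def summarise(records):
    """Matched packets, unique (spoofed) sources, and packets per destination.
    Each unique source is a host that will receive our reflected SYN-ACKs."""
    matched = [r for r in records if is_flood(r)]
    per_dst = defaultdict(int)
    for r in matched:
        per_dst[r["dst"]] += 1
    return {
        "matched": len(matched),
        "unique_sources": len({r["src"] for r in matched}),
        "destinations": dict(per_dst),
    }


def iptables_rules(nets=FLOOD_NETS, chain="INPUT"):
    """One DROP rule per prefix. --syn matches SYN set with ACK/RST/FIN clear,
    so only handshake attempts are dropped, never an established session."""
    return ["iptables -A %s -p tcp -s %s --sport 80 --dport 21 --syn -j DROP"
            % (chain, net) for net in nets]


def constructed_sample():
    """Constructed 5-tuples: six flood SYNs (four distinct spoofed sources,
    two FTP hosts) plus three packets that must not match."""
    def rec(proto, src, sport, dst, dport):
        return {"proto": proto, "src": src, "sport": sport,
                "dst": dst, "dport": dport}
    flood = [
        rec("tcp", "198.51.100.7", 80, "192.0.2.10", 21),
        rec("tcp", "198.51.100.9", 80, "192.0.2.10", 21),
        rec("tcp", "203.0.113.44", 80, "192.0.2.11", 21),
        rec("tcp", "203.0.113.45", 80, "192.0.2.11", 21),
        rec("tcp", "198.51.100.7", 80, "192.0.2.11", 21),
        rec("tcp", "203.0.113.44", 80, "192.0.2.10", 21),
    ]
    benign = [
        rec("tcp", "198.51.100.7", 52000, "192.0.2.10", 21),  # real FTP client
        rec("tcp", "198.51.100.7", 80, "192.0.2.10", 40000),  # HTTP reply
        rec("udp", "203.0.113.44", 80, "192.0.2.10", 21),     # not TCP
    ]
    return flood + benign


if __name__ == "__main__":
    print(summarise(constructed_sample()))
    print("\n".join(iptables_rules()))
```

The `--syn` qualifier is what keeps such a rule safe on a box that also talks to web servers in those prefixes: a reply segment from a real port-80 peer has ACK set and is left alone.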



Re: Syn flood to TCP port 21 from privileged port (80)

2016-11-01 Thread Ken Chase
seeing an awful lot of port 80 hitting port 21. (Why would port 80
ever be used as source?). Also saw a buncha cpanel "FAILED: FTP" alerts 
flickering
on and off as the service throttled itself at a couple client sites I manage.

I see 540 unique source IPs hitting 32 destinations on my network in just 1000
packets dumped on one router. 

All from multiple sequential registered /24s in whois, but all from one
management company:

141.138.128.0/21 and 95.131.184.0/21

role:   William Hill Network Services
abuse-mailbox:  networkservi...@williamhill.co.uk
address:Infrastructure Services 2 City Walk Sweet Street Leeds LS11 9AR

AS49061

Of course, SYN floods can be spoofed... perhaps they're hoping for a retaliation
against WHNS.

/kc

On Tue, Nov 01, 2016 at 09:44:23PM +0300, Oleg A. Arkhangelsky said:
  >Hello,
  >
  >A couple of cuts from tcpdump output:
  >
  >21:31:54.995170 IP 141.138.131.115.80 > 109.72.248.114.21: Flags [S], seq 
1376379765, win 8192, length 0
  >21:31:55.231925 IP 194.73.173.154.80 > 109.72.241.198.21: Flags [S], seq 
2254756684, win 8192, length 0
  >21:27:50.413927 IP 95.131.188.179.80 > 109.72.248.114.21: Flags [S], seq 
3619475318, win 8192, length 0
  >21:27:50.477014 IP 95.131.191.77.80 > 109.72.248.114.21: Flags [S], seq 
2412690982, win 8192, length 0
  >
  >Is anyone seeing this right now (18:31 UTC)? I see this traffic
  >on at least two completely independent ISPs near Moscow. The
  >rate is about a few dozen PPS hitting all BGP-announced networks.
  >
  >-- 
  >wbr, Oleg.
  >
  >"Anarchy is about taking complete responsibility for yourself."
  >      Alan Moore.

-- 
Ken Chase - m...@sizone.org Guelph Canada


Re: Syn flood to TCP port 21 from privileged port (80)

2016-11-01 Thread Oleg A. Arkhangelsky


01.11.2016, 22:06, "Eric Tykwinski" :
> Oleg,
>
> I'm seeing the same to a single client here; source IPs seem to be matching up
> as well.
> I attached a pcap, just so you can compare.
>

And the same sources:

141.138.128.0 - 141.138.135.255
194.73.173.0 - 194.73.173.127
95.131.184.0 - 95.131.191.255

Massive DDoS against William Hill Organization Ltd?

-- 
wbr, Oleg.

"Anarchy is about taking complete responsibility for yourself."
  Alan Moore.


Re: Syn flood to TCP port 21 from privileged port (80)

2016-11-01 Thread Oleg A. Arkhangelsky
Hello,

A couple of cuts from tcpdump output:

21:31:54.995170 IP 141.138.131.115.80 > 109.72.248.114.21: Flags [S], seq 
1376379765, win 8192, length 0
21:31:55.231925 IP 194.73.173.154.80 > 109.72.241.198.21: Flags [S], seq 
2254756684, win 8192, length 0
21:27:50.413927 IP 95.131.188.179.80 > 109.72.248.114.21: Flags [S], seq 
3619475318, win 8192, length 0
21:27:50.477014 IP 95.131.191.77.80 > 109.72.248.114.21: Flags [S], seq 
2412690982, win 8192, length 0

Is anyone seeing this right now (18:31 UTC)? I see this traffic
on at least two completely independent ISPs near Moscow. The
rate is about a few dozen PPS hitting all BGP-announced networks.

-- 
wbr, Oleg.

"Anarchy is about taking complete responsibility for yourself."
      Alan Moore.


Syn flood to TCP port 21 from privileged port (80)

2016-11-01 Thread Oleg A. Arkhangelsky