Missing source port.
Russell Fulton
r.fulton at auckland.ac.nz
Wed May 9 18:40:31 EDT 2001
2001-05-09-21:27:35 s tcp 202.96.142.46 -> 130.216.6.106 111 2 0 0 0 S
2001-05-09-22:21:15 s tcp 202.96.142.46 -> 130.216.135.27 111 3 0 0 0 SR
2001-05-09-22:47:52 s tcp 202.96.142.46 -> 130.216.198.155 111 3 0 0 0 SR
2001-05-09-22:56:50 s tcp 202.96.142.46 -> 130.216.220.1 111 3 0 0 0 SR
Any idea why these records have no source port? (this is tab-delimited
output from ra).
Here is raxml for one record:
<Flow> <IP SrcIPAddr = "202.96.142.46" DstIPAddr =
"130.216.135.27" Proto = "tcp" Dport = "111" IpId =
"0x0" /> </Flow>
<FlowAttrs SrcTTL = "236" DstTTL = "0" SrcTOS = "0x0"
DstTOS = "0x0" />
<ExtFlow> <TCPExtFlow TCPState = "SYN|RST|SRTN" TCPOptions =
"MAX" SynAckuSecs = "0" AckDatauSecs = "0" >
<TCPExtMetrics SrcTCPSeqBase = "4101873286"
SrcTCPAckBytes = "0" SrcTCPBytes = "0"
SrcTCPRetrans = "1" SrcTCPWin = "8760"
SrcTCPFlags = "SR" DstTCPSeqBase = "0"
DstTCPAckBytes = "0" DstTCPBytes = "0"
DstTCPRetrans = "0" DstTCPWin = "0"
DstTCPFlags = "" />
</TCPExtFlow>
</ExtFlow>
<Metrics SrcCount = "3" DstCount = "0" SrcBytes = "192"
DstBytes = "0" SrcAppBytes = "0" DstAppBytes = "0" />
</Far>
This traffic is part of a new type of scan I have been seeing for the
last few days. It probed many thousands of addresses but only these
four had missing source ports. One other factor that may be relevant
is that the network where this data was collected is an
extremely saturated 10MB link -- DMZ upgrade to 100Mbps in two weeks (if
the hubs don't melt before that).
I'm guessing that it is the Solaris sadmin worm looking for new homes
(when it isn't beating up our IIS servers).
Cheers, Russell.
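As an added example (not code from the post or from the argus project), here is a small Python parser for the whitespace-delimited ra records quoted above that flags records whose source port field is absent. The field layout (timestamp, flag, proto, src, optional sport, "->", dst, dport, counters, state) and the third, normal-looking record with source port 1029 are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: two of the records from the post (no source port)
# plus one assumed normal record carrying source port 1029 for contrast.
SAMPLE = """\
2001-05-09-21:27:35 s tcp 202.96.142.46 -> 130.216.6.106 111 2 0 0 0 S
2001-05-09-22:21:15 s tcp 202.96.142.46 -> 130.216.135.27 111 3 0 0 0 SR
2001-05-09-21:30:00 s tcp 202.96.142.46 1029 -> 130.216.6.107 111 3 0 0 0 SR
"""


@dataclass
class Flow:
    ts: str
    proto: str
    src: str
    sport: Optional[int]   # None when the record carries no source port
    dst: str
    dport: int
    state: str             # last field, e.g. "S" or "SR"


def parse_record(line: str) -> Flow:
    """Parse one ra record; the position of '->' tells us whether a
    source port field is present (assumed layout, see lead-in)."""
    f = line.split()
    arrow = f.index("->")
    if arrow not in (4, 5):
        raise ValueError(f"unexpected field layout: {line!r}")
    sport = int(f[4]) if arrow == 5 else None
    dst, dport = f[arrow + 1], int(f[arrow + 2])
    return Flow(ts=f[0], proto=f[2], src=f[3], sport=sport,
                dst=dst, dport=dport, state=f[-1])


def parse_records(text: str) -> List[Flow]:
    return [parse_record(l) for l in text.splitlines() if l.strip()]


def missing_source_port(flows: List[Flow]) -> List[Flow]:
    """Records a reviewer would want to look at: no source port recorded."""
    return [fl for fl in flows if fl.sport is None]


if __name__ == "__main__":
    for fl in missing_source_port(parse_records(SAMPLE)):
        print(f"{fl.ts} {fl.src} -> {fl.dst}:{fl.dport} state={fl.state}")
```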