
Thread: am i being nuked or what?

  1. #1
    Junior Member
    Join Date
    Jan 2003
    Posts
    9

    am i being nuked or what?

    Frame 219 (74 bytes on wire, 74 bytes captured)
    Arrival Time: Aug 18, 2003 00:04:38.372710000
    Time delta from previous packet: 0.692336000 seconds
    Time relative to first packet: 182.879577000 seconds
    Frame Number: 219
    Packet Length: 74 bytes
    Capture Length: 74 bytes
    Ethernet II, Src: 00:09:12:86:80:70, Dst: 00:10:4b:9a:12:c6
    Destination: 00:10:4b:9a:12:c6 (3Com_9a:12:c6)
    Source: 00:09:12:86:80:70 (Cisco_86:80:70)
    Type: IP (0x0800)
    Internet Protocol, Src Addr: dizzo (205.232.XXX.XXX), Dst Addr: ip80-81-XXX-XXX.kotivayla.net (80.81.XXX.XXX)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    0000 00.. = Differentiated Services Codepoint: Default (0x00)
    .... ..0. = ECN-Capable Transport (ECT): 0
    .... ...0 = ECN-CE: 0
    Total Length: 60
    Identification: 0x8563
    Flags: 0x04
    .1.. = Don't fragment: Set
    ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 49
    Protocol: TCP (0x06)
    Header checksum: 0xaa80 (correct)
    Source: dizzo (205.232.XXX.XXX)
    Destination: ip80-81-XXX-XXX.kotivayla.net (80.81.XXX.XXX)
    Transmission Control Protocol, Src Port: 55615 (55615), Dst Port: 6881 (6881), Seq: 0, Ack: 0, Len: 0
    Source port: 55615 (55615)
    Destination port: 6881 (6881)
    Sequence number: 0
    Header length: 40 bytes
    Flags: 0x0002 (SYN)
    0... .... = Congestion Window Reduced (CWR): Not set
    .0.. .... = ECN-Echo: Not set
    ..0. .... = Urgent: Not set
    ...0 .... = Acknowledgment: Not set
    .... 0... = Push: Not set
    .... .0.. = Reset: Not set
    .... ..1. = Syn: Set
    .... ...0 = Fin: Not set
    Window size: 32768
    Checksum: 0xb06c (correct)
    Options: (20 bytes)
    Maximum segment size: 1380 bytes
    NOP
    Window scale: 0 (multiply by 1)
    NOP
    NOP
    Time stamp: tsval 3570602575, tsecr 0
    The above capture is just one of God knows how many; apparently they are identical, only the source port changes between packets, in the range 40000-65000.

    1,[17/Aug/2003 18:15:59] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54373]->localhost:6881, Owner: no owner
    1,[17/Aug/2003 18:16:02] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54373]->localhost:6881, Owner: no owner
    1,[17/Aug/2003 18:16:05] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54373]->localhost:6881, Owner: no owner
    1,[17/Aug/2003 18:16:08] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54373]->localhost:6881, Owner: no owner
    1,[17/Aug/2003 18:16:11] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54373]->localhost:6881, Owner: no owner
    1,[17/Aug/2003 18:16:11] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54466]->localhost:6881, Owner: no owner
    1,[17/Aug/2003 18:16:14] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54466]->localhost:6881, Owner: no owner
    1,[17/Aug/2003 18:16:14] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54373]->localhost:6881, Owner: no owner
    1,[17/Aug/2003 18:16:17] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54466]->localhost:6881, Owner: no owner
    1,[17/Aug/2003 18:16:20] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54373]->localhost:6881, Owner: no owner
    1,[17/Aug/2003 18:16:26] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54466]->localhost:6881, Owner: no owner
    1,[17/Aug/2003 18:16:32] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54466]->localhost:6881, Owner: no owner
    The above is only a small sample of the firewall log.

    Seems weird, since this has been going on since last Friday and originates from the USA. I have already notified the company to which the IP belongs about this issue.

    I'd just like to know for sure what's going on.

  2. #2
    steve.milner
    rebmeM roineS enilnOitnA
    Join Date
    Jul 2003
    Posts
    1,021
    Port 6881 is BitTorrent - are you using this?
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  3. #3
    Junior Member
    Join Date
    Jan 2003
    Posts
    9
    Nope.

    The only net-accessing programs I've used lately are Opera, mIRC, Miranda and Eudora.

  4. #4
    steve.milner
    rebmeM roineS enilnOitnA
    Join Date
    Jul 2003
    Posts
    1,021
    I've not been able to find anything useful about 6881 on Google, so I'll hand this over to more knowledgeable members around here.

    All sorts of possibilities spring to mind - but you've done the right thing - complained to the ISP.

    Drop the IP from the firewall & forget about it.

  5. #5
    Senior Member
    Join Date
    Aug 2002
    Posts
    239
    Andersen, it looks like you're not alone:
    http://forums.zonelabs.com/zonelabs/...essage.id=1546

    It may be helpful to keep tabs on this forum. Sorry I can't provide any real help; I can't find anything useful enough on Google either.
    It's 106 miles to Chicago, we've got a full tank of gas, half a pack of cigarettes, it's dark and we're wearing sunglasses.

    Hit it!

  6. #6
    Junior Member
    Join Date
    Jan 2003
    Posts
    9
    Does it make any difference since I use Kerio PF instead of ZA?

  7. #7
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    No.

    I think showtime was just saying that someone else has a similar problem.

    Can you use Visual Route or some other program to trace the IP?

  8. #8
    Senior Member
    Join Date
    Aug 2003
    Posts
    205
    From what I can see from your first capture and the fact that you are receiving numerous similar traces, someone is attempting to SYN flood your PC (DoS attack).

    Someone is attempting to open "1/2" TCP sessions numerous times to you.
    It is a 1/2 because the perpetrator is not completing the 3-way handshake.

    What a TCP/IP stack would usually do is respond to the SYN bit with an ACK and wait for x minutes, depending on the TCP/IP stack, before it rejects the connection. However, if you do not hear back from your acknowledgement, your TCP/IP stack will allocate memory and processor cycles for that session for x minutes before it releases the session. Your PC will do this for every TCP session and thus crash because of allocated resources.

    The perpetrator can change the source address to a non-routable address so the victim never gets a response back for the x minutes, thus hogging up his resources.

    I hope I wasn't too vague with my explanations... very exhausted and tired from pulling all-nighters...

    P.S.
    If port 6881 is not open on your PC then you have nothing to worry about...
    Your PC will drop the 1st SYN packet....
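    As an added example (not from any poster in this thread), the script below parses the Kerio Personal Firewall log lines pasted in post #1 and summarises the blocked inbound SYNs per source and destination port, the way a defender would check the half-open-connection explanation in post #8: how many packets arrived, how many distinct source ports were used, and the gaps between repeats of the same source port. Repeats of one source port at steady 3 s / 6 s intervals are a stack retransmitting a single unanswered SYN; a large number of distinct source ports in a short window is the flood pattern the thread is worried about. The log lines are the ones from post #1 (addresses masked there); the `FLOOD_SPORTS` threshold is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Kerio PF log format as pasted in post #1 (addresses masked by the poster).
LINE_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']+)': Blocked: In TCP, "
    r"(?P<host>\S+) \[(?P<src>[\d.X]+):(?P<sport>\d+)\]->(?P<dst>[^:]+):(?P<dport>\d+)"
)
FLOOD_SPORTS = 50  # assumed threshold: distinct source ports in one window

SAMPLE_LOG = [  # sample input copied from post #1
    "1,[17/Aug/2003 18:15:59] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54373]->localhost:6881, Owner: no owner",
    "1,[17/Aug/2003 18:16:02] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54373]->localhost:6881, Owner: no owner",
    "1,[17/Aug/2003 18:16:05] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54373]->localhost:6881, Owner: no owner",
    "1,[17/Aug/2003 18:16:08] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54373]->localhost:6881, Owner: no owner",
    "1,[17/Aug/2003 18:16:11] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54373]->localhost:6881, Owner: no owner",
    "1,[17/Aug/2003 18:16:11] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54466]->localhost:6881, Owner: no owner",
    "1,[17/Aug/2003 18:16:14] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54466]->localhost:6881, Owner: no owner",
    "1,[17/Aug/2003 18:16:14] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54373]->localhost:6881, Owner: no owner",
    "1,[17/Aug/2003 18:16:17] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54466]->localhost:6881, Owner: no owner",
    "1,[17/Aug/2003 18:16:20] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54373]->localhost:6881, Owner: no owner",
    "1,[17/Aug/2003 18:16:26] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54466]->localhost:6881, Owner: no owner",
    "1,[17/Aug/2003 18:16:32] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54466]->localhost:6881, Owner: no owner",
]

def parse(line):
    """Return a dict of the fields of one blocked-inbound-TCP line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y %H:%M:%S")
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d

def summarize(lines):
    """Per (src, dport): packet count, distinct source ports, time span and,
    per source port, the seconds between successive repeats."""
    flows = defaultdict(lambda: defaultdict(list))
    for rec in filter(None, map(parse, lines)):
        flows[(rec["src"], rec["dport"])][rec["sport"]].append(rec["ts"])
    report = {}
    for key, ports in flows.items():
        times = sorted(t for ts in ports.values() for t in ts)
        gaps = {sp: [int((b - a).total_seconds()) for a, b in zip(sorted(ts), sorted(ts)[1:])]
                for sp, ts in ports.items()}
        report[key] = {"packets": len(times), "distinct_sports": len(ports),
                       "span_s": int((times[-1] - times[0]).total_seconds()),
                       "gaps": gaps, "flood": len(ports) >= FLOOD_SPORTS}
    return report
```

    On the posted sample this reports 12 packets from two source ports over 33 seconds, with each port repeating at 3 s then 6 s gaps, i.e. retransmissions of two connection attempts rather than a burst of distinct SYNs.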

  9. #9
    Junior Member
    Join Date
    Jan 2003
    Posts
    9
    I'd like to thank you for the help.

    I asked a few people to do a port scan on my PC, and they all said that the target host was down.

    Guess I don't have anything to worry about.
