-
August 17th, 2003, 10:28 PM
#1
Junior Member
Am I being nuked or what?
Frame 219 (74 bytes on wire, 74 bytes captured)
Arrival Time: Aug 18, 2003 00:04:38.372710000
Time delta from previous packet: 0.692336000 seconds
Time relative to first packet: 182.879577000 seconds
Frame Number: 219
Packet Length: 74 bytes
Capture Length: 74 bytes
Ethernet II, Src: 00:09:12:86:80:70, Dst: 00:10:4b:9a:12:c6
Destination: 00:10:4b:9a:12:c6 (3Com_9a:12:c6)
Source: 00:09:12:86:80:70 (Cisco_86:80:70)
Type: IP (0x0800)
Internet Protocol, Src Addr: dizzo (205.232.XXX.XXX), Dst Addr: ip80-81-XXX-XXX.kotivayla.net (80.81.XXX.XXX)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 60
Identification: 0x8563
Flags: 0x04
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 49
Protocol: TCP (0x06)
Header checksum: 0xaa80 (correct)
Source: dizzo (205.232.XXX.XXX)
Destination: ip80-81-XXX-XXX.kotivayla.net (80.81.XXX.XXX)
Transmission Control Protocol, Src Port: 55615 (55615), Dst Port: 6881 (6881), Seq: 0, Ack: 0, Len: 0
Source port: 55615 (55615)
Destination port: 6881 (6881)
Sequence number: 0
Header length: 40 bytes
Flags: 0x0002 (SYN)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Window size: 32768
Checksum: 0xb06c (correct)
Options: (20 bytes)
Maximum segment size: 1380 bytes
NOP
Window scale: 0 (multiply by 1)
NOP
NOP
Time stamp: tsval 3570602575, tsecr 0
The above capture is just one of God knows how many. Apparently they are identical; only the source port changes between packets, in the range 40000-65000.
1,[17/Aug/2003 18:15:59] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54373]->localhost:6881, Owner: no owner
1,[17/Aug/2003 18:16:02] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54373]->localhost:6881, Owner: no owner
1,[17/Aug/2003 18:16:05] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54373]->localhost:6881, Owner: no owner
1,[17/Aug/2003 18:16:08] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54373]->localhost:6881, Owner: no owner
1,[17/Aug/2003 18:16:11] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54373]->localhost:6881, Owner: no owner
1,[17/Aug/2003 18:16:11] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54466]->localhost:6881, Owner: no owner
1,[17/Aug/2003 18:16:14] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54466]->localhost:6881, Owner: no owner
1,[17/Aug/2003 18:16:14] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54373]->localhost:6881, Owner: no owner
1,[17/Aug/2003 18:16:17] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54466]->localhost:6881, Owner: no owner
1,[17/Aug/2003 18:16:20] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54373]->localhost:6881, Owner: no owner
1,[17/Aug/2003 18:16:26] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54466]->localhost:6881, Owner: no owner
1,[17/Aug/2003 18:16:32] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54466]->localhost:6881, Owner: no owner
Above is only a small sample of the firewall log.
Seems weird, since this has been going on since last Friday and originates from the USA. I have already notified the company to which the IP belongs about this issue.
I'd just like to know for sure what's going on.
-
August 17th, 2003, 10:43 PM
#2
Port 6881 is BitTorrent. Are you using this?
IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com
-
August 17th, 2003, 10:50 PM
#3
Junior Member
Nope.
The only net-accessing programs I've used lately are Opera, mIRC, Miranda and Eudora.
-
August 17th, 2003, 10:57 PM
#4
I've not been able to find anything useful about 6881 on Google, so I'll hand this over to more knowledgeable members around here.
All sorts of possibilities spring to mind, but you've done the right thing: complained to the ISP.
Drop the IP from the firewall & forget about it.
IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com
-
August 17th, 2003, 11:14 PM
#5
Andersen, it looks like you're not alone:
http://forums.zonelabs.com/zonelabs/...essage.id=1546
May be helpful to keep tabs on this forum. Sorry I can't provide any real help; I can't find anything on Google useful enough either.
It's 106 miles to Chicago, we've got a full tank of gas, half a pack of cigarettes, it's dark and we're wearing sunglasses.
Hit it!
-
August 17th, 2003, 11:16 PM
#6
Junior Member
Does it make any difference since I use Kerio PF instead of ZA?
-
August 17th, 2003, 11:22 PM
#7
No.
I think Showtime was just saying that someone else has a similar problem.
Can you use Visual Route or some other program to trace the IP?
-
August 18th, 2003, 03:40 AM
#8
From what I can see from your 1st capture and the fact that you are receiving many similar traces, someone is attempting to SYN flood your PC (DoS attack).
Someone is attempting to open "1/2" TCP sessions numerous times to you.
It is a 1/2 because the perpetrator is not completing the 3-way handshake.
What a TCP/IP stack would usually do is respond to the SYN bit with an ACK and wait for x minutes, depending on the TCP/IP stack, before it rejects the connection. However, if you do not hear back from your acknowledgement, your TCP/IP stack will allocate memory and processor cycles for that session for x minutes before it releases the session. Your PC will do this for every TCP session and thus crash because of allocated resources.
The perpetrator can change the source address to a non-routable address so the victim never gets a response back for the x minutes, thus hogging up his resources.
I hope I wasn't too vague with my explanations... very exhausted and tired, pulling all-nighters...
P.S.
If port 6881 is not open on your PC then you have nothing to worry about...
Your PC will drop the 1st SYN packet....
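Added example (not code from the thread, from Kerio, or from any poster): a small Python triage script over firewall lines in the shape of the Kerio Personal Firewall entries quoted in post #1. The sample log is constructed from those entries, with the source address masked exactly as the poster masked it; the rule name and line layout come from the page, while the reading of an inbound TCP packet to an unopened port as a connection attempt (SYN) and the 10-per-60-seconds threshold are assumptions chosen for illustration. It groups the blocked packets per flow (source address, source port, destination port) to show the retry spacing, and computes the peak per-source attempt rate over a sliding window, which is the figure a defender would compare against a SYN-flood threshold.

```python
"""Triage helper for 'Packet to unopened port received' firewall lines.

Groups blocked inbound TCP packets by flow, reports the spacing between
retries of the same flow, and flags sources whose attempt rate over a
sliding window exceeds a threshold. Example code, not Kerio's own tooling.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of the Kerio Personal Firewall lines quoted
# in the thread; the source address is masked (XXX) as the poster masked it.
SAMPLE_LOG = """\
1,[17/Aug/2003 18:15:59] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54373]->localhost:6881, Owner: no owner
1,[17/Aug/2003 18:16:02] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54373]->localhost:6881, Owner: no owner
1,[17/Aug/2003 18:16:05] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54373]->localhost:6881, Owner: no owner
1,[17/Aug/2003 18:16:08] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54373]->localhost:6881, Owner: no owner
1,[17/Aug/2003 18:16:11] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54373]->localhost:6881, Owner: no owner
1,[17/Aug/2003 18:16:11] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54466]->localhost:6881, Owner: no owner
1,[17/Aug/2003 18:16:14] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54466]->localhost:6881, Owner: no owner
1,[17/Aug/2003 18:16:14] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54373]->localhost:6881, Owner: no owner
1,[17/Aug/2003 18:16:17] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54466]->localhost:6881, Owner: no owner
1,[17/Aug/2003 18:16:20] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54373]->localhost:6881, Owner: no owner
1,[17/Aug/2003 18:16:26] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54466]->localhost:6881, Owner: no owner
1,[17/Aug/2003 18:16:32] Rule 'Packet to unopened port received': Blocked: In TCP, dizzo [205.232.XXX.XXX:54466]->localhost:6881, Owner: no owner
"""

# Layout taken from the lines above; the leading "1," severity field is ignored.
LINE_RE = re.compile(
    r"^\d+,\[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']*)': (?P<action>\w+): "
    r"(?P<direction>In|Out) (?P<proto>TCP|UDP), (?P<src_host>\S+) "
    r"\[(?P<src_ip>[\w.]+):(?P<src_port>\d+)\]->(?P<dst_host>[\w.]+):(?P<dst_port>\d+), "
    r"Owner: (?P<owner>.*)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%d/%b/%Y %H:%M:%S")
    event["src_port"] = int(event["src_port"])
    event["dst_port"] = int(event["dst_port"])
    return event


def parse_log(text):
    """Parse every recognised line of a log; unparseable lines are skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def _blocked_inbound_tcp(events):
    # Assumption: an inbound TCP packet blocked at an unopened port is a
    # connection attempt (the SYN of a handshake that never gets an answer).
    return [e for e in events
            if e["action"] == "Blocked" and e["direction"] == "In" and e["proto"] == "TCP"]


def flow_retry_intervals(events):
    """Seconds between successive blocked packets of the same (src_ip, src_port, dst_port) flow.

    A flow that repeats from one source port on a fixed timer looks different
    from a flood that changes source address or port on every packet.
    """
    flows = defaultdict(list)
    for e in _blocked_inbound_tcp(events):
        flows[(e["src_ip"], e["src_port"], e["dst_port"])].append(e["ts"])
    intervals = {}
    for flow, stamps in flows.items():
        stamps.sort()
        intervals[flow] = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
    return intervals


def peak_rate(events, window=timedelta(seconds=60)):
    """Largest number of attempts from each source address inside any sliding window."""
    by_src = defaultdict(list)
    for e in _blocked_inbound_tcp(events):
        by_src[e["src_ip"]].append(e["ts"])
    peaks = {}
    for src, stamps in by_src.items():
        stamps.sort()
        best, lo = 0, 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] >= window:   # slide the window start forward
                lo += 1
            best = max(best, hi - lo + 1)
        peaks[src] = best
    return peaks


def flag_sources(events, threshold=10, window=timedelta(seconds=60)):
    """Source addresses whose peak attempt rate reaches the threshold (illustrative value)."""
    return sorted(src for src, n in peak_rate(events, window).items() if n >= threshold)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(f"{len(evts)} blocked attempts parsed")
    for flow, gaps in flow_retry_intervals(evts).items():
        print(f"flow {flow}: retry spacing {gaps}s")
    print("peak attempts per source in 60 s:", peak_rate(evts))
    print("sources over threshold:", flag_sources(evts))
```

On the constructed sample every attempt comes from one address and only two source ports, each retrying a few seconds apart, so the per-flow view is the first thing to look at before deciding whether the rate figure warrants a block rule; on a real log, run the same functions over the full file rather than a dozen lines.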
-
August 18th, 2003, 09:37 AM
#9
Junior Member
I'd like to thank you for the help.
I asked a few people to do a port scan on my PC, and they all said that the target host was down.
Guess I don't have anything to worry about.