North American Network Operators Group


hotel internet connectivity provider portscans port 6000

  • From: Jun-ichiro itojun Hagino
  • Date: Tue Sep 03 11:29:15 2002

	inter-touch.com (an internet connectivity provider for hotels in
	australia, it seems) portscans customer device.
	this is way too weird, and the response from them does not make any
	sense.  i'm not sure if it is widely practiced, i really hope not.
	(the most stupid choice of port number!)

itojun
--- Begin Message ---
  • Delivery-date: Sun Sep 1 15:54:51 2002
	i'm now staying at Stamford hotel near Sydney airport, and using
	your internet connectivity service.  the first-hop router (61.8.9.254)
	is sending malicious TCP traffic (SYN attempt to port 6000).
	could you let me know (1) if it is intentional or not, and (2) if
	intentional, let me know under what kind of ground you are portscanning
	your customer.
	if you do not respond in 24 hours, i'll make this matter public.

itojun
--- End Message ---
--- Begin Message ---
  • Delivery-date: Sun Sep 1 21:05:26 2002
>	i'm now staying at Stamford hotel near Sydney airport, and using
>	your internet connectivity service.  the first-hop router (61.8.9.254)
>	is sending malicious TCP traffic (SYN attempt to port 6000).
>	could you let me know (1) if it is intentional or not, and (2) if
>	intentional, let me know under what kind of ground you are portscanning
>	your customer.
>	if you do not respond in 24 hours, i'll make this matter public.

	evidence.  notice that all of the exchanges follow this pattern:
	- SYN from first-hop router
	- SYN ACK from my device to respond to SYN
	- retransmission of SYN ACK
	- first-hop router's connecting socket goes away
	apparently your device is attempting to portscan, it is not a normal TCP
	connection attempt.

21:01:22.956696 61.8.9.254.2230 > 10.5.0.59.6000: S [tcp sum ok] 3369191721:3369191721(0) win 32120 <mss 1460,sackOK,timestamp 114694089 0,nop,wscale 0> (DF) (ttl 64, id 26579, len 60)
21:01:22.956807 10.5.0.59.6000 > 61.8.9.254.2230: S [tcp sum ok] 3618006200:3618006200(0) ack 3369191722 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 114694089> (DF) (ttl 64, id 2221, len 60)
21:01:25.950019 10.5.0.59.6000 > 61.8.9.254.2230: S [tcp sum ok] 3618006200:3618006200(0) ack 3369191722 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 6 114694089> (DF) (ttl 64, id 2225, len 60)
21:01:31.950019 10.5.0.59.6000 > 61.8.9.254.2230: S [tcp sum ok] 3618006200:3618006200(0) ack 3369191722 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 18 114694089> (DF) (ttl 64, id 2234, len 60)
21:01:31.950208 61.8.9.254 > 10.5.0.59: icmp: 61.8.9.254 tcp port 2230 unreachable for 10.5.0.59.6000 > 61.8.9.254.2230: S [tcp sum ok] 3618006200:3618006200(0) ack 3369191722 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 18 114694089> (DF) (ttl 64, id 2234, len 60) [tos 0xc0]  (ttl 255, id 28827, len 88)

itojun



--- End Message ---
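The pattern listed in the message above (SYN from the first-hop router, SYN-ACK from the host, retransmitted SYN-ACKs, then the router's socket gone) can be picked out of a tcpdump text trace mechanically. This is an added example, not part of the original thread: it parses the older tcpdump text format shown above, the sample trace is constructed with documentation addresses, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample in the tcpdump text format used in the thread
# (documentation/private addresses; this is not the capture from the post).
SAMPLE = """\
21:01:22.956696 192.0.2.254.2230 > 10.0.0.59.6000: S 1000:1000(0) win 32120 (DF)
21:01:22.956807 10.0.0.59.6000 > 192.0.2.254.2230: S 5000:5000(0) ack 1001 win 16384 (DF)
21:01:25.950019 10.0.0.59.6000 > 192.0.2.254.2230: S 5000:5000(0) ack 1001 win 16384 (DF)
21:01:25.966500 192.0.2.254.2233 > 10.0.0.59.6000: S 2000:2000(0) win 32120 (DF)
21:01:25.966625 10.0.0.59.6000 > 192.0.2.254.2233: S 6000:6000(0) ack 2001 win 16384 (DF)
21:01:31.950019 10.0.0.59.6000 > 192.0.2.254.2230: S 5000:5000(0) ack 1001 win 16384 (DF)
21:01:31.950208 192.0.2.254 > 10.0.0.59: icmp: 192.0.2.254 tcp port 2230 unreachable
21:02:00.000100 192.0.2.10.40000 > 10.0.0.59.22: S 100:100(0) win 32120 (DF)
21:02:00.000200 10.0.0.59.22 > 192.0.2.10.40000: S 500:500(0) ack 101 win 16384 (DF)
21:02:00.000300 192.0.2.10.40000 > 10.0.0.59.22: . ack 1 win 32120 (DF)
"""

IP = r"\d+(?:\.\d+){3}"
# "time src.port > dst.port: FLAGS rest"
TCP = re.compile(rf"^\S+ ({IP})\.(\d+) > ({IP})\.(\d+): (\S+) ?(.*)$")
# "time src > dst: icmp: src tcp port N unreachable ..."
ICMP = re.compile(rf"^\S+ ({IP}) > ({IP}): icmp: \S+ tcp port (\d+) unreachable")


def analyse(trace):
    """Track every TCP flow, keyed by (initiator ip, port, responder ip, port)."""
    flows = {}

    def flow(key):
        return flows.setdefault(
            key, {"syn": 0, "synack": 0, "completed": False, "unreachable": False}
        )

    for line in trace.splitlines():
        m = ICMP.match(line)
        if m:
            # The initiator reports its own source port as closed: the
            # connecting socket was discarded after the SYN was sent.
            src, dst, port = m.groups()
            for key, state in flows.items():
                if key[0] == src and key[1] == port and key[2] == dst:
                    state["unreachable"] = True
            continue
        m = TCP.match(line)
        if not m:
            continue  # ARP and anything else is ignored
        sip, sport, dip, dport, flags, rest = m.groups()
        has_ack = re.search(r"\back \d+", rest) is not None
        if "S" in flags and not has_ack:
            flow((sip, sport, dip, dport))["syn"] += 1        # initial SYN
        elif "S" in flags:
            flow((dip, dport, sip, sport))["synack"] += 1     # SYN-ACK or its retransmission
        elif has_ack and "R" not in flags and (sip, sport, dip, dport) in flows:
            flows[(sip, sport, dip, dport)]["completed"] = True  # final ACK of the handshake
    return flows


def half_open_probes(flows):
    """Flows the host answered with SYN-ACK but the initiator never completed."""
    return {k: s for k, s in flows.items() if s["synack"] and not s["completed"]}


def probe_summary(trace):
    """Count never-completed handshakes per (initiator ip, destination port)."""
    counts = Counter()
    for init_ip, _, _, resp_port in half_open_probes(analyse(trace)):
        counts[(init_ip, int(resp_port))] += 1
    return dict(counts)


if __name__ == "__main__":
    for (ip, port), n in probe_summary(SAMPLE).items():
        print(f"{ip} opened {n} handshake(s) to port {port} and completed none")
```

A source that repeatedly shows up in `probe_summary` for the same destination port, with SYN-ACK retransmissions and ICMP port-unreachable replies on its own source ports, matches the behaviour described in the message; a normal client appears with `completed` set.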
--- Begin Message ---
Hi Mr Jun-ichiro itojun Hagino,

The tcp activity that you detected on port 6000 is actually generated by our
server to detect whether the machine is still running.



> ----- Forwarded message from Jun-ichiro itojun Hagino
> <[email protected]> -----
>
> To: [email protected], [email protected],
>         [email protected], [email protected]
> Subject: abusive traffic from inter-touch router
> X-Template-Reply-To: [email protected]
> X-Template-Return-Receipt-To: [email protected]
> X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD  90 5F B4 60 79 54 16 E2
> From: Jun-ichiro itojun Hagino <[email protected]>
> Date: Sun, 01 Sep 2002 15:54:46 +0900
>
> 	i'm now staying at Stamford hotel near Sydney airport, and using
> 	your internet connectivity service.  the first-hop router
> (61.8.9.254)
> 	is sending malicious TCP traffic (SYN attempt to port 6000).
> 	could you let me know (1) if it is intentional or not, and (2) if
> 	intentional, let me know under what kind of ground you are
> portscanning
> 	your customer.
> 	if you do not respond in 24 hours, i'll make this matter public.
>
> itojun
>
> ----- End forwarded message -----

--- End Message ---
--- Begin Message ---
>Hi Mr Jun-ichiro itojun Hagino,
>
>The tcp activity that you detected on port 6000 is actually generated by our
>server to detect whether the machine is still running.

	there are far better ways to achieve that, so i would like to know
	the reasoning behind your choice.

itojun
--- End Message ---
--- Begin Message ---
>>Hi Mr Jun-ichiro itojun Hagino,
>>
>>The tcp activity that you detected on port 6000 is actually generated by our
>>server to detect whether the machine is still running.
>
>	there are far better ways to achieve that, so i would like to know
>	the reasoning behind your choice.

	note that tcp port 6000 is used for X11.  any UNIX user will consider
	this traffic malicious.

itojun
--- End Message ---