North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: the attack continues..

  • From: Jay Hennigan
  • Date: Sat Oct 18 11:24:35 2008

Beavis wrote:
Hello Lists,

    I'm still getting attacked and most of the IP's i got have been
reported. and just this morning it looks as if someone is testing my
network. and sending out short TCP_SESSION requests. now i may be
paranoid but this past few days have been hell.. just want to know if
the folks from these ip's can help me out.

Attacker IP,Attacker Port,Victim IP,Victim Port,Attack Type,Start
Time,Extra Info,47198,,80,TCP_SESSION,2008-10-18
14:20:48,Filtered IP: Dropped packets: 3 Dropped bytes: 156,45379,,80,TCP_SESSION,2008-10-18
14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0,42257,,80,TCP_SESSION,2008-10-18
14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0,4092,,80,TCP_SESSION,2008-10-18
14:20:48,Filtered IP: Dropped packets: 0 Dropped bytes: 0

First 3 IP's come from AOL, I'll try to see if I can get their attention.

Last IP is from a Wildblue Communications WBC-39.

"Beavis", you're running a web server on, some sort of gambling site. Those who operate web servers generally expect traffic to TCP port 80. If you're not aware that you have a web server running, then it is most likely your machine that is infected with a bot.

Jay Hennigan - CCIE #7880 - Network Engineering - [email protected]
Impulse Internet Service  -
Your local telephone and internet company - 805 884-6323 - WB6RDV