スレッド表示 | 新しいものから | 前のトピック | 次のトピック | 下へ |
投稿者 | スレッド |
---|---|
webadm | 投稿日時: 2006-7-6 5:09 |
Webmaster 登録日: 2004-11-7 居住地: 投稿: 3107 |
NECのgatewayからのSYN flood attack 夕方にサーバーが塞がっているようなので一旦httpサービスを呈しして外部からのアクセスの様子を観測してみた。
特に目立った攻撃の形跡は無いので再度サービスを立ち上げなおうそうとした時に初めて目にする異常なログが目の前に現れた。 19:42:59.825004 TYO112.gate.nec.co.jp.40202 > KURO-BOX.www: S 188792975:188792975(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:42:59.825087 KURO-BOX.www > TYO112.gate.nec.co.jp.40202: R 0:0(0) ack 188792976 win 0 (DF) 19:42:59.866815 TYO112.gate.nec.co.jp.40219 > KURO-BOX.www: S 192167111:192167111(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:42:59.866898 KURO-BOX.www > TYO112.gate.nec.co.jp.40219: R 0:0(0) ack 192167112 win 0 (DF) 19:42:59.920977 TYO112.gate.nec.co.jp.40235 > KURO-BOX.www: S 195879130:195879130(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:42:59.921063 KURO-BOX.www > TYO112.gate.nec.co.jp.40235: R 0:0(0) ack 195879131 win 0 (DF) 19:42:59.956819 TYO112.gate.nec.co.jp.40248 > KURO-BOX.www: S 198401517:198401517(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:42:59.956893 KURO-BOX.www > TYO112.gate.nec.co.jp.40248: R 0:0(0) ack 198401518 win 0 (DF) 19:42:59.998622 TYO112.gate.nec.co.jp.40262 > KURO-BOX.www: S 200906485:200906485(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:42:59.998705 KURO-BOX.www > TYO112.gate.nec.co.jp.40262: R 0:0(0) ack 200906486 win 0 (DF) 19:43:00.165489 TYO112.gate.nec.co.jp.40318 > KURO-BOX.www: S 211361193:211361193(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.165569 KURO-BOX.www > TYO112.gate.nec.co.jp.40318: R 0:0(0) ack 211361194 win 0 (DF) 19:43:00.213390 TYO112.gate.nec.co.jp.40334 > KURO-BOX.www: S 213367596:213367596(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.213473 KURO-BOX.www > TYO112.gate.nec.co.jp.40334: R 0:0(0) ack 213367597 win 0 (DF) 19:43:00.248946 TYO112.gate.nec.co.jp.40344 > KURO-BOX.www: S 214040740:214040740(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.249029 KURO-BOX.www > TYO112.gate.nec.co.jp.40344: R 0:0(0) ack 214040741 win 0 (DF) 19:43:00.296657 TYO112.gate.nec.co.jp.40355 > KURO-BOX.www: S 214726495:214726495(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.296740 KURO-BOX.www > TYO112.gate.nec.co.jp.40355: R 0:0(0) ack 214726496 win 0 (DF) 19:43:00.323430 TYO112.gate.nec.co.jp.40356 > KURO-BOX.www: S 214762510:214762510(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.323514 KURO-BOX.www > TYO112.gate.nec.co.jp.40356: R 0:0(0) ack 214762511 win 0 (DF) 19:43:00.347241 TYO112.gate.nec.co.jp.40357 > KURO-BOX.www: S 214848922:214848922(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.347313 KURO-BOX.www > TYO112.gate.nec.co.jp.40357: R 0:0(0) ack 214848923 win 0 (DF) 19:43:00.371111 TYO112.gate.nec.co.jp.40358 > KURO-BOX.www: S 214904922:214904922(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.371194 KURO-BOX.www > TYO112.gate.nec.co.jp.40358: R 0:0(0) ack 214904923 win 0 (DF) 19:43:00.392002 TYO112.gate.nec.co.jp.40359 > KURO-BOX.www: S 215000531:215000531(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.392086 KURO-BOX.www > TYO112.gate.nec.co.jp.40359: R 0:0(0) ack 215000532 win 0 (DF) 19:43:00.412861 TYO112.gate.nec.co.jp.40360 > KURO-BOX.www: S 215032407:215032407(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.412945 KURO-BOX.www > TYO112.gate.nec.co.jp.40360: R 0:0(0) ack 215032408 win 0 (DF) 19:43:00.433709 TYO112.gate.nec.co.jp.40361 > KURO-BOX.www: S 215087113:215087113(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.433793 KURO-BOX.www > TYO112.gate.nec.co.jp.40361: R 0:0(0) ack 215087114 win 0 (DF) 19:43:00.454575 TYO112.gate.nec.co.jp.40362 > KURO-BOX.www: S 215315797:215315797(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.454659 KURO-BOX.www > TYO112.gate.nec.co.jp.40362: R 0:0(0) ack 215315798 win 0 (DF) 19:43:00.475452 TYO112.gate.nec.co.jp.40363 > KURO-BOX.www: S 215372389:215372389(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.475525 KURO-BOX.www > TYO112.gate.nec.co.jp.40363: R 0:0(0) ack 215372390 win 0 (DF) 19:43:00.496312 TYO112.gate.nec.co.jp.40364 > KURO-BOX.www: S 215460353:215460353(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.496395 KURO-BOX.www > TYO112.gate.nec.co.jp.40364: R 0:0(0) ack 215460354 win 0 (DF) 19:43:00.517155 TYO112.gate.nec.co.jp.40365 > KURO-BOX.www: S 215514773:215514773(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.517238 KURO-BOX.www > TYO112.gate.nec.co.jp.40365: R 0:0(0) ack 215514774 win 0 (DF) 19:43:00.537998 TYO112.gate.nec.co.jp.40366 > KURO-BOX.www: S 215591460:215591460(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.538084 KURO-BOX.www > TYO112.gate.nec.co.jp.40366: R 0:0(0) ack 215591461 win 0 (DF) 19:43:00.558851 TYO112.gate.nec.co.jp.40369 > KURO-BOX.www: S 215637821:215637821(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.558933 KURO-BOX.www > TYO112.gate.nec.co.jp.40369: R 0:0(0) ack 215637822 win 0 (DF) 19:43:00.579732 TYO112.gate.nec.co.jp.40371 > KURO-BOX.www: S 215722455:215722455(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.579814 KURO-BOX.www > TYO112.gate.nec.co.jp.40371: R 0:0(0) ack 215722456 win 0 (DF) 19:43:00.600633 TYO112.gate.nec.co.jp.40372 > KURO-BOX.www: S 215797426:215797426(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.600707 KURO-BOX.www > TYO112.gate.nec.co.jp.40372: R 0:0(0) ack 215797427 win 0 (DF) 19:43:00.621433 TYO112.gate.nec.co.jp.40373 > KURO-BOX.www: S 215843733:215843733(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.621517 KURO-BOX.www > TYO112.gate.nec.co.jp.40373: R 0:0(0) ack 215843734 win 0 (DF) 19:43:00.642385 TYO112.gate.nec.co.jp.40374 > KURO-BOX.www: S 215887537:215887537(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.642467 KURO-BOX.www > TYO112.gate.nec.co.jp.40374: R 0:0(0) ack 215887538 win 0 (DF) 19:43:00.669181 TYO112.gate.nec.co.jp.40375 > KURO-BOX.www: S 215941071:215941071(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.669264 KURO-BOX.www > TYO112.gate.nec.co.jp.40375: R 0:0(0) ack 215941072 win 0 (DF) 19:43:00.690059 TYO112.gate.nec.co.jp.40376 > KURO-BOX.www: S 216015270:216015270(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.690142 KURO-BOX.www > TYO112.gate.nec.co.jp.40376: R 0:0(0) ack 216015271 win 0 (DF) 19:43:00.710950 TYO112.gate.nec.co.jp.40377 > KURO-BOX.www: S 216066985:216066985(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.711036 KURO-BOX.www > TYO112.gate.nec.co.jp.40377: R 0:0(0) ack 216066986 win 0 (DF) 19:43:00.731801 TYO112.gate.nec.co.jp.40378 > KURO-BOX.www: S 216101410:216101410(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.731874 KURO-BOX.www > TYO112.gate.nec.co.jp.40378: R 0:0(0) ack 216101411 win 0 (DF) 19:43:00.752725 TYO112.gate.nec.co.jp.40379 > KURO-BOX.www: S 216191843:216191843(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.752809 KURO-BOX.www > TYO112.gate.nec.co.jp.40379: R 0:0(0) ack 216191844 win 0 (DF) 19:43:00.773612 TYO112.gate.nec.co.jp.40380 > KURO-BOX.www: S 216263306:216263306(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.773694 KURO-BOX.www > TYO112.gate.nec.co.jp.40380: R 0:0(0) ack 216263307 win 0 (DF) 19:43:00.794807 TYO112.gate.nec.co.jp.40381 > KURO-BOX.www: S 216333040:216333040(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.794890 KURO-BOX.www > TYO112.gate.nec.co.jp.40381: R 0:0(0) ack 216333041 win 0 (DF) 19:43:00.815281 TYO112.gate.nec.co.jp.40382 > KURO-BOX.www: S 216366307:216366307(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.815366 KURO-BOX.www > TYO112.gate.nec.co.jp.40382: R 0:0(0) ack 216366308 win 0 (DF) 19:43:00.836180 TYO112.gate.nec.co.jp.40383 > KURO-BOX.www: S 216401225:216401225(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.836254 KURO-BOX.www > TYO112.gate.nec.co.jp.40383: R 0:0(0) ack 216401226 win 0 (DF) 19:43:00.856993 TYO112.gate.nec.co.jp.40384 > KURO-BOX.www: S 216455480:216455480(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.857075 KURO-BOX.www > TYO112.gate.nec.co.jp.40384: R 0:0(0) ack 216455481 win 0 (DF) 19:43:00.877892 TYO112.gate.nec.co.jp.40385 > KURO-BOX.www: S 216522065:216522065(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.877973 KURO-BOX.www > TYO112.gate.nec.co.jp.40385: R 0:0(0) ack 216522066 win 0 (DF) 19:43:00.898757 TYO112.gate.nec.co.jp.40386 > KURO-BOX.www: S 216592983:216592983(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.898838 KURO-BOX.www > TYO112.gate.nec.co.jp.40386: R 0:0(0) ack 216592984 win 0 (DF) 19:43:00.919555 TYO112.gate.nec.co.jp.40387 > KURO-BOX.www: S 216682906:216682906(0) win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]> (DF) 19:43:00.919637 KURO-BOX.www > TYO112.gate.nec.co.jp.40387: R 0:0(0) ack 216682907 win 0 (DF) port 80は閉じてあるのでResetを返答するだけなのだが、一見するとSYN flood攻撃としか見えない1秒の間に数十の異なるSYNパケットを送信してきている。 こういうことがまかり通るとは世も末である。今回のポート閉塞と直接の因果関係はないと思われるが、ちょっといやなものを見てしまった感じだ。 |
スレッド表示 | 新しいものから | 前のトピック | 次のトピック | トップ |
投稿するにはまず登録を | |