Need a little help

30FTTC06 · ‎18-02-2013

Can anybody explain what may be happening here please.
<84> Oct 6 10:59:41 IDS proto parser : tcp null port (1 of 2) : 192.99.37.41 83.216.143.115 0060 TCP 0->0 [S..RUP] seq 1578576465 win 6667
<84> Oct 6 11:07:53 IDS proto parser : tcp null port (1 of 1) : 211.110.212.10 83.216.143.115 0060 TCP 0->0 [S.AR..] seq 1578576465 ack 0 win 6667
<84> Oct 6 11:10:07 IDS proto parser : tcp null port (1 of 1) : 220.164.135.133 83.216.143.115 0060 TCP 0->0 [......] seq 3281651313 win 6667
<84> Oct 6 11:17:40 IDS proto parser : tcp null port (1 of 1) : 5.79.16.99 83.216.143.115 0060 TCP 0->0 [....U.] seq 624634229 win 6667
<84> Oct 6 11:21:24 IDS proto parser : tcp null port (1 of 1) : 195.154.107.243 83.216.143.115 0060 TCP 0->0 [.....P] seq 624639109 win 6667
<84> Oct 6 11:24:45 IDS proto parser : tcp null port (1 of 1) : 195.5.177.162 83.216.143.115 0060 TCP 0->0 [S.A..P] seq 1540996429 ack 0 win 6667
<84> Oct 6 11:26:14 IDS proto parser : tcp null port (1 of 1) : 82.222.7.139 83.216.143.115 0060 TCP 0->0 [S.A.U.] seq 1578576465 ack 0 win 6667
<84> Oct 6 11:27:33 IDS proto parser : tcp null port (1 of 1) : 185.54.0.21 83.216.143.115 0060 TCP 0->0 [SFA.U.] seq 624639109 ack 0 win 6667
<84> Oct 6 11:31:40 IDS proto parser : tcp null port (1 of 1) : 5.57.224.154 83.216.143.115 0060 TCP 0->0 [..ARUP] seq 624639109 ack 0 win 6667
<84> Oct 6 11:33:12 IDS proto parser : tcp null port (1 of 1) : 184.106.94.25 83.216.143.115 0060 TCP 0->0 [...RUP] seq 3233450190 win 6667
<84> Oct 6 11:41:13 IDS proto parser : tcp null port (1 of 1) : 202.225.0.127 83.216.143.115 0060 TCP 0->0 [.F...P] seq 3237042638 win 6667
<84> Oct 6 11:47:56 IDS proto parser : tcp null port (1 of 1) : 23.239.151.65 83.216.143.115 0060 TCP 0->0 [..ARU.] seq 3233450190 ack 0 win 6667
<84> Oct 6 11:58:42 IDS proto parser : tcp null port (1 of 2) : 80.86.81.28 83.216.143.115 0060 TCP 0->0 [S.ARU.] seq 3237042638 ack 0 win 6667
<84> Oct 6 12:00:17 IDS proto parser : tcp null port (1 of 1) : 46.184.254.122 83.216.143.115 0060 TCP 0->0 [S..RUP] seq 624639109 win 6667
<84> Oct 6 12:02:38 IDS proto parser : tcp null port (1 of 1) : 37.59.9.109 83.216.143.115 0060 TCP 0->0 [S..RU.] seq 3281651313 win 6667
<84> Oct 6 12:03:54 IDS proto parser : tcp null port (1 of 1) : 81.91.83.77 83.216.143.115 0060 TCP 0->0 [S..R..] seq 1054004090 win 6667
<84> Oct 6 12:09:30 IDS proto parser : tcp null port (1 of 2) : 31.204.159.14 83.216.143.115 0060 TCP 0->0 [.FA..P] seq 1578576465 ack 0 win 6667
<84> Oct 6 12:11:51 IDS proto parser : tcp null port (1 of 2) : 195.70.38.188 83.216.143.115 0060 TCP 0->0 [...R.P] seq 1540996429 win 6667
<84> Oct 6 12:17:17 IDS proto parser : tcp null port (1 of 1) : 188.226.164.184 83.216.143.115 0060 TCP 0->0 [..A.U.] seq 1578576465 ack 0 win 6667
<84> Oct 6 12:20:14 IDS proto parser : tcp null port (1 of 2) : 211.110.212.8 83.216.143.115 0060 TCP 0->0 [.F.R.P] seq 3281651313 win 6667
<84> Oct 6 12:21:57 IDS proto parser : tcp null port (1 of 1) : 195.154.97.60 83.216.143.115 0060 TCP 0->0 [SFARUP] seq 624639109 ack 0 win 6667
<84> Oct 6 12:25:50 IDS proto parser : tcp null port (1 of 1) : 95.110.202.254 83.216.143.115 0060 TCP 0->0 [...RU.] seq 1054004090 win 6667
It's been going on for a few days now, I've turned everything off apart from 2 AP's a local cache and my samknows box, I also changed ip about 20 mins ago and it is still happening.

ejs · ‎10-06-2010

I think I noticed a few tcp port zero to port zero packets in the firewall log also. Don't take it personally.

30FTTC06 · ‎18-02-2013

Cheers ejs,
I've ~~not~~ never seen that amount of stray packets hitting me every few minutes in all honesty

npr · ‎21-01-2013

Whatever it is I have the same here, 352 in the log most of which are for today.
eg:
ids signature list
tcp_null_port proto 352 log, drop enabled

30FTTC06 · ‎18-02-2013

Thanks for the command npr

Every few minutes for me, something new I dare say.

npr · ‎21-01-2013

I changed my IP address after my previous post, I haven't had a "tcp_null_port" scan since.

ejs · ‎10-06-2010

I saw some (46 in total) yesterday, I had a 46.208. IP then. I re-connected at about 7am this morning, now I have a 87.115. IP and the tcp port zero packets are still arriving (359 in total today so far).

Terranova667 · ‎19-02-2014

I have a ton of them also and i'm on a 87 IP to, no idea what's causing it

30FTTC06 · ‎18-02-2013

I might try another hop, but not tonight for fear of being lynched by the mob!
npr, would you care to enlighten us on which gateway/ip range you're on

ejs · ‎10-06-2010

Found this: Spoofed packets with Window Size 6667: Anybody else seeing this?
Not a lot of extra information unfortunately.

npr · ‎21-01-2013

Was previously on 46.208.119.??? when I was getting lots of "tcp_null_port" scans
Now on 87.114.85.??? since 2:05pm, only had one tcp_null_port scan at 8:15pm.

30FTTC06 · ‎18-02-2013

Cheers npr, I'll try tomorrow.
@ejs the only thing I see other than that is the usb saga.
Edit; added
in the last 10 minutes
tcp_null_port proto 3 log, drop
<84> Oct 6 20:51:27 IDS proto parser : tcp null port (1 of 1) : 209.94.191.202 87.113.249. 0060 TCP 0->0 [SFARU.] seq 1054004090 ack 0 win 6667
<84> Oct 6 20:53:01 IDS proto parser : tcp null port (1 of 1) : 221.12.172.35 87.113.249. 0060 TCP 0->0 [..ARU.] seq 1578576465 ack 0 win 6667
<84> Oct 6 20:56:57 IDS proto parser : tcp null port (1 of 1) : 192.95.30.185 87.113.249. 0060 TCP 0->0 [SFA.U.] seq 1540996429 ack 0 win 666

Marklichfield · ‎06-10-2014

I have been getting the same thing, but not just on plusnet. I also have it on my BT line and my Zen line. It's been happening since 10:13 PM on Sunday. The Internet Storm Centre seem to have noticed too:
https://isc.sans.edu/forums/diary/Spoofed+packets+with+Window+Size+6667+Anybody+else+seeing+this/187...
No idea what it is, but I have reported it to all 3 ISPs I know are affected.
UPDATE at 7:45 Am on Tuesday - it stopped at 1:55 AM this morning.

30FTTC06 · ‎18-02-2013

Hi Marklichfield,
Thank you for the info, mine also appears to stop at 1:53:03.
<84> Oct 7 01:53:32 IDS proto parser : tcp null port (1 of 1) : 64.187.123.252 195.166.136.xx 0060 TCP 0->0 [..A...] seq 62463910
ack 0 win 6667
Have you got any wisdom on this plusnet ?

Acassim · ‎11-06-2007

Afternoon all,
While there have no doubt been a few reports on this flying around the internet, we haven't had anything flagged internally that would cast any light on what this was. I've just reached out to a friend who works in the network security outside of the company to see if they've picked anything up so I'll post back if we get some details.

Need a little help

Need a little help

Re: Need a little help

Re: Need a little help

Re: Need a little help

Re: Need a little help

Re: Need a little help

Re: Need a little help

Re: Need a little help

Re: Need a little help

Re: Need a little help

Re: Need a little help

Re: Need a little help

Re: Need a little help

Re: Need a little help

Re: Need a little help