SANS ISC: ACK-SYNs from ICS IPs - Internet Security | DShield SANS ISC InfoSec Forums

ACK-SYNs from ICS IPs
Hi,
Since the beginning of December I'm seeing a lot of blocked ACK-SYNs on my Sophos UTM firewall every day, which all come from IPs on this list: https://isc.sans.edu/feeds/topips.txt
As far as I can see I have no system which is trying to establish a connection to one of these IP addresses.

The source port is always TCP/80 and the destination port is always TCP/28987. Mostly the "attack" begins around 04:00 a.m. CET and ends around 05:00 p.m. CET, but sometimes it goes on the whole day.
Here's an example from my log:

2016:12:19-04:08:53 jasnet ulogd[19766]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="xx:xx:xx:xx:xx:xx" dstmac="yy:yy:yy:yy:yy:yy" srcip="158.69.226.192" dstip="SOPHOS_UTM" proto="6" length="44" tos="0x00" prec="0x00" ttl="51" srcport="80" dstport="28987" tcpflags="ACK SYN"

I guess it's nothing bad, but I would like to understand what's going on.

Thank you,
Jas
JasMan

2 Posts
It looks like someone is spoofing your address to make these connections. This is a common technique to either DDoS these targets, or DDoS you with the reply traffic. Some devices will flood a network with SYN-ACKs if you don't reply with a Reset (try to configure your firewall not to just drop the packets, but to send a reset back; this may reduce the attack volume). Johannes

2792 Posts
ISC Handler
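A defender's way to confirm the pattern Johannes describes from the UTM log itself, as an added example that is not from this thread or from Sophos: parse the ulogd key="value" lines and flag SYN-ACKs that answer no SYN this firewall sent. The set of outbound SYNs and the extra sample lines are constructed assumptions.

```python
import re
from collections import Counter

# key="value" tokens as written by the Sophos UTM ulogd packetfilter log
_KV = re.compile(r'(\w+)="([^"]*)"')

def parse_ulogd(line):
    """Return the key/value fields of one ulogd packetfilter line as a dict."""
    return dict(_KV.findall(line))

def is_backscatter(rec, outbound_syns):
    """True for an unsolicited SYN-ACK: TCP, flags exactly ACK+SYN, and no
    SYN from our dstport to (srcip, srcport) recorded in outbound_syns.
    outbound_syns: set of (remote_ip, remote_port, local_port) strings,
    assumed to be built from the firewall's own outbound-connection log."""
    if rec.get("proto") != "6":
        return False
    if set(rec.get("tcpflags", "").split()) != {"ACK", "SYN"}:
        return False
    key = (rec.get("srcip"), rec.get("srcport"), rec.get("dstport"))
    return key not in outbound_syns

def summarize(lines, outbound_syns):
    """Count backscatter SYN-ACKs per local port hit and per remote source.
    Many distinct sources all answering toward one local port is the
    signature of a spoofed SYN flood that uses our address as its source."""
    per_port, per_src = Counter(), Counter()
    for line in lines:
        rec = parse_ulogd(line)
        if rec and is_backscatter(rec, outbound_syns):
            per_port[rec["dstport"]] += 1
            per_src[rec["srcip"]] += 1
    return per_port, per_src

# Constructed sample: two unsolicited SYN-ACKs modelled on the poster's log
# line (192.0.2.45 is a made-up second source) and one legitimate SYN-ACK
# answering a connection this firewall opened itself.
SAMPLE = [
    '2016:12:19-04:08:53 jasnet ulogd[19766]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="158.69.226.192" dstip="SOPHOS_UTM" proto="6" length="44" ttl="51" srcport="80" dstport="28987" tcpflags="ACK SYN"',
    '2016:12:19-04:09:11 jasnet ulogd[19766]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="192.0.2.45" dstip="SOPHOS_UTM" proto="6" length="44" ttl="49" srcport="80" dstport="28987" tcpflags="ACK SYN"',
    '2016:12:19-04:09:30 jasnet ulogd[19766]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="203.0.113.10" dstip="SOPHOS_UTM" proto="6" length="44" ttl="55" srcport="443" dstport="51234" tcpflags="ACK SYN"',
]
# constructed: the firewall itself opened 51234 -> 203.0.113.10:443 earlier
OUTBOUND_SYNS = {("203.0.113.10", "443", "51234")}

if __name__ == "__main__":
    print(summarize(SAMPLE, OUTBOUND_SYNS))
```

If the per-port counter concentrates on one local port while the per-source counter spreads across many addresses, the traffic is reply backscatter rather than anything a local host initiated.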
Thank you for your fast reply.

I will try to force an IP change. Hope it will help.
JasMan

2 Posts
Did you consider setting SYN cookies, if available on this device? JL

1 Posts
I work in a co-sharing workplace. I do blogging and writing. But when I try to reach more blog or article sites, some show "we don't allow 2 accounts on the same IP" and sometimes they show "your IP is blacklisted". I mailed them but they didn't respond. Any solution for this? Maybe other colleagues in this workplace have done something terrible on these sites, but is there any way I can get one new unique IP so that I can access those sites? thenortonsetup

1 Posts
