RE: Lots of initial TCP packets with same sequence number

André Paulsberg-Csibi (IBM Consultant) <Andre.Paulsberg-Csibi@xxxxxxxx> · Tue, 2 Jan 2018 09:11:11 +0000

That is quite normal , portscanning over short periods will have massive amounts of random SOURCE IP's looking for same set of open ports to exploit .
Typically that will if using the same tool ( or same settings on the tool ) come up with identical SEQUENCE and SOURCE PORTS also .

After some weeks they might change slightly or come from another set off "identicals" , doing the same stuff or using similar tools .

Best regards
André Paulsberg-Csibi
Senior Network Engineer 
IBM Services AS

-----Original Message-----
From: netfilter-owner@xxxxxxxxxxxxxxx [mailto:netfilter-owner@xxxxxxxxxxxxxxx] On Behalf Of James
Sent: Monday, January 1, 2018 3:10 PM
To: Netfilter Users Mailing list <netfilter@xxxxxxxxxxxxxxx>
Subject: Lots of initial TCP packets with same sequence number

About 24 hours ago, I decided to start logging sequence numbers for the TCP "ct state new" packets that I drop in my initial screening rules.

The result appears quite fascinating... and smells quite fishy: just about half of these packets have the same (non-zero) sequence number.

The destination ports are mostly 23, trailing off to 22, 2323, and 2222, which only further adds to the smell.

1) Is anyone else seeing this?

2) Does anyone know what this is?

Thanks.

-- 

  - James
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at  https://emea01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fvger.kernel.org%2Fmajordomo-info.html&data=02%7C01%7C%7C76aa984a71d547d0dd1f08d5512247c3%7C40cc2915e2834a2794716bdd7ca4c6e1%7C1%7C0%7C636504130062792068&sdata=UbpzOQdFU%2FEtQ2JB%2BGC7onrKgMW%2B5sH8c8uJpQGDp%2F0%3D&reserved=0
��.n��������+%������w��{.n����z��׫�)��jg��������ݢj����G�������j:+v���w�m������w�������h�����٥