Packet from port 80 with spoofed microsoft.com ip

From: Michael Rowe (mrowe@mojain.com)
Date: 01/29/03

    Date: Wed, 29 Jan 2003 21:46:53 +1100
    From: Michael Rowe <mrowe@mojain.com>
    To: incidents@securityfocus.com
    
    

    Hi,

    I received a packet on my cable modem today, allegedly from
    microsoft.com:

    18:41:35.663374 207.46.249.190.80 > my.cable.modem.ip.1681: S866282571:866282571(0) ack 268566529 win 16384 <mss 1460>

    $ host 207.46.249.190
    Name: www.domestic.microsoft.com
    Address: 207.46.249.190
    Aliases: microsoft.com microsoft.net www.us.microsoft.com

    No one was home at this time, and no computer running windows was
    active, so I'm pretty sure this was not legit traffic (unless it was a
    *very* delayed ack from a microsoft server, like > 6 hours. I guess
    this is conceivable, given their current, er, issues :).

    Is this some sort of known "attack"? Or just random weirdness?

    Cheers,

    -- 
    Michael Rowe <mrowe@mojain.com>
    IM  - mrowe@jabber.org                Prof - ACM, IEEE, Computer Soc.
    Web - http://www.mojain.com/          Vice - Barley malt, brewed or
    Key - http://mojain.com/keys/mrowe.asc       distilled (hold the ice)
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
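A defender-side check for this kind of packet, added here as an example and not part of the original post: it parses the tcpdump line format quoted above, records the local host's own outbound SYNs, and flags any inbound SYN-ACK that answers none of them. That pattern, a SYN-ACK from a busy server's port 80 with no matching outbound SYN, is the classic signature of backscatter: a third party SYN-flooding that server with your address forged as the source, so the server's replies land on you instead. The LOCAL_HOSTS set and the sample capture are constructed.

```python
import re

# tcpdump 3.x TCP summary format as quoted in the post; the space between the
# flag letter and the sequence numbers is optional because the post lacks it.
TCP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRP.]+)\s*"
    r"(?:\d+:\d+\(\d+\))?\s*"
    r"(?P<ack>ack\s+\d+)?"
)
# Constructed: the poster's own host, written the way the capture shows it.
LOCAL_HOSTS = {"my.cable.modem.ip"}

def parse_line(line):
    """Parse one tcpdump line; None if it is not a TCP summary line."""
    m = TCP_LINE.match(line.strip())
    if m is None:
        return None
    p = m.groupdict()
    p["syn"] = "S" in p["flags"]
    p["ack"] = p["ack"] is not None
    return p

def classify_capture(text):
    """Return (timestamp, remote endpoint, verdict) for every SYN-ACK sent
    to a local host: 'expected' if the capture also shows our own SYN for
    that 4-tuple, 'unsolicited' if nothing we sent explains it."""
    pending = set()  # outbound SYNs seen: (local, lport, remote, rport)
    verdicts = []
    for line in text.splitlines():
        p = parse_line(line)
        if p is None or not p["syn"]:
            continue
        if p["src"] in LOCAL_HOSTS and not p["ack"]:
            pending.add((p["src"], p["sport"], p["dst"], p["dport"]))
        elif p["dst"] in LOCAL_HOSTS and p["ack"]:
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            verdict = "expected" if key in pending else "unsolicited"
            verdicts.append((p["ts"], f'{p["src"]}.{p["sport"]}', verdict))
    return verdicts

# Constructed sample: the post's packet, then a genuine handshake for contrast.
SAMPLE = """\
18:41:35.663374 207.46.249.190.80 > my.cable.modem.ip.1681: S866282571:866282571(0) ack 268566529 win 16384 <mss 1460>
18:42:10.000001 my.cable.modem.ip.1682 > 207.46.249.190.80: S 1000:1000(0) win 16384 <mss 1460>
18:42:10.120000 207.46.249.190.80 > my.cable.modem.ip.1682: S 2000:2000(0) ack 1001 win 16384 <mss 1460>
"""
RESULT = classify_capture(SAMPLE)  # port 1681: 'unsolicited', port 1682: 'expected'
```

A single unsolicited SYN-ACK proves little on its own, but a steady stream of them from one well-known server, all to ports you never opened, is worth reporting to that server's operators, since it means your address is being forged in a flood against them.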
    