Packet from port 80 with spoofed microsoft.com ip

From: Michael Rowe (mrowe@mojain.com)
Date: 01/29/03

  • Next message: jeremy.ford@advancepcs.com: "RE: MSDE contained in..." 
    Date: Wed, 29 Jan 2003 21:46:53 +1100
From: Michael Rowe <mrowe@mojain.com>
To: incidents@securityfocus.com

    Hi,

    I received a packet on my cable modem today, allegedly from
    microsoft.com:

    18:41:35.663374 207.46.249.190.80 > my.cable.modem.ip.1681: S866282571:866282571(0) ack 268566529 win 16384 <mss 1460>

    $ host 207.46.249.190
    Name: www.domestic.microsoft.com
    Address: 207.46.249.190
    Aliases: microsoft.com microsoft.net www.us.microsoft.com

    No one was home at this time, and no computer running windows was
    active, so I'm pretty sure this was not legit traffic (unless it was a
    *very* delayed ack from a microsoft server, like > 6 hours. I guess
    this is conceivable, given their current, er, issues :).

    Is this some sort of known "attack"? Or just random weiredness?

    Cheers, 

    -- 
Michael Rowe <mrowe@mojain.com>
IM  - mrowe@jabber.org                Prof - ACM, IEEE, Computer Soc.
Web - http://www.mojain.com/          Vice - Barley malt, brewed or
Key - http://mojain.com/keys/mrowe.asc       distilled (hold the ice)
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

    Relevant Pages

    • Re: Packet from port 80 with spoofed microsoft.com ip
      ... > MR> I received a packet on my cable modem today, ... > MR> $ host 207.46.249.190 ... OrgName: Microsoft Corp ...
      (Incidents)
    • Re: Strange pings from 127.0.0.1
      ... I know you said the MAC address is also spoofed but this might help anyway: ... that are reporting port scans to their network all of which have a source ... Infected host picks address as source address and sends Syn packet to ... TCP/IP stack receives packet, responds with reset (if there is nothing ...
      (Security-Basics)
    • [Full-disclosure] Making unidirectional VLAN and PVLAN jumping bidirectional
      ... Wepwedgie, a tool by Anton Rager for traffic injection on 802.11 networks protected by WEP, solves the problem of unidirectional communication by bouncing packets from the target host to a third external host under the attackers control. ... We employ exactly the same principle to bypass both VLAN and PVLAN network segmentation. ... The attacker tags his malicious data with two 802.1q tags and sends the packet with a spoofed source IP of a host under his or her control. ...
      (Full-Disclosure)
    • Making unidirectional VLAN and PVLAN jumping bidirectional
      ... Wepwedgie, a tool by Anton Rager for traffic injection on 802.11 networks protected by WEP, solves the problem of unidirectional communication by bouncing packets from the target host to a third external host under the attackers control. ... We employ exactly the same principle to bypass both VLAN and PVLAN network segmentation. ... The attacker tags his malicious data with two 802.1q tags and sends the packet with a spoofed source IP of a host under his or her control. ...
      (Bugtraq)
    • Re: Tons of Source port 80 to random Dest Port Traffic
      ... from the same consumer DSL equipment) that have a src port of 80 and a ... Host is not a proxy, just a firewalled webserver with only port 80 ... ACK is the first reply packet when attempting to establish a TCP ... From Q1, Q2, If the host is not a proxy server and there are SYN packets. ...
      (Security-Basics)