Packet from port 80 with spoofed microsoft.com ip

From: Michael Rowe (mrowe@mojain.com)
Date: 01/29/03

    Date: Wed, 29 Jan 2003 21:46:53 +1100
    From: Michael Rowe <mrowe@mojain.com>
    To: incidents@securityfocus.com
    
    

    Hi,

    I received a packet on my cable modem today, allegedly from
    microsoft.com:

    18:41:35.663374 207.46.249.190.80 > my.cable.modem.ip.1681: S 866282571:866282571(0) ack 268566529 win 16384 <mss 1460>

    $ host 207.46.249.190
    Name: www.domestic.microsoft.com
    Address: 207.46.249.190
    Aliases: microsoft.com microsoft.net www.us.microsoft.com

    No one was home at this time, and no computer running windows was
    active, so I'm pretty sure this was not legit traffic (unless it was a
    *very* delayed ack from a microsoft server, like > 6 hours. I guess
    this is conceivable, given their current, er, issues :).

    Is this some sort of known "attack"? Or just random weirdness?

    Cheers,

    -- 
    Michael Rowe <mrowe@mojain.com>
    IM  - mrowe@jabber.org                Prof - ACM, IEEE, Computer Soc.
    Web - http://www.mojain.com/          Vice - Barley malt, brewed or
    Key - http://mojain.com/keys/mrowe.asc       distilled (hold the ice)
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
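
One way to check whether a SYN-ACK like the one in the post answers anything the local host sent, as an added example that is not part of the original message: a genuine reply acknowledges the client's initial sequence number plus one, so each inbound SYN-ACK can be matched against earlier outbound SYNs in the same capture. The capture lines are constructed (192.0.2.10 stands in for the poster's elided address) and the function names are hypothetical.

```python
import re

# Old-style tcpdump TCP line: "time src.port > dst.port: FLAGS seq:seq(len) [ack N] ..."
# The space after FLAGS is optional because archived copies sometimes lose it.
LINE = re.compile(
    r"^\S+ (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFPRWE.]+)\s*(?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))?"
)

def parse(line):
    """Parse one line into a dict, or return None if it is not a TCP line with a seq range."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["seq"] = int(rec["seq"])
    rec["ack"] = int(rec["ack"]) if rec["ack"] else None
    return rec

def unsolicited_synacks(lines):
    """Return SYN-ACK records that answer no SYN seen earlier in the capture."""
    expected = set()  # (client, cport, server, sport, ack the server must send)
    hits = []
    for rec in filter(None, map(parse, lines)):
        if "S" not in rec["flags"]:
            continue
        if rec["ack"] is None:  # plain SYN: a real reply acknowledges ISN + 1
            expected.add((rec["src"], rec["sport"], rec["dst"], rec["dport"],
                          (rec["seq"] + 1) % 2**32))
        elif (rec["dst"], rec["dport"], rec["src"], rec["sport"], rec["ack"]) not in expected:
            hits.append(rec)
    return hits

# Constructed capture: lines 1-2 are a normal handshake; line 3 reuses the values
# from the post, with 192.0.2.10 standing in for the elided local address.
CAPTURE = """\
18:40:01.000001 192.0.2.10.1700 > 198.51.100.7.80: S 1000:1000(0) win 65535 <mss 1460>
18:40:01.050000 198.51.100.7.80 > 192.0.2.10.1700: S 5000:5000(0) ack 1001 win 16384 <mss 1460>
18:41:35.663374 207.46.249.190.80 > 192.0.2.10.1681: S 866282571:866282571(0) ack 268566529 win 16384 <mss 1460>
""".splitlines()

if __name__ == "__main__":
    for rec in unsolicited_synacks(CAPTURE):
        print("no matching SYN for SYN-ACK from %(src)s:%(sport)s to port %(dport)s" % rec)
```

A SYN sent before the capture started also shows up as unmatched, so the result is only meaningful for a capture that covers the whole window in question.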