Re: Packet from port 80 with spoofed microsoft.com ip
From: H C (keydet89@yahoo.com)
Date: 01/29/03
Date: Wed, 29 Jan 2003 12:01:42 -0800 (PST)
From: H C <keydet89@yahoo.com>
To: incidents@securityfocus.com

How does an ACK packet constitute an "attack"?

Did you run netstat on your system to view the states of connections on that system?

How did you determine that the packet had been spoofed?

--- Michael Rowe <mrowe@mojain.com> wrote:
> Hi,
>
> I received a packet on my cable modem today, allegedly from
> microsoft.com:
>
> 18:41:35.663374 207.46.249.190.80 > my.cable.modem.ip.1681: S866282571:866282571(0) ack 268566529 win 16384 <mss 1460>
>
> $ host 207.46.249.190
> Name: www.domestic.microsoft.com
> Address: 207.46.249.190
> Aliases: microsoft.com microsoft.net www.us.microsoft.com
>
> No one was home at this time, and no computer running windows was
> active, so I'm pretty sure this was not legit traffic (unless it was a
> *very* delayed ack from a microsoft server, like > 6 hours. I guess
> this is conceivable, given their current, er, issues :).
>
> Is this some sort of known "attack"? Or just random weirdness?
>
> Cheers,
>
> --
> Michael Rowe <mrowe@mojain.com>
>
> IM  - mrowe@jabber.org                   Prof - ACM, IEEE, Computer Soc.
> Web - http://www.mojain.com/             Vice - Barley malt, brewed or
> Key - http://mojain.com/keys/mrowe.asc          distilled (hold the ice)
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
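The netstat check raised in the reply can be scripted. The following is an added example, not part of the original thread: it parses the quoted tcpdump line and looks for a local socket with the same ports and remote address. The netstat samples are constructed, the Linux `netstat -tan` column layout is assumed, and all function names are hypothetical.

```python
import re

# tcpdump line as quoted in the thread (address placeholder kept as posted).
PACKET = ("18:41:35.663374 207.46.249.190.80 > my.cable.modem.ip.1681: "
          "S866282571:866282571(0) ack 268566529 win 16384 <mss 1460>")
# Constructed netstat samples (documentation address ranges), assumed layout.
NETSTAT_IDLE = """\
Proto Recv-Q Send-Q Local Address      Foreign Address      State
tcp        0      0 0.0.0.0:22         0.0.0.0:*            LISTEN
tcp        0      0 192.0.2.10:22      198.51.100.7:51514   ESTABLISHED
"""
NETSTAT_SYN_SENT = NETSTAT_IDLE + (
    "tcp        0      1 192.0.2.10:1681    207.46.249.190:80    SYN_SENT\n")

PKT_RE = re.compile(
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFPR.]+)(?:\s*\d+:\d+\(\d+\))?(?P<ack> ack \d+)?")
NETSTAT_RE = re.compile(
    r"^tcp\S*\s+\d+\s+\d+\s+\S+[:.](?P<lport>\d+)\s+"
    r"(?P<raddr>\S+)[:.](?P<rport>\d+)\s+(?P<state>[A-Z_0-9]+)")

def parse_packet(line):
    """Extract endpoints and classify the flags of a tcpdump summary line."""
    m = PKT_RE.search(line)
    if not m:
        raise ValueError("not a tcpdump TCP summary line")
    # 'S' together with an ack number is the second step of the handshake.
    kind = "SYN-ACK" if "S" in m["flags"] and m["ack"] else m["flags"]
    return {"src": m["src"], "sport": int(m["sport"]),
            "dport": int(m["dport"]), "kind": kind}

def socket_state(pkt, netstat_text):
    """Return the state of the local socket matching the packet, or None."""
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if (m and int(m["lport"]) == pkt["dport"]
                and m["raddr"] == pkt["src"] and int(m["rport"]) == pkt["sport"]):
            return m["state"]
    return None

def triage(line, netstat_text):
    pkt = parse_packet(line)
    if pkt["kind"] != "SYN-ACK":
        return "not a SYN-ACK"
    state = socket_state(pkt, netstat_text)
    if state == "SYN_SENT":
        return "expected: reply to a connection this host opened"
    if state is not None:
        return "retransmitted SYN-ACK for socket in " + state
    return "unsolicited: no local socket for these ports and peer"
```

The result is only meaningful when the netstat output was captured close to the packet's timestamp, since closed sockets drop out of the listing.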