Re: Packet from port 80 with spoofed microsoft.com ip
From: Keith Owens (kaos@ocs.com.au)
Date: 01/30/03
From: Keith Owens <kaos@ocs.com.au> To: incidents@securityfocus.com Date: Thu, 30 Jan 2003 14:31:36 +1100
On Wed, 29 Jan 2003 21:46:53 +1100,
Michael Rowe <mrowe@mojain.com> wrote:
>I received a packet on my cable modem today, allegedly from
>microsoft.com:
>
>18:41:35.663374 207.46.249.190.80 > my.cable.modem.ip.1681: S866282571:866282571(0) ack 268566529 win 16384 <mss 1460>
I am seeing a lot of syn/ack packets from port 80 to non-existent
addresses on my networks. Somebody is spoofing source addresses to
attack hosts; we are just innocent victims. When will ISPs learn that
they should filter their customers' packets to prevent spoofing? I am
even seeing syn/ack packets from 255.255.255.255:80!
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
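
An added example, not part of the original message or thread: a small Python triage script that reads old-style tcpdump lines like the one quoted above and separates SYN/ACKs that answer a SYN the local network actually sent from unsolicited ones (backscatter) and from ones carrying a source address no host can own. The function name, the local network `192.0.2.0/24` and the sample lines are assumptions constructed for the illustration.

```python
import ipaddress
import re

# Old-style tcpdump TCP line: "time src.port > dst.port: flags rest".
# The flags/sequence gap is optional because the quoted line has "S866282571".
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[SFPRWE.]+)\s?(?P<rest>.*)$"
)
BROADCAST = ipaddress.ip_address("255.255.255.255")

def find_backscatter(lines, local_net):
    """Return (ts, src, sport, dst, verdict) for SYN/ACKs nobody here asked for."""
    net = ipaddress.ip_network(local_net)
    pending = set()  # (local ip, local port, remote ip, remote port) of SYNs we sent
    findings = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m or "S" not in m["flags"]:
            continue  # not a parsable TCP line, or not a SYN / SYN-ACK
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        sport, dport = int(m["sport"]), int(m["dport"])
        if re.search(r"\back \d+", m["rest"]) is None:
            if src in net:  # plain SYN leaving our network: remember it
                pending.add((src, sport, dst, dport))
            continue
        if dst not in net or (dst, dport, src, sport) in pending:
            continue  # not addressed to us, or a reply to a SYN we sent
        impossible = src == BROADCAST or src.is_multicast or src.is_reserved
        verdict = "impossible-source" if impossible else "unsolicited-synack"
        findings.append((m["ts"], str(src), sport, str(dst), verdict))
    return findings

# Constructed sample capture (documentation address ranges, made-up numbers).
SAMPLE = """\
10:00:00.000001 192.0.2.10.40000 > 198.51.100.5.80: S 1000:1000(0) win 5840 <mss 1460>
10:00:00.050000 198.51.100.5.80 > 192.0.2.10.40000: S 2000:2000(0) ack 1001 win 16384 <mss 1460>
10:00:01.000000 203.0.113.7.80 > 192.0.2.99.1681: S5000:5000(0) ack 6001 win 16384 <mss 1460>
10:00:02.000000 255.255.255.255.80 > 192.0.2.200.2222: S 3000:3000(0) ack 4001 win 16384 <mss 1460>
""".splitlines()

if __name__ == "__main__":
    for finding in find_backscatter(SAMPLE, "192.0.2.0/24"):
        print(finding)
```

The pending-SYN set only works if the capture includes outbound traffic; on an inbound-only capture every SYN/ACK will be reported as unsolicited.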