Re: Packet from port 80 with spoofed microsoft.com ip
From: dr john halewood (john@frumious.unidec.co.uk)
Date: 01/30/03
- Previous message: Michael Rowe: "Re: Packet from port 80 with spoofed microsoft.com ip"
- In reply to: Keith Owens: "Re: Packet from port 80 with spoofed microsoft.com ip"
- Next in thread: Tomasz Papszun: "Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: dr john halewood <john@frumious.unidec.co.uk> To: incidents@securityfocus.com Date: Thu, 30 Jan 2003 18:10:29 +0000
On Thursday 30 January 2003 03:31, Keith Owens wrote:
>I am seeing a lot of sync/ack packets from port 80 to non-existent
>addresses on my networks. Somebody is spoofing source addresses to
>attack hosts, we are just innocent victims. When will ISPs learn that
>they should filter their customer's packets to prevent spoofing? I am
>even seeing syn/ack packets from 255.255.255.255:80!
Ditto, started getting these earlier on today (and also others from there
going to 1080 and 3128). They definitely _aren't_ backscatter but I'm equally
amazed that they get through. Interestingly snort fingered some of the port
80 probes as possible Backdoor Q accesses.
cheers
john
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
- Next message: Michael Rowe: "Re: Packet from port 80 with spoofed microsoft.com ip"
- Previous message: Michael Rowe: "Re: Packet from port 80 with spoofed microsoft.com ip"
- In reply to: Keith Owens: "Re: Packet from port 80 with spoofed microsoft.com ip"
- Next in thread: Tomasz Papszun: "Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
