Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

From: Peter Triller (ptriller@xebec.de)
Date: 01/31/03

Next message: Gary Flynn: "Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)"

Previous message: zmajd fully: "Re: Packet from port 80 with spoofed microsoft.com ip"
In reply to: Tomasz Papszun: "Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)"
Next in thread: Gary Flynn: "Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "Peter Triller" <ptriller@xebec.de>
To: <incidents@securityfocus.com>
Date: Fri, 31 Jan 2003 03:01:49 +0100

>I am seeing a lot of sync/ack packets from port 80 to non-existent
>addresses on my networks. Somebody is spoofing source addresses to
>attack hosts, we are just innocent victims. When will ISPs learn that
>they should filter their customer's packets to prevent spoofing? I am
> even seeing syn/ack packets from 255.255.255.255:80!

I cant see much reason in such packets, since they wont give any feedback.
sport 80 is obviously to bypass some firewalls.
But if he doesnt get feedback only 2 reasons pop into mind:
- an attack similar to the worm , but the random ports don't make sense then
- a very badly configured and/or broken piece of software/hadware.

Peter

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Next message: Gary Flynn: "Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)"
Previous message: zmajd fully: "Re: Packet from port 80 with spoofed microsoft.com ip"
In reply to: Tomasz Papszun: "Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)"
Next in thread: Gary Flynn: "Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)
... Somebody is spoofing source addresses to ... >>attack hosts, ... > I cant see much reason in such packets, since they wont give any feedback. ... These ICMP packets try to travel to... ...
(Incidents)
Re: What is going on with my Dialup?
... also forward it to an unused port, and have that port provide the ... verses the RST or ICMP 3,3. ... The lack of response causes the remote computer to make ... Others think that by not responding to unwanted packets, ...
(comp.os.linux.networking)
Re: Logs: Many hits with source port of 80
... The hits from source port 80 to dest port 37852 are IMHO almost ... you should probably see a couple other packets - perhaps ... packets if either you send the load balancer a packet, ... >>I have seen similar hits for the past three months. ...
(Incidents)
Re: Error 720 connecting to server via VPN
... By default the router's firewall is configured to drop ICMP packets ... Select WAN Setup> Advanced> Respond to Ping on Internet Port. ... server and the Internet allow GRE packets. ... routers on the user's network are also configured to allow GRE packets. ...
(microsoft.public.windows.server.sbs)
tcp oddities.
... After syn-scanning an IP block, ... suprise there was an smtp server sitting on port 25. ... 1353 packets received by filter ... Ethical Hacking at the InfoSec Institute. ...
(Pen-Test)