Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)
From: Gary Flynn (flynngn@jmu.edu)
Date: 01/30/03
- Previous message: Peter Triller: "Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)"
- In reply to: Tomasz Papszun: "Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)"
- Next in thread: Loki: "RE: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)"
Date: Thu, 30 Jan 2003 16:12:30 -0500
From: Gary Flynn <flynngn@jmu.edu>
To: Tomasz Papszun <tomek-incid@lodz.tpsa.pl>
Tomasz Papszun wrote:
> Similarly at my networks.
> Yesterday evening (Jan 29 21:10 GMT+1) a very noticeable stream of such
> packets started to come into my networks.
>
> All are TCP, from 255.255.255.255(80), destined to various random
> addresses (even not used) to various port numbers.
>
> This appearance is very noticeable. Before yesterday, single packets
> from 255.255.255.255 were coming in rate about one for three weeks.
> Since yesterday there have been about 1680 for 22 hours.
I noticed these too. Mine have the Ack and Reset bits set. Varying TTL
and ACK numbers. Started Jan 29 around 1500 EST. Coming in every few
seconds.
I haven't found anything going out that would cause it.
Some kind of back scatter?
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/30-14:34:56.589287 255.255.255.255:80 -> InternalAddress:14236
TCP TTL:238 TOS:0x0 ID:35439 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x231F0001 Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/30-14:35:07.893039 255.255.255.255:80 -> InternalAddress:27089
TCP TTL:239 TOS:0x0 ID:56658 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x3B750001 Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/30-14:35:09.084256 255.255.255.255:80 -> InternalAddress:30686
TCP TTL:240 TOS:0x0 ID:44866 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x41A60001 Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/30-14:35:16.911968 255.255.255.255:80 -> InternalAddress:28140
TCP TTL:243 TOS:0x0 ID:53522 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x78E20001 Win: 0x0 TcpLen: 20
--
Gary Flynn
Security Engineer - Technical Services
James Madison University
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
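A triage sketch for the packet dumps in the message above, added here and not part of the original post: it parses the three-line Snort records, keeps those whose source address can never be valid (limited broadcast as seen in the post and, as a generalization, multicast, unspecified and loopback), and summarizes flags, TTL spread and ACK numbers. The function names and the last sample record (192.0.2.10) are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# First three records are copied from the post; the fourth is constructed
# (documentation address 192.0.2.10) to show ordinary traffic is not flagged.
SAMPLE = """\
01/30-14:34:56.589287 255.255.255.255:80 -> InternalAddress:14236
TCP TTL:238 TOS:0x0 ID:35439 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x231F0001 Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/30-14:35:07.893039 255.255.255.255:80 -> InternalAddress:27089
TCP TTL:239 TOS:0x0 ID:56658 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x3B750001 Win: 0x0 TcpLen: 20
01/30-14:35:09.084256 255.255.255.255:80 -> InternalAddress:30686
TCP TTL:240 TOS:0x0 ID:44866 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x41A60001 Win: 0x0 TcpLen: 20
01/30-14:35:20.000000 192.0.2.10:80 -> InternalAddress:40000
TCP TTL:52 TOS:0x0 ID:1234 IpLen:20 DgmLen:40
***A**S* Seq: 0x1A2B3C4D Ack: 0x5E6F7081 Win: 0x16D0 TcpLen: 20
"""

# One record = address line, IP header line, TCP header line (flags are 12UAPRSF).
REC = re.compile(
    r"^\S+ (\S+):\d+ -> \S+:\d+\nTCP TTL:(\d+) .*\n"
    r"(\S{8}) Seq: (0x[0-9A-Fa-f]+) Ack: (0x[0-9A-Fa-f]+) Win: (0x[0-9A-Fa-f]+)", re.M)

def parse(text):
    """Yield one dict per TCP record; separator lines never match and are skipped."""
    for m in REC.finditer(text):
        src, ttl, flags, seq, ack, win = m.groups()
        yield {"src": src, "ttl": int(ttl), "flags": flags,
               "seq": int(seq, 16), "ack": int(ack, 16), "win": int(win, 16)}

def impossible_source(src):
    """True if src is an address that must never appear as a packet's source."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:  # sanitized or non-numeric field in the log
        return False
    return ip.is_multicast or ip.is_unspecified or ip.is_loopback or str(ip) == "255.255.255.255"

def summarize(text):
    bad = [r for r in parse(text) if impossible_source(r["src"])]
    ttls = [r["ttl"] for r in bad]
    return {"count": len(bad), "flags": Counter(r["flags"] for r in bad),
            "ttl_range": (min(ttls, default=None), max(ttls, default=None)),
            "ack_low16": sorted({r["ack"] & 0xFFFF for r in bad}),
            "seq_win_zero": all(r["seq"] == 0 and r["win"] == 0 for r in bad)}
```

On the sample, `summarize(SAMPLE)` reports three flagged records, all ACK+RST with zero sequence number and window, and every ACK number ending in the same low 16 bits.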