RE: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

From: Loki (loki@fatelabs.com)
Date: 01/31/03

  • Next message: Stephen A. Santos: "RE: klez variant??" 
    From: "Loki" <loki@fatelabs.com>
To: "'Tomasz Papszun'" <tomek-incid@lodz.tpsa.pl>, <incidents@securityfocus.com>
Date: Thu, 30 Jan 2003 19:58:12 -0600

     
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    That's really sad. You would think if they aren't going to do any "advanced" filtering, they would at least filter broadcast packets from network ingress. I've even seen ISP's allowing RFC1918 addresses in *sigh*

    ESH

    =====================================================
    Eric Hines
    Chairman, CEO, President
    Applied Watch Technologies
    "Innovations in Threat Management Technology Through
    Web to Desktop Convergence"
    - -----------------------------------------------------
    [w] http://www.appliedwatch.com
    [e] eric.hines@appliedwatch.com
    [p] (412) 303-3115
    - -----------------------------------------------------
    [a] Applied Watch Technologies
        149 Rossmor Court
        Pittsburgh, PA. 15229
    - -----------------------------------------------------
    This transmission may contain information that is
    privileged, confidential and/or exempt from disclosure
    under applicable law. If you are not the intended
    recipient, you are hereby notified that any disclosure,
    copying, distribution, or use of the information
    contained herein (including any reliance thereon) is
    STRICTLY PROHIBITED. If you received this transmission
    in error, please immediately contact the sender and
    destroy the material in its entirety, whether in
    electronic or hard copy format. Thank you.

    =====================================================

    - -----Original Message-----
    From: Tomasz Papszun [mailto:tomek-incid@lodz.tpsa.pl]
    Sent: Thursday, January 30, 2003 12:04 PM
    To: incidents@securityfocus.com
    Subject: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

    On Thu, 30 Jan 2003 at 14:31:36 +1100, Keith Owens wrote:
    > On Wed, 29 Jan 2003 21:46:53 +1100,
    > Michael Rowe <mrowe@mojain.com> wrote:
    > >I received a packet on my cable modem today, allegedly from
    > >microsoft.com:
    > >
    > >18:41:35.663374 207.46.249.190.80 > my.cable.modem.ip.1681:
    > >S866282571:866282571(0) ack 268566529 win 16384 <mss 1460>
    >
    > I am seeing a lot of sync/ack packets from port 80 to non-existent
    > addresses on my networks. Somebody is spoofing source addresses to
    > attack hosts, we are just innocent victims. When will ISPs learn that
    > they should filter their customer's packets to prevent spoofing? I am
    > even seeing syn/ack packets from 255.255.255.255:80!
    >

    Similarly at my networks.
    Yesterday evening (Jan 29 21:10 GMT+1) a very noticeable stream of such packets started to come into my networks.

    All are TCP, from 255.255.255.255(80), destined to various random addresses (even not used) to various port numbers.

    This appearance is very noticeable. Before yesterday, single packets from 255.255.255.255 were coming in rate about one for three weeks. Since yesterday there have been about 1680 for 22 hours.

    - --
     Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
     tomek@lodz.tpsa.pl http://www.lodz.tpsa.pl/ | ones and zeros.

    - ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0

    iQA/AwUBPjnXxorSwundLmFJEQI8SwCgosnRcBFAGXWKrBBJGVjDbcOa9hgAoJ8g
    7wWDgEc9IdeTO0+g5T4M5wLW
    =coF2
    -----END PGP SIGNATURE-----

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com