Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

From: Chris (christian.ritter@noc.homeunix.org)
Date: 12/20/02

    From: "Chris" <christian.ritter@noc.homeunix.org>
    To: <incidents@securityfocus.com>, "Tomasz Papszun" <tomek-incid@lodz.tpsa.pl>
    Date: Fri, 20 Dec 2002 21:53:16 +0100
    
    

    The same at my network here in Germany.
    Has anybody an idea?

    Regards Chris

    ----- Original Message -----
    From: "Tomasz Papszun" <tomek-incid@lodz.tpsa.pl>
    To: <incidents@securityfocus.com>
    Sent: Thursday, January 30, 2003 7:03 PM
    Subject: Packets from 255.255.255.255(80) (was: Packet from port 80 with
    spoofed microsoft.com ip)

    > On Thu, 30 Jan 2003 at 14:31:36 +1100, Keith Owens wrote:
    > > On Wed, 29 Jan 2003 21:46:53 +1100,
    > > Michael Rowe <mrowe@mojain.com> wrote:
    > > >I received a packet on my cable modem today, allegedly from
    > > >microsoft.com:
    > > >
    > > >18:41:35.663374 207.46.249.190.80 > my.cable.modem.ip.1681: S866282571:866282571(0) ack 268566529 win 16384 <mss 1460>
    > >
    > > I am seeing a lot of syn/ack packets from port 80 to non-existent
    > > addresses on my networks. Somebody is spoofing source addresses to
    > > attack hosts, we are just innocent victims. When will ISPs learn that
    > > they should filter their customer's packets to prevent spoofing? I am
    > > even seeing syn/ack packets from 255.255.255.255:80!
    > >
    >
    > Similarly at my networks.
    > Yesterday evening (Jan 29 21:10 GMT+1) a very noticeable stream of such
    > packets started to come into my networks.
    >
    > All are TCP, from 255.255.255.255(80), destined to various random
    > addresses (even not used) to various port numbers.
    >
    > This appearance is very noticeable. Before yesterday, single packets
    > from 255.255.255.255 were coming in rate about one for three weeks.
    > Since yesterday there have been about 1680 for 22 hours.
    >
    > --
    > Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
    > tomek@lodz.tpsa.pl http://www.lodz.tpsa.pl/ | ones and zeros.
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    >
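The SYN/ACK pattern discussed in this thread can be triaged from a capture, as an added example that is not part of any poster's message: it separates SYN/ACKs that answer a SYN the local network actually sent from unsolicited ones, and marks sources such as 255.255.255.255 that no real host can use. It assumes old-style tcpdump text output and a capture that includes the network's own outbound SYNs; the function names and the 192.0.2.x / 198.51.100.7 hosts are constructed for illustration.

```python
import ipaddress
import re

# Old-style tcpdump text line: "time src.port > dst.port: FLAGS seq ... [ack N] ..."
LINE = re.compile(
    r"^\S+ (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFPRWE.]+) ?(?P<rest>.*)$"
)
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")

# Constructed sample capture (local hosts use documentation addresses).
SAMPLE = """\
18:41:30.100000 192.0.2.10.40000 > 198.51.100.7.80: S 1000:1000(0) win 5840 <mss 1460>
18:41:30.150000 198.51.100.7.80 > 192.0.2.10.40000: S 2000:2000(0) ack 1001 win 16384 <mss 1460>
18:41:35.663374 207.46.249.190.80 > 192.0.2.10.1681: S 866282571:866282571(0) ack 268566529 win 16384 <mss 1460>
21:10:02.000000 255.255.255.255.80 > 192.0.2.77.3121: S 5000:5000(0) ack 6001 win 16384
21:10:09.000000 255.255.255.255.80 > 192.0.2.200.1025: S 7000:7000(0) ack 8001 win 16384
"""

def impossible_source(ip):
    # Addresses that can never be a legitimate unicast TCP source.
    a = ipaddress.IPv4Address(ip)
    return a == LIMITED_BROADCAST or a.is_multicast or a.is_unspecified or a.is_loopback

def classify_synacks(text):
    """Return (src, dst, verdict) for every SYN/ACK found in the capture text."""
    pending = set()   # (client, cport, server, sport) of SYNs already seen
    results = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m or "S" not in m["flags"]:
            continue
        src, sport, dst, dport = m["src"], int(m["sport"]), m["dst"], int(m["dport"])
        if not re.search(r"\back \d+", m["rest"]):
            pending.add((src, sport, dst, dport))   # plain SYN: remember the handshake
            continue
        if (dst, dport, src, sport) in pending:
            verdict = "solicited"                    # reply to a SYN we saw leave
        elif impossible_source(src):
            verdict = "unsolicited, impossible source"
        else:
            verdict = "unsolicited"                  # likely backscatter from spoofing
        results.append((src, dst, verdict))
    return results

if __name__ == "__main__":
    for row in classify_synacks(SAMPLE):
        print(row)
```
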