Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

From: Geert Kiers (kweb@kweb.on.ca)
Date: 02/02/03

  • Next message: Frederic Harster: "Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)"
    Date: Sun, 02 Feb 2003 12:45:32 -0500
    To: incidents@securityfocus.com
    From: Geert Kiers <kweb@kweb.on.ca>
    
    

    Greetings:

    First time contributor and not too well informed but hoping to add to the
    understanding of the issue at hand.

    I have been following this thread and its predecessor for the past few
    days. Having some time available, I elected to check one of my snort alert
    logs for occurances of the address 255.255.255.255. I found one. Then I
    checked prvoious recent logs and found not others. Here is the one and
    only one which snort recorded:

    [**] ICMP Destination Unreachable (Undefined Code!) [**]
    01/30-06:44:51.542691 211.172.208.11 -> a_KWeb_host_ip
    ICMP TTL:39 TOS:0x0 ID:10599 IpLen:20 DgmLen:76
    Type:3 Code:2 DESTINATION UNREACHABLE: PROTOCOL UNREACHABLE
    ** ORIGINAL DATAGRAM DUMP:
    a_KWeb_host_ip:29085 -> 255.255.255.255:80
    TCP TTL:129 TOS:0x0 ID:13954 IpLen:20 DgmLen:40
    ******** Seq: 0x5AA00000 Ack: 0xD3ED Win: 0xFFFF TcpLen: 52
    ** END OF DUMP

    The ip address of our host has been replaced with 'a_KWeb_host_ip'.
    The host is a Win NT 4 server sp6a (if it matters?). Since I have found
    only one, I am assuming that our host ip was spoofed and because I have
    snort logging everything it can, I happened to record this contribution.

    It means very little to me, but I hope it may help your understanding.

    Regards,

    Geert

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com