Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

From: Geert Kiers (kweb@kweb.on.ca)
Date: 02/02/03

  • Next message: Frederic Harster: "Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)" 
    Date: Sun, 02 Feb 2003 12:45:32 -0500
To: incidents@securityfocus.com
From: Geert Kiers <kweb@kweb.on.ca>

    Greetings:

    First time contributor and not too well informed but hoping to add to the
    understanding of the issue at hand.

    I have been following this thread and its predecessor for the past few
    days. Having some time available, I elected to check one of my snort alert
    logs for occurances of the address 255.255.255.255. I found one. Then I
    checked prvoious recent logs and found not others. Here is the one and
    only one which snort recorded:

    [**] ICMP Destination Unreachable (Undefined Code!) [**]
    01/30-06:44:51.542691 211.172.208.11 -> a_KWeb_host_ip
    ICMP TTL:39 TOS:0x0 ID:10599 IpLen:20 DgmLen:76
    Type:3 Code:2 DESTINATION UNREACHABLE: PROTOCOL UNREACHABLE
    ** ORIGINAL DATAGRAM DUMP:
    a_KWeb_host_ip:29085 -> 255.255.255.255:80
    TCP TTL:129 TOS:0x0 ID:13954 IpLen:20 DgmLen:40
    ******** Seq: 0x5AA00000 Ack: 0xD3ED Win: 0xFFFF TcpLen: 52
    ** END OF DUMP

    The ip address of our host has been replaced with 'a_KWeb_host_ip'.
    The host is a Win NT 4 server sp6a (if it matters?). Since I have found
    only one, I am assuming that our host ip was spoofed and because I have
    snort logging everything it can, I happened to record this contribution.

    It means very little to me, but I hope it may help your understanding.

    Regards,

    Geert

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com

    Relevant Pages

    • RE: just starting as Traffic Analyst
      ... GIAC Certified Intrusion Analysts have the knowledge, skills, and abilities to configure and monitor intrusion detection systems, and to read, interpret, and analyze network traffic and related log files. ... The candidate will show a fundamental understanding of abnormal looking network traffic that results from specific hacking techniques. ... The candidate will demonstrate a fundamental understanding of advanced Snort concepts such as rule ordering, ... Information Assurance/Network Security Manager ...
      (Security-Basics)
    • Re: Expect & Multiprocessor Host Anomaly
      ... > host and have since observed some odd behavior that defies my ... > curveball here is that on single processor machines I never get the 'eof' ... On a multprocessor host the ... Either your system is fundamentally broken or my understanding is. ...
      (comp.lang.tcl)
    • RE: Unwrap returns VT_RECORD instead of VT_DISPATCH??
      ... Based on my understanding, so far you can host the managed C++ in the ... If I have any misunderstanding, please feel free to post here. ... Get Secure! ...
      (microsoft.public.dotnet.framework.interop)
    • Re: Remoting using http limited?
      ... it is my understanding that you will get that limit only if you host ... the object in iis. ... The real question is why are you trying to pass ...
      (microsoft.public.dotnet.framework.remoting)
    • Re: Kelly Earnhardt ???????
      ... Apparently you hooked two at once there, Dan. ... Snort! ... Yer so far from understanding an inside joke, ...
      (rec.autos.sport.nascar)