Has anyone seen a DDoS tool that spoofs packets with the following sig.

17:31:00.586927 146.201.0.0.1525 > x.x.x.x.53: S 863830016:863830016(0) win 16384
17:31:00.587631 159.16.0.0.1881 > x.x.x.x.53: S 1406468096:1406468096(0) win 16384
17:31:00.588101 146.202.0.0.1487 > x.x.x.x.53: S 1303183360:1303183360(0) win 16384
17:31:00.588453 153.52.0.0.1713 > x.x.x.x.53: S 584646656:584646656(0) win 16384
17:31:00.588687 125.80.0.0.1719 > x.x.x.x.53: S 1109524480:1109524480(0) win 16384
17:31:00.588806 19.84.0.0.1098 > x.x.x.x.53: S 984547328:984547328(0) win 16384
17:31:00.589039 184.36.0.0.1410 > x.x.x.x.53: S 537985024:537985024(0) win 16384
17:31:00.589157 158.247.0.0.1446 > x.x.x.x.53: S 1401094144:1401094144(0) win 16384

All the IPs that were attacking us ended in 0.0, which we all know those IPs should not be sending packets to the internet to begin with. We were seeing this for every IP 0.0.0.0 - 255.255.0.0 coming inbound.

Thanks for any help.

--
Daniel Fairchild - Chief Security Engineer | danielfat_private
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
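
The signature described in the post above, written as a detection check over tcpdump output (an added example, not part of the original post): it parses lines in the format quoted there and flags bare SYNs to port 53 whose source address ends in .0.0. The function and trait names are assumptions, as is the extra check that the low 16 bits of the sequence number are zero, which holds for every line quoted in the post; the last sample line is constructed for contrast.

```python
import re
from collections import Counter

# Old-style tcpdump TCP line: time src.port > dst.port: flags seq:end(len) win N
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<flags>\S+) "
    r"(?P<seq>\d+):\d+\((?P<len>\d+)\) win (?P<win>\d+)"
)

# First three lines are taken from the post; the fourth is constructed.
SAMPLE = """\
17:31:00.586927 146.201.0.0.1525 > x.x.x.x.53: S 863830016:863830016(0) win 16384
17:31:00.587631 159.16.0.0.1881 > x.x.x.x.53: S 1406468096:1406468096(0) win 16384
17:31:00.588101 146.202.0.0.1487 > x.x.x.x.53: S 1303183360:1303183360(0) win 16384
17:31:02.100000 192.0.2.25.40112 > x.x.x.x.53: S 2771501234:2771501234(0) win 5840
"""

def parse(line):
    """Parse one tcpdump line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("sport", "dport", "seq", "len", "win"):
        pkt[key] = int(pkt[key])
    return pkt

def traits(pkt):
    """Names of the signature traits this packet shows (names are assumptions)."""
    checks = {
        "src_ends_0.0": pkt["src"].endswith(".0.0"),
        "seq_low16_zero": pkt["seq"] & 0xFFFF == 0,
        "bare_syn_to_53": (pkt["flags"], pkt["len"], pkt["dport"]) == ("S", 0, 53),
        "win_16384": pkt["win"] == 16384,
    }
    return {name for name, hit in checks.items() if hit}

def scan(text, min_traits=3):
    """Flag sources ending in .0.0 that show at least min_traits traits."""
    flagged, tally = [], Counter()
    for pkt in filter(None, map(parse, text.splitlines())):
        matched = traits(pkt)
        if "src_ends_0.0" in matched and len(matched) >= min_traits:
            flagged.append(pkt["src"])
            tally.update(matched)
    return flagged, tally

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Requiring the .0.0 source plus at least two further traits keeps an ordinary SYN to port 53, like the constructed fourth line, from being flagged.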
This archive was generated by hypermail 2b30 : Fri Jan 24 2003 - 10:57:06 PST