The Same at my network here in germany. Has anybody an idea? Regards Chris ----- Original Message ----- From: "Tomasz Papszun" <tomek-incidat_private> To: <incidentsat_private> Sent: Thursday, January 30, 2003 7:03 PM Subject: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) > On Thu, 30 Jan 2003 at 14:31:36 +1100, Keith Owens wrote: > > On Wed, 29 Jan 2003 21:46:53 +1100, > > Michael Rowe <mroweat_private> wrote: > > >I received a packet on my cable modem today, allegedly from > > >microsoft.com: > > > > > >18:41:35.663374 207.46.249.190.80 > my.cable.modem.ip.1681: S866282571:866282571(0) ack 268566529 win 16384 <mss 1460> > > > > I am seeing a lot of sync/ack packets from port 80 to non-existent > > addresses on my networks. Somebody is spoofing source addresses to > > attack hosts, we are just innocent victims. When will ISPs learn that > > they should filter their customer's packets to prevent spoofing? I am > > even seeing syn/ack packets from 255.255.255.255:80! > > > > Similarly at my networks. > Yesterday evening (Jan 29 21:10 GMT+1) a very noticeable stream of such > packets started to come into my networks. > > All are TCP, from 255.255.255.255(80), destined to various random > addresses (even not used) to various port numbers. > > This appearance is very noticeable. Before yesterday, single packets > from 255.255.255.255 were coming in rate about one for three weeks. > Since yesterday there have been about 1680 for 22 hours. > > -- > Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only > tomekat_private http://www.lodz.tpsa.pl/ | ones and zeros. > > -------------------------------------------------------------------------- -- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Jan 31 2003 - 12:02:35 PST