Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

From: Chris (christian.ritterat_private)
Date: Fri Dec 20 2002 - 12:53:16 PST

Previous message: Jonathan Rickman: "Re: Virus? Trojan?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The Same at my network here in germany.
Has anybody an idea?

Regards Chris


----- Original Message -----
From: "Tomasz Papszun" <tomek-incidat_private>
To: <incidentsat_private>
Sent: Thursday, January 30, 2003 7:03 PM
Subject: Packets from 255.255.255.255(80) (was: Packet from port 80 with
spoofed microsoft.com ip)


> On Thu, 30 Jan 2003 at 14:31:36 +1100, Keith Owens wrote:
> > On Wed, 29 Jan 2003 21:46:53 +1100,
> > Michael Rowe <mroweat_private> wrote:
> > >I received a packet on my cable modem today, allegedly from
> > >microsoft.com:
> > >
> > >18:41:35.663374 207.46.249.190.80 > my.cable.modem.ip.1681:
S866282571:866282571(0) ack 268566529 win 16384 <mss 1460>
> >
> > I am seeing a lot of sync/ack packets from port 80 to non-existent
> > addresses on my networks.  Somebody is spoofing source addresses to
> > attack hosts, we are just innocent victims.  When will ISPs learn that
> > they should filter their customer's packets to prevent spoofing?  I am
> > even seeing syn/ack packets from 255.255.255.255:80!
> >
>
> Similarly at my networks.
> Yesterday evening (Jan 29 21:10 GMT+1) a very noticeable stream of such
> packets started to come into my networks.
>
> All are TCP, from 255.255.255.255(80), destined to various random
> addresses (even not used) to various port numbers.
>
> This appearance is very noticeable. Before yesterday, single packets
> from 255.255.255.255 were coming in rate about one for three weeks.
> Since yesterday there have been about 1680 for 22 hours.
>
> --
>  Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
>  tomekat_private   http://www.lodz.tpsa.pl/   | ones and zeros.
>
> --------------------------------------------------------------------------
--
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Previous message: Jonathan Rickman: "Re: Virus? Trojan?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jan 31 2003 - 12:02:35 PST