On Thursday 30 January 2003 03:31, Keith Owens wrote:
>I am seeing a lot of syn/ack packets from port 80 to non-existent
>addresses on my networks. Somebody is spoofing source addresses to
>attack hosts, we are just innocent victims. When will ISPs learn that
>they should filter their customers' packets to prevent spoofing? I am
>even seeing syn/ack packets from 255.255.255.255:80!

Ditto, started getting these earlier on today (and also others from there
going to 1080 and 3128). They definitely _aren't_ backscatter but I'm
equally amazed that they get through.

Interestingly snort fingered some of the port 80 probes as possible
Backdoor Q accesses.

cheers
john

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
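One way to triage the kind of traffic discussed in this thread, as an added example that is not part of either post: it sorts inbound SYN/ACK packets into solicited replies, packets with an impossible source such as 255.255.255.255, and unsolicited packets aimed at unused addresses. The log format, the documentation-range addresses, the `triage` function and the martian list (a partial one) are all assumptions constructed for illustration.

```python
import ipaddress
import re

# Source ranges that cannot be a legitimate origin for Internet traffic.
# Illustrative subset only, not a complete bogon list.
MARTIAN_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed tcpdump-style line: "IP src.sport > dst.dport: Flags [S.]"
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]")

# Constructed sample capture; 192.0.2.0/24 stands in for the local network.
SAMPLE = [
    "IP 192.0.2.10.40000 > 198.51.100.5.80: Flags [S]",
    "IP 198.51.100.5.80 > 192.0.2.10.40000: Flags [S.]",
    "IP 203.0.113.9.80 > 192.0.2.200.1042: Flags [S.]",
    "IP 255.255.255.255.80 > 192.0.2.10.1043: Flags [S.]",
    "IP 203.0.113.9.80 > 192.0.2.10.1044: Flags [S.]",
]

def triage(lines, local_net, live_hosts):
    """Return a verdict for every inbound SYN/ACK, in capture order."""
    net = ipaddress.ip_network(local_net)
    live = {ipaddress.ip_address(h) for h in live_hosts}
    pending = set()  # outbound SYNs still waiting for a SYN/ACK
    verdicts = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[3])
        sport, dport, flags = int(m[2]), int(m[4]), m[5]
        if flags == "S" and src in net:
            pending.add((src, sport, dst, dport))
        elif flags == "S." and dst in net:
            if any(src in bad for bad in MARTIAN_SOURCES):
                verdicts.append("martian-source")       # drop at the border
            elif (dst, dport, src, sport) in pending:
                verdicts.append("solicited")            # reply to our own SYN
            elif dst not in live:
                verdicts.append("unsolicited-dark-address")
            else:
                verdicts.append("unsolicited")
    return verdicts

if __name__ == "__main__":
    for verdict in triage(SAMPLE, "192.0.2.0/24", ["192.0.2.10"]):
        print(verdict)
```
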
This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 10:35:00 PST