>I am seeing a lot of sync/ack packets from port 80 to non-existent >addresses on my networks. Somebody is spoofing source addresses to >attack hosts, we are just innocent victims. When will ISPs learn that >they should filter their customer's packets to prevent spoofing? I am > even seeing syn/ack packets from 255.255.255.255:80! I cant see much reason in such packets, since they wont give any feedback. sport 80 is obviously to bypass some firewalls. But if he doesnt get feedback only 2 reasons pop into mind: - an attack similar to the worm , but the random ports don't make sense then - a very badly configured and/or broken piece of software/hadware. Peter ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Jan 31 2003 - 11:30:10 PST