Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

From: Gary Flynn (flynngnat_private)
Date: Thu Jan 30 2003 - 13:12:30 PST


    Tomasz Papszun wrote:
    
    > Similarly at my networks.
    > Yesterday evening (Jan 29 21:10 GMT+1) a very noticeable stream of such
    > packets started to come into my networks.
    > 
    > All are TCP, from 255.255.255.255(80), destined to various random
    > addresses (even unused ones) and to various port numbers.
    > 
    > This appearance is very noticeable. Before yesterday, single packets
    > from 255.255.255.255 were coming in at a rate of about one every three
    > weeks. Since yesterday there have been about 1680 in 22 hours.
    
    I noticed these too. Mine have the Ack and Reset bits set. Varying TTL
    and ACK numbers. Started Jan 29 around 1500 EST. Coming in every few
    seconds.
    
    I haven't found anything going out that would cause it.
    
    Some kind of back scatter?
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    01/30-14:34:56.589287 255.255.255.255:80 -> InternalAddress:14236
    TCP TTL:238 TOS:0x0 ID:35439 IpLen:20 DgmLen:40
    ***A*R** Seq: 0x0  Ack: 0x231F0001  Win: 0x0  TcpLen: 20
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    01/30-14:35:07.893039 255.255.255.255:80 -> InternalAddress:27089
    TCP TTL:239 TOS:0x0 ID:56658 IpLen:20 DgmLen:40
    ***A*R** Seq: 0x0  Ack: 0x3B750001  Win: 0x0  TcpLen: 20
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    01/30-14:35:09.084256 255.255.255.255:80 -> InternalAddress:30686
    TCP TTL:240 TOS:0x0 ID:44866 IpLen:20 DgmLen:40
    ***A*R** Seq: 0x0  Ack: 0x41A60001  Win: 0x0  TcpLen: 20
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    01/30-14:35:16.911968 255.255.255.255:80 -> InternalAddress:28140
    TCP TTL:243 TOS:0x0 ID:53522 IpLen:20 DgmLen:40
    ***A*R** Seq: 0x0  Ack: 0x78E20001  Win: 0x0  TcpLen: 20
    
    
    -- 
    Gary Flynn
    Security Engineer - Technical Services
    James Madison University
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
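
Added example, not part of the original post: a Python parser for alerts in the layout quoted above that profiles packets claiming 255.255.255.255 as their source (count, TCP flags, TTL range, low 16 bits of the Ack number, destination ports). The sample text is constructed; its destination addresses and the third, ordinary record are placeholders, and the function names are this example's own.

```python
import re
from collections import Counter

BROADCAST = "255.255.255.255"  # limited broadcast: never valid as a source address

# Constructed sample in the alert layout shown in the post. The destination
# addresses and the third (ordinary) record are made up for this example.
SAMPLE = """\
01/30-14:34:56.589287 255.255.255.255:80 -> 192.0.2.10:14236
TCP TTL:238 TOS:0x0 ID:35439 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x231F0001  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+
01/30-14:35:07.893039 255.255.255.255:80 -> 192.0.2.77:27089
TCP TTL:239 TOS:0x0 ID:56658 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x3B750001  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+
01/30-14:36:00.000001 198.51.100.5:443 -> 192.0.2.10:51000
TCP TTL:52 TOS:0x0 ID:1200 IpLen:20 DgmLen:40
***A**** Seq: 0x1A2B3C4D  Ack: 0x99887766  Win: 0x7FFF  TcpLen: 20
"""

RECORD = re.compile(
    r"(?P<ts>\d\d/\d\d-[\d:.]+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"TCP TTL:(?P<ttl>\d+) .*\n\s*"
    r"(?P<flags>[\w*]{8}) Seq: (?P<seq>0x[0-9A-Fa-f]+)\s+Ack: (?P<ack>0x[0-9A-Fa-f]+)"
)

def parse_alerts(text):
    """Turn each three-line TCP alert into a dict with numeric fields."""
    records = []
    for m in RECORD.finditer(text):
        rec = m.groupdict()
        for key in ("sport", "dport", "ttl"):
            rec[key] = int(rec[key])
        for key in ("seq", "ack"):
            rec[key] = int(rec[key], 16)
        records.append(rec)
    return records

def summarize_broadcast_source(records):
    """Profile packets claiming the broadcast source, for triage and filtering."""
    hits = [r for r in records if r["src"] == BROADCAST]
    return {
        "count": len(hits),
        "flags": Counter(r["flags"] for r in hits),
        "ttl_range": (min(r["ttl"] for r in hits), max(r["ttl"] for r in hits)) if hits else None,
        "ack_low16": Counter(r["ack"] & 0xFFFF for r in hits),
        "dst_ports": sorted({r["dport"] for r in hits}),
    }

if __name__ == "__main__":
    print(summarize_broadcast_source(parse_alerts(SAMPLE)))
```

A uniform flag set and a constant low half of the Ack number across all hits point to a single generator of the traffic, which is useful when comparing captures between sites.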
    


