I've been seeing the same thing. 255.255.255.255 scanning random IPs. Working to have it blocked now.

Intrusion detection analyst

>From: "Peter Triller" <ptrillerat_private>
>To: <incidentsat_private>
>Subject: Re: Packets from 255.255.255.255(80) (was: Packet from port 80
>with spoofed microsoft.com ip)
>Date: Fri, 31 Jan 2003 03:01:49 +0100
>
> >I am seeing a lot of syn/ack packets from port 80 to non-existent
> >addresses on my networks. Somebody is spoofing source addresses to
> >attack hosts, we are just innocent victims. When will ISPs learn that
> >they should filter their customers' packets to prevent spoofing? I am
> >even seeing syn/ack packets from 255.255.255.255:80!
>
>I can't see much reason in such packets, since they won't give any feedback.
>sport 80 is obviously to bypass some firewalls.
>But if he doesn't get feedback only 2 reasons pop into mind:
>- an attack similar to the worm, but the random ports don't make sense
>then
>- a very badly configured and/or broken piece of software/hardware.
>
>Peter
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
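Added example, not part of the original messages: one way to triage the traffic discussed in this thread is to separate packets whose source address can never be legitimate (such as 255.255.255.255) from unsolicited SYN/ACKs sent from port 80. The key=value log format, the sample lines and the function names are all constructed for illustration.

```python
import ipaddress
import re

# Ranges that can never be a legitimate unicast source address on the wire.
INVALID_SOURCE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",    # "this network"
    "127.0.0.0/8",  # loopback
    "224.0.0.0/4",  # multicast
    "240.0.0.0/4",  # reserved, includes the 255.255.255.255 limited broadcast
)]

# Constructed sample lines in a made-up firewall log format (assumption).
SAMPLE_LOG = """\
SRC=255.255.255.255 SPT=80 DST=192.0.2.17 DPT=1745 FLAGS=SA
SRC=198.51.100.9 SPT=80 DST=192.0.2.200 DPT=3021 FLAGS=SA
SRC=203.0.113.5 SPT=40112 DST=192.0.2.10 DPT=25 FLAGS=S
SRC=255.255.255.255 SPT=80 DST=192.0.2.93 DPT=1102 FLAGS=SA
"""

LINE_RE = re.compile(r"SRC=(\S+) SPT=(\d+) DST=(\S+) DPT=(\d+) FLAGS=(\S+)")

def classify(line):
    """Return (label, src, dst) for one log line, or None if it does not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, sport, dst, _dport, flags = m.groups()
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return None
    if any(addr in net for net in INVALID_SOURCE_NETS):
        label = "invalid-source"         # forged by definition: drop at the border
    elif flags == "SA" and sport == "80":
        label = "unsolicited-synack-80"  # compare with outbound state before judging
    else:
        label = "other"
    return label, src, dst

def summarize(log_text):
    """Count log lines per label, skipping lines that do not parse."""
    counts = {}
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            counts[result[0]] = counts.get(result[0], 0) + 1
    return counts

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
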
This archive was generated by hypermail 2b30 : Sun Feb 02 2003 - 08:29:03 PST