Fwd: Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

From: Dave Laird (dlairdat_private)
Date: Fri Jan 31 2003 - 12:57:00 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Good morning, everyone...
    
    Subject: Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)
    Date: 31 Jan 2003 12:45:29 +1300
    From: Russell Fulton <r.fultonat_private>
    To: Tomasz Papszun <tomek-incidat_private>
    Cc: incidentsat_private
    
    On Fri, 2003-01-31 at 07:03, Tomasz Papszun wrote:
    > Similarly at my networks.
    > Yesterday evening (Jan 29 21:10 GMT+1) a very noticeable stream of such
    > packets started to come into my networks.
    >
    > All are TCP, from 255.255.255.255(80), destined to various random
    > addresses (even not used) to various port numbers.
    >
    > This appearance is very noticeable. Before yesterday, single packets
    > from 255.255.255.255 were coming in rate about one for three weeks.
    > Since yesterday there have been about 1680 for 22 hours.
    
    We are also seeing these; TCP flags are RST+ACK, seq number and window
    size both zero, and varying ack and TTL.  Not all addresses in our net
    are being hit; in one /24 I checked only two addresses have been probed.
    
    While I do not claim that what I am about to suggest has any bearing on
    similar incidents taking place, yesterday and the day before I saw a huge
    number of these packets on a DSL-attached network. 
    
    Here is one sample: [pardon the line wrap]
    
    Jan 30 07:14:54 home kernel: Bad packet rejected=eth1 OUT=
    MAC=ff:ff:ff:ff:ff:ff:00:30:66:00:35:49:08:00 SRC=000.000.000.000
    DST=255.255.255.255 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=47753 PROTO=TCP
    SPT=28149 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
    
    Some things I noticed right off:
    
    1. The MAC addresses changed almost as if they were at will and even included
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff, which is really odd, since I don't
    believe it can do that. <no flames please, as I'm always learning>
    2. All the packets targeted port 80
    3. The address, for the most part (which is deleted from the sample) happens
    to be a server, and is broadcasting to the entire network, thus creating a
    substantial flood. 
    
    Someone told me this morning that this may be an unpatched XP workstation
    running MS-Access, which seemed pretty odd, too. However, then I read up on
    the MSDE and it does seem possible. Thoughts, anyone?
    
    Dave
    - -- 
    Dave Laird (Daveat_private)
    The Used Kharma Lot / The Phoenix Project 
    Web Page:   http://www.kharma.net updated 01/20/2003
    Year 2 of running Mandrake Linux workstation on a 100% Microsoft-free system.
                                               
    An automatic & random thought For the Minute:    
    Murphy's Law is recursive.  Washing your car to make it rain doesn't work.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)
    
    iD8DBQE+OuMdaE1ENZP1A28RAoRLAJ4uRr/hWC3gYo2hY1kgPxA4N4KgMgCfVJzk
    ZVc9EW7JBpNyZ+RKEAmRDr8=
    =JMli
    -----END PGP SIGNATURE-----
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
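As an added example (not part of Dave's message or of anything posted to the list), here is a small Python parser that reads netfilter kernel log lines like the one quoted above and flags the traffic the thread describes: TCP RST packets with a zero window that either come from 255.255.255.255 port 80 (what Russell and Tomasz report) or are aimed at 255.255.255.255 port 80 (what Dave's DSL-network sample shows). It assumes the standard netfilter LOG layout (a log prefix, then `IN=`/`OUT=`/`MAC=`/`SRC=`/... key=value tokens with bare TCP flag names such as `RST` and `ACK`); the three sample lines are constructed, with RFC 5737 documentation addresses standing in for the redacted ones. One thing the parser makes explicit: the `MAC=` field in these lines is 14 octets because netfilter prints the destination MAC, the source MAC and the ethertype (`08:00` for IPv4) back to back, which is why it looks longer than a single hardware address.

```python
import re
from collections import Counter

# Constructed sample lines (not from the message above), modelled on the netfilter
# LOG format of the quoted kernel line. Addresses are RFC 5737 documentation ranges.
# Line 1 mirrors Dave's sample (RST toward 255.255.255.255:80, window 0).
# Line 2 mirrors what Russell and Tomasz describe (RST+ACK from 255.255.255.255:80).
# Line 3 is an ordinary inbound SYN to a web server and must not match.
SAMPLE_LOG = """\
Jan 30 07:14:54 home kernel: Bad packet rejected: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:30:66:00:35:49:08:00 SRC=192.0.2.5 DST=255.255.255.255 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=47753 PROTO=TCP SPT=28149 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
Jan 30 07:15:02 home kernel: Bad packet rejected: IN=eth1 OUT= MAC=00:30:66:00:35:49:00:0c:29:aa:bb:cc:08:00 SRC=255.255.255.255 DST=192.0.2.17 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=80 DPT=3211 WINDOW=0 RES=0x00 ACK RST URGP=0
Jan 30 07:15:03 home kernel: Bad packet rejected: IN=eth1 OUT= MAC=00:30:66:00:35:49:00:0c:29:aa:bb:cc:08:00 SRC=198.51.100.9 DST=192.0.2.17 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=6543 PROTO=TCP SPT=51511 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
"""

TCP_FLAG_TOKENS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}
KEY_VALUE_RE = re.compile(r"(\w+)=(\S*)")


def parse_netfilter_line(line):
    """Turn one netfilter LOG line into a dict of KEY=VALUE fields.

    Bare tokens such as RST or ACK are collected under "FLAGS". The MAC= field
    is not a single address: netfilter prints destination MAC, source MAC and
    ethertype back to back (14 octets), so it is split into three fields.
    Returns None for lines that carry no IN= marker.
    """
    start = re.search(r"\bIN=", line)
    if start is None:
        return None
    body = line[start.start():]
    fields = dict(KEY_VALUE_RE.findall(body))
    fields["FLAGS"] = {tok for tok in body.split() if tok in TCP_FLAG_TOKENS}
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:
        fields["DST_MAC"] = ":".join(octets[:6])
        fields["SRC_MAC"] = ":".join(octets[6:12])
        fields["ETHERTYPE"] = "0x" + "".join(octets[12:])
    return fields


def is_broadcast_port80_rst(fields):
    """Match the pattern reported on the list: a TCP RST with a zero window that
    either comes from 255.255.255.255 port 80 (Russell's and Tomasz's reports)
    or is aimed at 255.255.255.255 port 80 (Dave's DSL-network sample)."""
    if fields is None or fields.get("PROTO") != "TCP":
        return False
    if "RST" not in fields["FLAGS"] or fields.get("WINDOW") != "0":
        return False
    from_bcast = fields.get("SRC") == "255.255.255.255" and fields.get("SPT") == "80"
    to_bcast = fields.get("DST") == "255.255.255.255" and fields.get("DPT") == "80"
    return from_bcast or to_bcast


def summarize(log_text):
    """Count matching lines and tally the destinations hit and the source MACs seen,
    which is the quickest way to tell a single chatty host from a spread of probes."""
    hits = [f for f in map(parse_netfilter_line, log_text.splitlines())
            if is_broadcast_port80_rst(f)]
    return {
        "matched": len(hits),
        "by_dst": Counter(f["DST"] for f in hits),
        "by_src_mac": Counter(f.get("SRC_MAC", "?") for f in hits),
    }


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        f = parse_netfilter_line(line)
        verdict = "match" if is_broadcast_port80_rst(f) else "ignore"
        print(f["SRC"], "->", f["DST"], sorted(f["FLAGS"]), verdict)
    print(summarize(SAMPLE_LOG))
```

Run against a real `/var/log/messages` by reading it in place of `SAMPLE_LOG`; the `by_src_mac` tally is what answers Dave's point 3, since a single local source MAC behind many changing addresses points at one misbehaving host on the segment rather than traffic arriving from the upstream side.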
    



    This archive was generated by hypermail 2b30 : Sun Feb 02 2003 - 08:31:37 PST