On Fri, 31 Jan 2003 at 3:01:49 +0100, Peter Triller wrote:
> >I am seeing a lot of syn/ack packets from port 80 to non-existent
> >addresses on my networks. Somebody is spoofing source addresses to
> >attack hosts, we are just innocent victims. When will ISPs learn that
> >they should filter their customers' packets to prevent spoofing? I am
> >even seeing syn/ack packets from 255.255.255.255:80!
>
> I can't see much reason in such packets, since they won't give any feedback.

I may be wrong - if so, please don't hesitate to correct me and explain
what happens in such situation:

Let's say that a router is configured (with ACLs) to deny packets from
255.255.255.255 (that's why I noticed them). Then it sends back an "ICMP
unreachable", doesn't it? These ICMP packets try to travel to...
255.255.255.255! Wouldn't it cause a multiplying?

I know that a router/firewall may be configured to _not_ send "ICMP
unreachables" but default is to send them. BTW, I seem to remember that
_not_ sending "ICMP unreachables" is somehow against RFC... Of course
security reasons for not sending them may be important (e.g. for hiding
some network devices) but _formally_... it's a little not good :-) .

> sport 80 is obviously to bypass some firewalls.

Probably.

> But if he doesn't get feedback only 2 reasons pop into mind:
> - an attack similar to the worm , but the random ports don't make sense then

If my sentences above make some sense, could it be a DDoS founded on a
flood of ICMP unreachables?

> - a very badly configured and/or broken piece of software/hardware.
>
> Peter

--
Tomasz Papszun  SysAdm @ TP S.A. Lodz, Poland  | And it's only
tomekat_private  http://www.lodz.tpsa.pl/      | ones and zeros.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
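The filtering the thread circles around, as an added example; this is my code, not part of either message. It models two defender-side checks over constructed packet records: ingress filtering that silently drops packets whose source is not a single unicast host or claims one of the site's own prefixes (the idea later written up as BCP 38 / RFC 2827), and the RFC 1122 section 3.2.2 rule that an ICMP error message must not be generated for a datagram whose source address does not identify a single host (zero, loopback, broadcast, multicast, class E) or for a datagram that is itself an ICMP error. A router following that rule answers a 255.255.255.255 source with nothing, which is the point in question above. It also flags SYN/ACKs from port 80 aimed at addresses the site does not use, the backscatter pattern the first poster describes. The Packet class, the RFC 5737 documentation prefixes and the sample records are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Hypothetical record type standing in for one parsed IP/TCP header.
@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: Set[str]          # TCP flag names, e.g. {"SYN", "ACK"}
    proto: str = "tcp"
    icmp_type: int = -1      # only meaningful when proto == "icmp"

# Constructed site data: RFC 5737 documentation ranges, not real networks.
LOCAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
ALLOCATED_HOSTS = {"192.0.2.10", "192.0.2.20"}   # addresses actually in use

# Constructed sample of packets arriving on the outside interface.
SAMPLE_PACKETS: List[Packet] = [
    Packet("255.255.255.255", 80, "192.0.2.77", 40231, {"SYN", "ACK"}),  # the case from the thread
    Packet("198.51.100.5", 80, "192.0.2.78", 51002, {"SYN", "ACK"}),     # SYN/ACK to an unused address
    Packet("198.51.100.5", 80, "192.0.2.10", 51003, {"SYN", "ACK"}),     # plausible reply to a real host
    Packet("192.0.2.10", 51003, "198.51.100.5", 80, {"ACK"}),           # arrives from outside claiming our address
    Packet("203.0.113.9", 0, "192.0.2.10", 0, set(), proto="icmp", icmp_type=3),  # ICMP dest unreachable
]

ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}   # unreachable, source quench, redirect, time exceeded, parameter problem
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
ZERO_NET = ipaddress.ip_network("0.0.0.0/8")


def source_is_unicast(addr: str) -> bool:
    """RFC 1122 3.2.2: a source address must identify a single host.
    Rejects 0.0.0.0/8, loopback, limited broadcast, multicast and class E."""
    ip = ipaddress.ip_address(addr)
    return not (ip in ZERO_NET or ip.is_loopback or ip.is_multicast
                or ip.is_reserved or ip == LIMITED_BROADCAST)


def icmp_error_permitted(pkt: Packet) -> bool:
    """May a router answer this packet with an ICMP error at all?
    RFC 1122 forbids it for non-unicast sources, for ICMP error messages,
    and for datagrams sent to a broadcast or multicast destination."""
    if not source_is_unicast(pkt.src):
        return False
    if pkt.proto == "icmp" and pkt.icmp_type in ICMP_ERROR_TYPES:
        return False
    dst = ipaddress.ip_address(pkt.dst)
    if dst.is_multicast or dst == LIMITED_BROADCAST:
        return False
    return True


def classify_inbound(pkt: Packet, local_prefixes, allocated_hosts) -> str:
    """Ingress verdict for a packet arriving from the outside interface."""
    src = ipaddress.ip_address(pkt.src)
    if not source_is_unicast(pkt.src):
        return "drop-silently:non-unicast-source"       # no ICMP reply, so nothing to amplify
    if any(src in net for net in local_prefixes):
        return "drop-silently:spoofed-local-source"     # outsiders never legitimately use our prefix
    if pkt.proto == "tcp" and pkt.flags == {"SYN", "ACK"} and pkt.dst not in allocated_hosts:
        return "alert:unsolicited-synack-to-unused-address"   # backscatter from a spoofed SYN flood
    return "accept"


def summarize(packets: Iterable[Packet]) -> Dict[str, int]:
    """Count verdicts over a capture, the figure a sysadmin would report."""
    counts: Dict[str, int] = {}
    for pkt in packets:
        verdict = classify_inbound(pkt, LOCAL_PREFIXES, ALLOCATED_HOSTS)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  "
              f"{classify_inbound(pkt, LOCAL_PREFIXES, ALLOCATED_HOSTS)}  "
              f"icmp-error-allowed={icmp_error_permitted(pkt)}")
    print(summarize(SAMPLE_PACKETS))
```

The two silent-drop verdicts are deliberately not distinguished from each other at the wire: both are discarded without an ICMP reply, so an address that cannot be reached (or does not belong to anyone) never becomes the destination of a reply storm. The alert verdict is where the thread's observation lands: a SYN/ACK to an address that was never allocated cannot be a reply to anything the site sent.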
This archive was generated by hypermail 2b30 : Sun Feb 02 2003 - 08:44:17 PST