Re: Packets from 255.255.255.255(80)

From: Guy Reisenauer (greisenat_private)
Date: Sun Feb 02 2003 - 12:27:04 PST

    I saw these packets as well, 814 of them over a 24-hour period starting
    on the 29th.  The inbound ACL on the Cisco stopped them.
    
    Jan 30 11:27:36 cahe-prosser 4951: 1w6d: %SEC-6-IPACCESSLOGP: list 165
    denied tcp 255.255.255.255(80) -> aaa.www.xxx.yyy(27127), 1 packet
    
    You are right that they do not make sense. They hit the entire range of
    IPs in a fairly random order and random ports.  The old smurf style
    attacks used to take this form but targeted specific ports such as 19.
    
    Guy
    
    On Fri, 31 Jan 2003, Peter Triller wrote:
    
    > > I am seeing a lot of syn/ack packets from port 80 to non-existent
    > > addresses on my networks.  Somebody is spoofing source addresses to
    > > attack hosts, we are just innocent victims.  When will ISPs learn that
    > > they should filter their customers' packets to prevent spoofing?  I am
    > > even seeing syn/ack packets from 255.255.255.255:80!
    >
    > I can't see much reason in such packets, since they won't give any feedback.
    > sport 80 is obviously to bypass some firewalls.
    > But if he doesn't get feedback only 2 reasons pop into mind:
    > - an attack similar to the worm, but the random ports don't make sense then
    > - a very badly configured and/or broken piece of software/hardware.
    >
    >
    >
    > Peter
    >
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    
    
    



    This archive was generated by hypermail 2b30 : Mon Feb 03 2003 - 07:46:07 PST
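
One way to pull the pattern reported above out of router syslog, as an added example that is not part of the original thread: it parses `%SEC-6-IPACCESSLOGP` lines in the format quoted in the message and tallies denied packets whose source address can never be valid, together with the spread of destination hosts and ports. The sample lines, hostname and destination addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Cisco IOS ACL log message in the format shown in the post (one syslog line).
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")

# Ranges that are never a valid unicast source on an Internet-facing interface.
INVALID_SOURCES = {
    "this-network": ipaddress.ip_network("0.0.0.0/8"),
    "loopback": ipaddress.ip_network("127.0.0.0/8"),
    "multicast": ipaddress.ip_network("224.0.0.0/4"),
    "reserved-or-broadcast": ipaddress.ip_network("240.0.0.0/4"),  # 255.255.255.255
}

def invalid_source_reason(addr):
    """Name of the invalid range containing addr, or None if it is plausible."""
    ip = ipaddress.ip_address(addr)
    return next((n for n, net in INVALID_SOURCES.items() if ip in net), None)

def summarize(lines):
    """Tally denied packets per impossible (source, source port) pair."""
    stats = defaultdict(lambda: {"packets": 0, "dsts": set(), "dports": set()})
    for line in lines:
        m = ACL_RE.search(line)
        reason = invalid_source_reason(m["src"]) if m else None
        if reason is None or m["action"] != "denied":
            continue  # unparsed line, permitted traffic, or plausible source
        s = stats[(m["src"], int(m["sport"]))]
        s["reason"] = reason
        s["packets"] += int(m["count"])
        s["dsts"].add(m["dst"])
        s["dports"].add(int(m["dport"]))
    return dict(stats)

# Constructed sample lines (documentation addresses, made-up hostname).
PFX = "Jan 30 11:27:36 edge-rtr 4951: 1w6d: %SEC-6-IPACCESSLOGP: list 165 denied tcp "
SAMPLE = [
    PFX + "255.255.255.255(80) -> 192.0.2.17(27127), 1 packet",
    PFX + "255.255.255.255(80) -> 192.0.2.203(4410), 2 packets",
    PFX + "198.51.100.9(4312) -> 192.0.2.17(445), 1 packet",
    PFX + "255.255.255.255(80) -> 192.0.2.88(61002), 1 packet",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A single source and source port paired with many distinct destination hosts and ports is the shape described in the thread; lines with redacted addresses such as the one quoted in the message will not match the pattern and are skipped.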