Security Basics mailing list archives

RE: Tons of Source port 80 to random Dest Port Traffic


From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 22 May 2006 10:15:30 -0700

  I see that all the time, mostly SYN-ACK packets (i.e., looks
like a response from a server to a machine on my network, except
where's the SYN from my net?).

Possibility 1:

  Remote servers are under SYN-flood attack using spoofed source
addresses.  Since your address was spoofed, you get the attacked 
server's response attempt(s).

Possibility 2:

  I have occasionally seen IE appear to get fooled by this, and
enter into a TCP session that it didn't really initiate.  This
might be an attack vector against other IE bugs.

David Gillett

 

-----Original Message-----
From: thayden () gmail com [mailto:thayden () gmail com] On Behalf 
Of Tom Hayden
Sent: Thursday, May 18, 2006 8:03 AM
To: security-basics () securityfocus com
Subject: Tons of Source port 80 to random Dest Port Traffic

Attached is a quick short summary of traffic my server ( 
xx.xx.xx.xx ) has been bombarded with lately.  It's a short 
dump from tethereal.  I can't seem to figure it out - just 
tons and tons of traffic coming from a source port of 80 to 
seemingly random dest. ports.  Can someone help me identify this?

Thanks!

--
Tom
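
Added example, not part of the original thread: a Python sketch of the check implied by "Possibility 1" above, flagging inbound SYN-ACKs for which the local host never sent a SYN. The packet tuples, the addresses (documentation ranges), the 30-second window and the function names are all constructed for illustration; real input would come from parsed capture output.

```python
from collections import Counter

LOCAL_HOST = "192.0.2.10"  # constructed address standing in for the server

# Constructed sample: (time, src, sport, dst, dport, tcp_flags)
SAMPLE_PACKETS = [
    (0.00, "192.0.2.10", 40001, "198.51.100.5", 80, "S"),
    (0.05, "198.51.100.5", 80, "192.0.2.10", 40001, "SA"),  # answers our SYN
    (1.00, "203.0.113.7", 80, "192.0.2.10", 1234, "SA"),    # no SYN from us
    (1.10, "203.0.113.7", 80, "192.0.2.10", 5678, "SA"),
    (4.00, "203.0.113.7", 80, "192.0.2.10", 1234, "SA"),    # server retransmit
    (5.00, "203.0.113.9", 80, "192.0.2.10", 2222, "SA"),
    (6.00, "198.51.100.5", 80, "192.0.2.10", 40001, "A"),   # not a SYN-ACK
]

def unsolicited_synacks(packets, local=LOCAL_HOST, window=30.0):
    """Return inbound SYN-ACKs with no matching outbound SYN within `window` s."""
    pending = {}  # (local_port, remote_ip, remote_port) -> time the SYN left
    orphans = []
    for ts, src, sport, dst, dport, flags in sorted(packets):
        if src == local and flags == "S":
            pending[(sport, dst, dport)] = ts
        elif dst == local and flags == "SA":
            sent = pending.get((dport, src, sport))
            if sent is None or ts - sent > window:
                orphans.append((ts, src, sport, dport))
    return orphans

def summarize(orphans):
    """Per remote server: (orphan SYN-ACK count, distinct local ports hit)."""
    counts = Counter(src for _, src, _, _ in orphans)
    ports = {}
    for _, src, _, dport in orphans:
        ports.setdefault(src, set()).add(dport)
    return {src: (n, len(ports[src])) for src, n in counts.items()}

if __name__ == "__main__":
    report = summarize(unsolicited_synacks(SAMPLE_PACKETS))
    for src, (n, nports) in report.items():
        print(f"{src}: {n} unsolicited SYN-ACKs to {nports} local ports")
```

A match only shows that the SYN-ACK was not solicited by the local host; it does not by itself tell the two possibilities in the reply apart.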
