Firewall Wizards mailing list archives

Re: sinister packets ???


From: "Ryan Russell" <Ryan.Russell () sybase com>
Date: Mon, 29 Nov 1999 15:49:48 -0800




I noticed anomalies in traffic destined for our web site. I've
culled the traffic directed to/from port 80 and this is what
remains.

16:51:49.213944 194.222.69.5.30974 > 209.47.237.52.28: SRP
2029912092:2029912092(0) ack 2029912092 win 28 urg 28
<opt-120:001c78fe001c4141454d2b7179530d0a434c4b784361434d66765954426961754b435962466a4e360000000000000000002000000000686f73742031393
42e3232322e36392e35000000000000000000007800000000002800000000000c0015000400000800002000000000001a00150800c2de4505002000000000001e0
0150607c2de450500150100000008060015000500008035002000000000001c00150200c2de4505002000000000002600150001c2de45050006000000000060000
60000
0000000000002010000c7d1831363a35313a33382e353632383331203139342e3232322e36392e352e32313533203e203230392e34372e323337> (DF)

FYI, I've had similar in the past.  They coincided with a set of severe
performance problems with my Firewall-1 firewall, which I was able to tune
away with some memory settings.

They stuck out in my mind because they were coming from obviously illegal
source addresses (which I don't see in your sample) and because they started
out all going to port 80.  Also, there was nonsense URG data, like here.

I couldn't determine any reason for the traffic.  It went on for days after
the DoS was unsuccessful.  I would tend to think it was some sort of
misconfig, or misbehaving piece of equipment.


The paranoid in me says that it was traffic to mask some sort of real attempt.

                                   Ryan
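The packet quoted above is recognisable as forged without looking at the payload: SYN and RST are set together, the ACK number equals the sequence number, and the URG pointer (28) points past a zero-byte payload. The script below is an added example, not code from either poster or from the Firewall Wizards list; it parses tcpdump summary lines in the format shown on the page and flags exactly those properties, plus the "obviously illegal source address" heuristic Ryan mentions (any non-globally-routable source). The benign and bogon-source lines in SAMPLE_TRACE are constructed for the example; only the first line is taken from the post.

```python
import ipaddress
import re

# Summary line as printed by the 1999-era tcpdump in the post (no -v).
# Everything after the flag letters is optional, so a bare "S" line or a
# "." (no flags) line still parses.
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRP.]+)"
    r"(?:\s+(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?"
    r"(?:\s+win\s+(?P<win>\d+))?"
    r"(?:\s+urg\s+(?P<urg>\d+))?"
)

# First line: the packet from the post (TCP options trimmed).
# Remaining lines: constructed for this example, not from the thread.
SAMPLE_TRACE = """\
16:51:49.213944 194.222.69.5.30974 > 209.47.237.52.28: SRP 2029912092:2029912092(0) ack 2029912092 win 28 urg 28 (DF)
16:52:01.000000 194.222.69.5.1033 > 209.47.237.52.80: S 100:100(0) win 8192 (DF)
16:52:02.000000 10.1.2.3.4444 > 209.47.237.52.80: R 0:0(0) win 0
"""


def parse(line):
    """Parse one tcpdump TCP summary line into a dict, or None if it is not one."""
    m = TCPDUMP_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "flags": set(d["flags"]) - {"."},        # "." means no S/F/R/P bits
        "seq": int(d["seq"]) if d["seq"] else None,
        "len": int(d["len"]) if d["len"] else 0,  # payload bytes in parentheses
        "ack": int(d["ack"]) if d["ack"] else None,  # present only if ACK bit set
        "win": int(d["win"]) if d["win"] else None,
        "urg": int(d["urg"]) if d["urg"] else None,  # present only if URG bit set
    }


def anomalies(pkt):
    """Return the list of reasons a parsed packet looks forged or malformed."""
    reasons = []
    f = pkt["flags"]
    # No real TCP stack emits these flag combinations.
    if "S" in f and "R" in f:
        reasons.append("SYN+RST")
    if "S" in f and "F" in f:
        reasons.append("SYN+FIN")
    if not f and pkt["ack"] is None:
        reasons.append("no flags")
    # URG pointer is an offset into the payload; beyond it is nonsense.
    if pkt["urg"] is not None and pkt["urg"] > pkt["len"]:
        reasons.append("URG pointer beyond payload")
    # ack == seq is a classic sign of a packet-generator filling both from one value.
    if pkt["ack"] is not None and pkt["seq"] is not None and pkt["ack"] == pkt["seq"]:
        reasons.append("ack == seq")
    # "Obviously illegal source": anything not globally routable (RFC 1918,
    # loopback, link-local, reserved, TEST-NETs, multicast).
    src = ipaddress.IPv4Address(pkt["src"])
    if src.is_multicast or not src.is_global:
        reasons.append("bogon source")
    return reasons


def scan(text):
    """Run anomalies() over every parseable line; return (ts, src, dport, reasons)."""
    hits = []
    for line in text.splitlines():
        pkt = parse(line)
        if pkt is None:
            continue
        reasons = anomalies(pkt)
        if reasons:
            hits.append((pkt["ts"], pkt["src"], pkt["dport"], reasons))
    return hits


if __name__ == "__main__":
    for ts, src, dport, reasons in scan(SAMPLE_TRACE):
        print(f"{ts} {src} -> port {dport}: {', '.join(reasons)}")
```

Feeding a day's worth of `tcpdump -n tcp` output through `scan()` separates packets no host could have sent (flag combinations, ack == seq, URG past the payload) from merely odd but legal traffic such as the DF-flagged SYN, which is the distinction Ryan is drawing between a broken box and a deliberate probe. The bogon check will also fire on legitimate internal traffic if the capture point sees private addresses, so run it on the Internet-facing interface only.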

