Full Disclosure mailing list archives

dDoS tool


From: "Daniel F. Chief Security Engineer -" <danielf () supportteam net>
Date: Fri, 24 Jan 2003 12:06:25 -0600

Has anyone seen a dDoS tool that spoofs packets with the following sig?

17:31:00.586927 146.201.0.0.1525 > x.x.x.x.53: S 863830016:863830016(0) win 16384
17:31:00.587631 159.16.0.0.1881 > x.x.x.x.53: S 1406468096:1406468096(0) win 16384
17:31:00.588101 146.202.0.0.1487 > x.x.x.x.53: S 1303183360:1303183360(0) win 16384
17:31:00.588453 153.52.0.0.1713 > x.x.x.x.53: S 584646656:584646656(0) win 16384
17:31:00.588687 125.80.0.0.1719 > x.x.x.x.53: S 1109524480:1109524480(0) win 16384
17:31:00.588806 19.84.0.0.1098 > x.x.x.x.53: S 984547328:984547328(0) win 16384
17:31:00.589039 184.36.0.0.1410 > x.x.x.x.53: S 537985024:537985024(0) win 16384
17:31:00.589157 158.247.0.0.1446 > x.x.x.x.53: S 1401094144:1401094144(0) win 16384

All the IPs that were attacking us ended in 0.0, and we all know those IPs 
should not be sending packets to the internet to begin with. We were seeing 
this for every IP 0.0.0.0 - 255.255.0.0 coming inbound. 

Thanks for any help.

-- 
Daniel Fairchild - Chief Security Engineer | danielf () supportteam net
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
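
Added example, not part of the original post: a short Python filter for the pattern in the capture above. Besides the source addresses ending in 0.0, every initial sequence number shown is also a multiple of 65536, so the script flags SYNs whose source address and sequence number both have their low 16 bits clear. The function names and the two contrast lines in the sample are constructed for illustration.

```python
import re
from ipaddress import IPv4Address

# Old-style tcpdump SYN line: time src.port > dst.port: S seq:seq(0) win N
SYN_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\S+)\.(\d+): "
    r"S (\d+):\d+\(0\) win (\d+)"
)

def parse_syn(line):
    """Return a dict for a SYN line, or None if the line does not match."""
    m = SYN_RE.match(" ".join(line.split()))  # tolerate mail-wrapped lines
    if not m:
        return None
    ts, src, sport, dst, dport, seq, win = m.groups()
    return {"ts": ts, "src": IPv4Address(src), "sport": int(sport),
            "dst": dst, "dport": int(dport), "seq": int(seq), "win": int(win)}

def traits(pkt):
    """Header oddities seen in the capture; each alone can occur by chance."""
    found = set()
    if int(pkt["src"]) & 0xFFFF == 0:
        found.add("src_low16_zero")   # source address ends in .0.0
    if pkt["seq"] & 0xFFFF == 0:
        found.add("seq_low16_zero")   # ISN is a multiple of 65536
    return found

def summarize(lines):
    """Count SYNs carrying both traits and the distinct /16 sources among them."""
    pkts = [p for p in map(parse_syn, lines) if p]
    hits = [p for p in pkts if len(traits(p)) == 2]
    return {"syns": len(pkts), "flagged": len(hits),
            "prefixes": len({int(p["src"]) >> 16 for p in hits}),
            "ports": sorted({p["dport"] for p in hits})}

SAMPLE = [
    # First four lines: taken from the capture in the post (wrapping removed)
    "17:31:00.586927 146.201.0.0.1525 > x.x.x.x.53: S 863830016:863830016(0) win 16384",
    "17:31:00.587631 159.16.0.0.1881 > x.x.x.x.53: S 1406468096:1406468096(0) win 16384",
    "17:31:00.588101 146.202.0.0.1487 > x.x.x.x.53: S 1303183360:1303183360(0) win 16384",
    "17:31:00.588453 153.52.0.0.1713 > x.x.x.x.53: S 584646656:584646656(0) win 16384",
    # Constructed contrast lines: no trait, and one trait only (not flagged)
    "17:31:00.590001 192.0.2.10.40000 > x.x.x.x.53: S 123456789:123456789(0) win 5840",
    "17:31:00.590002 198.51.100.7.40001 > x.x.x.x.53: S 196608:196608(0) win 5840",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Requiring both traits keeps the filter from firing on a legitimate client whose sequence number happens to land on a 65536 boundary.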

