Security Incidents mailing list archives
Re: Munged Napster Sessions
From: simond () IRRELEVANT ORG (simond () IRRELEVANT ORG)
Date: Fri, 17 Mar 2000 14:21:56 +0000
On Fri, Mar 17, 2000 at 05:19:22AM +0700, Vanja Hrustic wrote:
> "Stephen P. Berry" wrote:
> > Notably, the traffic of interest includes various bogus TCP flag combinations (everything from SYN-FIN packets to full Xmas packets), bogus TCP flags, and tiny fragments. In the absence of the established napster session, the anomalous traffic would look powerfully like some sort of TCP fingerprinting attempt to me.
>
> A silly question: are any of the sites involved located at *.demon.co.uk, by any chance? I think that quite a few people these days are seeing false alarms caused by traffic which comes from demon. Demon blames it on "network equipment". For example, a guy (using demon.co.uk) is browsing my website, and during that session, a packet is sent to a random high port (like 3xxxx). Packets are really strange; sometimes they have all bits set, sometimes not. I just got used to that :)

As far as I know they fixed that last year; it was due to some problem with their Ascend GRFs. I may be wrong though :)

--
Simon Dick simond () irrelevant org