Security Incidents mailing list archives
Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)
From: Hugo van der Kooij <hvdkooij () vanderkooij org>
Date: Sun, 2 Feb 2003 18:33:12 +0100 (CET)
On Fri, 31 Jan 2003, Tomasz Papszun wrote:
On Fri, 31 Jan 2003 at 3:01:49 +0100, Peter Triller wrote:I am seeing a lot of sync/ack packets from port 80 to non-existent addresses on my networks. Somebody is spoofing source addresses to attack hosts, we are just innocent victims. When will ISPs learn that>they should filter their customer's packets to prevent spoofing? I ameven seeing syn/ack packets from 255.255.255.255:80!I cant see much reason in such packets, since they wont give any feedback.I may be wrong - if so, please don't hesitate to correct me and explain what happens in such situation: Let's say that a router is configured (with ACLs) to deny packets from 255.255.255.255 (that's why I noticed them). Then it sends back an "ICMP unreachable", doesn't it? These ICMP packets try to travel to... 255.255.255.255! Would'n it cause a multiplying? I know that a router/firewall may be configured to _not_ send "ICMP unreachables" but default is to send them.
The default behaviour for filtering must be to DROP the packets. This is standard in all known firewalls and should be considered common knowledge. Some call this stealth mode. Hugo. -- All email sent to me is bound to the rules described on my homepage. hvdkooij () vanderkooij org http://hvdkooij.xs4all.nl/ Don't meddle in the affairs of sysadmins, for they are subtle and quick to anger. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- RE: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) David Gillett (Feb 02)
- <Possible follow-ups>
- RE: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) Joel Tyson (Feb 03)
- Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) Valdis . Kletnieks (Feb 05)
- Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) Hugo van der Kooij (Feb 05)
- Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) Frederic Harster (Feb 05)
- Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) Christian Vogel (Feb 05)
- Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) Meritt James (Feb 05)
- RE: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) James Kelly (Feb 05)
- Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) Frederic Harster (Feb 05)