Security Incidents mailing list archives
Re: Packet from port 80 with spoofed microsoft.com ip
From: H C <keydet89 () yahoo com>
Date: Wed, 29 Jan 2003 12:01:42 -0800 (PST)
How does an ACK packet constitute an "attack"?

Did you run netstat on your system to view the states of connections on that system?

How did you determine that the packet had been spoofed?

--- Michael Rowe <mrowe () mojain com> wrote:
> Hi,
>
> I received a packet on my cable modem today, allegedly from microsoft.com:
>
> 18:41:35.663374 207.46.249.190.80 > my.cable.modem.ip.1681: S866282571:866282571(0) ack 268566529 win 16384 <mss 1460>
>
> $ host 207.46.249.190
> Name: www.domestic.microsoft.com
> Address: 207.46.249.190
> Aliases: microsoft.com microsoft.net www.us.microsoft.com
>
> No one was home at this time, and no computer running windows was active, so I'm pretty sure this was not legit traffic (unless it was a *very* delayed ack from a microsoft server, like > 6 hours). I guess this is conceivable, given their current, er, issues :).
>
> Is this some sort of known "attack"? Or just random weirdness?
>
> Cheers,
>
> --
> Michael Rowe <mrowe () mojain com>
> IM - mrowe () jabber org
> Prof - ACM, IEEE, Computer Soc.
> Web - http://www.mojain.com/
> Vice - Barley malt, brewed or distilled (hold the ice)
> Key - http://mojain.com/keys/mrowe.asc
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com