Security Incidents mailing list archives
Strange packets from Verisign Sitefinder
From: Ralf G <gue () alphatel de>
Date: 2 Oct 2003 11:53:49 -0000
Hi list

I am seeing strange packets coming from Verisign's sitefinder in my firewall logs. It appears that they are SYN-ACK packets sent to unused addresses in our registered address space. My theory is that someone else has spoofed the source addresses in an initial http connection to Sitefinder, but the reply packets are then routed to the rightful owner of these addresses (us).

Here is a sample package dump:

13:41:55.458798 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.193.56.1959: S 246336671:246336671(0) ack 1099366401 win 16384 (ttl 87, id 256)
13:41:55.941884 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.194.115.1178: S 154406256:154406256(0) ack 530055169 win 16384 (ttl 87, id 256)
13:41:56.081523 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.193.88.1709: S 17910271:17910271(0) ack 755564545 win 16384 (ttl 87, id 256)
13:41:56.814659 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.194.147.1696: S 72446775:72446775(0) ack 186253313 win 16384 (ttl 87, id 256)
13:41:57.324028 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.195.206.1915: S 327185891:327185891(0) ack 1764425729 win 16384 (ttl 87, id 256)

These packets arrive here in vast numbers. Does anyone have any ideas what else could cause this and what I could do about it? So far, I don't see that I can do much about it.

Any ideas appreciated

Ralf G.
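One way to quantify the traffic described in the post, as an added example that is not part of the original message: it parses the tcpdump lines quoted above and groups SYN-ACKs that answer no outbound SYN by sending host. The function name and the `outbound_syns` input (connections the site really opened, e.g. from firewall state) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# The five packet lines quoted in the post (tcpdump -e output).
SAMPLE = """\
13:41:55.458798 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.193.56.1959: S 246336671:246336671(0) ack 1099366401 win 16384 (ttl 87, id 256)
13:41:55.941884 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.194.115.1178: S 154406256:154406256(0) ack 530055169 win 16384 (ttl 87, id 256)
13:41:56.081523 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.193.88.1709: S 17910271:17910271(0) ack 755564545 win 16384 (ttl 87, id 256)
13:41:56.814659 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.194.147.1696: S 72446775:72446775(0) ack 186253313 win 16384 (ttl 87, id 256)
13:41:57.324028 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.195.206.1915: S 327185891:327185891(0) ack 1764425729 win 16384 (ttl 87, id 256)
"""

# Old-style tcpdump line: flag "S" followed by "ack N" means SYN and ACK are set.
LINE = re.compile(
    r"^\S+ \S+ \S+ ip \d+: (?P<src>\S+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<flags>\S+) "
    r"\d+:\d+\(\d+\)(?P<ack> ack \d+)? win \d+ \(ttl (?P<ttl>\d+), id (?P<ipid>\d+)\)"
)

def summarize_unsolicited_synacks(text, outbound_syns=frozenset()):
    """Group SYN-ACKs that answer no SYN of ours, keyed by sending host.

    outbound_syns holds (local_ip, local_port, remote_host, remote_port)
    tuples for connections we opened (hypothetical input).
    """
    report = defaultdict(lambda: {"packets": 0, "dsts": set(),
                                  "ttls": set(), "ip_ids": set()})
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m or "S" not in m["flags"] or not m["ack"]:
            continue  # not a parseable SYN-ACK
        flow = (m["dst"], int(m["dport"]), m["src"], m["sport"])
        if flow in outbound_syns:
            continue  # legitimate reply to a connection we initiated
        entry = report[m["src"]]
        entry["packets"] += 1
        entry["dsts"].add(m["dst"])
        entry["ttls"].add(int(m["ttl"]))
        entry["ip_ids"].add(int(m["ipid"]))
    return dict(report)

if __name__ == "__main__":
    for src, e in summarize_unsolicited_synacks(SAMPLE).items():
        print(src, e["packets"], "SYN-ACKs to", len(e["dsts"]), "addresses,",
              "ttl", sorted(e["ttls"]), "ip id", sorted(e["ip_ids"]))
```

On the quoted sample this reports five SYN-ACKs to five different local addresses, all with the same TTL and IP id.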
Current thread:
- Strange packets from Verisign Sitefinder Ralf G (Oct 02)
- Re: Strange packets from Verisign Sitefinder Raistlin (Oct 03)
- <Possible follow-ups>
- Re: Strange packets from Verisign Sitefinder Ralf G (Oct 06)
- Re: Strange packets from Verisign Sitefinder Valdis . Kletnieks (Oct 06)