Security Incidents mailing list archives
Chinese HTTP ACKs
From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 9 Feb 2005 10:08:20 -0800
I'm seeing a handful of addresses in the 61.143.210.0/23 space periodically send 2-3 ACKs from port 80 to semi-random addresses within our Class B space. The TCP checksum on these packets is incorrect. Note that these are ACK and not SYN-ACK, although no such session appears to be underway. Between that and the checksum error, I believe that these are NOT responses to spoofed SYNs, but are something else crafted on the Chinese hosts themselves.

I describe the destination as "semi-random" in that the examples I've captured have been directed at in-use addresses within thinly-used portions of our address space. A less random target selection would be expected to be hitting our main server ranges; a more random selection would be expected to hit some unused addresses. So I *suspect* that some kind of discovery process may have been used.

(In at least one case, the target lies within a sub-block that is not supposed to exchange TCP packets with the Internet. Unfortunately, it's relying on a Cisco ACL "established" line for this, and of course these naked ACKs sail right on past.... Again, a reason to believe that these ACKs are not part of some legitimate session already in progress.)

Anybody else seeing similar?

David Gillett
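The two observations in the post (a bad TCP checksum, and an ACK with no SYN that matches no known connection, which is exactly what an ACL "established" match cannot distinguish) can be checked mechanically. The following is an added example, not code from the original post: it recomputes the TCP checksum over the IPv4 pseudo-header and flags ACK-only segments that match no entry in a connection table. The addresses other than the 61.143.210.0/23 source block, the session table and the sample segments are constructed for the demonstration.

```python
import struct
from ipaddress import ip_address

ACK, SYN = 0x10, 0x02

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """TCP checksum over IPv4 pseudo-header + segment (checksum field must be zeroed)."""
    pseudo = ip_address(src).packed + ip_address(dst).packed + struct.pack("!BBH", 0, 6, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF

def build_segment(src, dst, sport, dport, flags, corrupt=False):
    """Construct a 20-byte TCP header without payload; optionally flip one checksum bit."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, 0x1000, 0x2000, (5 << 12) | flags, 8192, 0, 0)
    csum = tcp_checksum(src, dst, hdr)
    if corrupt:
        csum ^= 0x0001  # simulate the broken checksum seen in the captures
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]

def classify(src, dst, segment, sessions):
    """Return reasons a segment looks like a crafted naked ACK; empty list means it looks normal."""
    sport, dport, _, _, off_flags, _, csum, _ = struct.unpack("!HHIIHHHH", segment[:20])
    flags = off_flags & 0x01FF
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    reasons = []
    if tcp_checksum(src, dst, zeroed) != csum:
        reasons.append("bad-tcp-checksum")
    if flags & ACK and not flags & SYN and (src, sport, dst, dport) not in sessions:
        # an ACL "established" line only tests the ACK/RST bits, so this is what it lets through
        reasons.append("ack-without-session")
    return reasons

# Constructed samples: the first mirrors the report (ACK-only from port 80, bad checksum, no
# session); the second is an ordinary ACK that belongs to a connection in the tracking table.
SESSIONS = {("198.51.100.9", 80, "192.0.2.20", 40000)}
SAMPLES = [
    ("61.143.210.5", "192.0.2.77", build_segment("61.143.210.5", "192.0.2.77", 80, 3456, ACK, corrupt=True)),
    ("198.51.100.9", "192.0.2.20", build_segment("198.51.100.9", "192.0.2.20", 80, 40000, ACK)),
]

def scan(samples=SAMPLES, sessions=SESSIONS):
    return [classify(src, dst, seg, sessions) for src, dst, seg in samples]
```

Fed with real captures, the session table would come from a stateful firewall or a flow record store rather than a literal set; a stateful inspection device drops the first sample where a plain "established" ACL does not.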