Snort mailing list archives
Re: not your typical : BAD-TRAFFIC tcp port 0 traffic portscanning?
From: "CS Lee" <geek00l () gmail com>
Date: Sat, 26 May 2007 10:48:45 +0800
Hello Scheidell,

This already tells - flags=***A*R** :)

On 5/26/07, Richard Bejtlich <taosecurity () gmail com> wrote:
> Michael Scheidell wrote:
> > Any idea what they are doing? Trying to portscan? Looking for some
> > vulnerability with 'dest port' 0?
> >
> > 05/25-09:22:49 TCP 121.35.241.129:8000 --> xxx.xxx.xxx.xxx :0
> > [1:524:8] BAD-TRAFFIC tcp port 0 traffic
> > [Classification: Misc activity] [Priority: 3]
> >
> > #(2 - 738314) [2007-05-25 07:43:37] [snort/524] BAD-TRAFFIC tcp port 0
> > traffic IPv4: 121.35.241.129 -> xxx.xxx.xxx.xxx
> > hlen=5 TOS=0 dlen=40 ID=51608 flags=0 offset=0 TTL=238 chksum=35950
> > TCP: port=80 -> dport: 0 flags=***A*R** seq=0
> > ack=759384068 off=5 res=0 win=0 urp=0 chksum=50032
> > Payload: none
>
> Michael,
>
> It's "backscatter." An unknown third party is spoofing xxx.xxx.xxx.xxx
> and SYN flooding port 80 TCP on 121.35.241.129. 121.35.241.129 is the
> real victim.
>
> 2000 paper: http://www.taosecurity.com/nid_3pe_v101.pdf
> 1999 paper: http://www.taosecurity.com/intv2-8.html
>
> There's nothing to worry about.
>
> Sincerely,
>
> Richard
-- Best Regards, CS Lee<geekooL[at]gmail.com>
------------------------------------------------------------------------- This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
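A defender-side triage of the alert format quoted in this thread, as an added example that is not part of the thread and not Snort's own code: it parses records in the "full" alert layout Michael posted, reads the eight-column flag string, and treats SYN/ACK or RST/ACK segments (answers to SYNs this site never sent) as backscatter, counting the claimed source as the likely real victim rather than as a scanner. The first sample record is the one from the thread; the other two records, the source 203.0.113.9 and the field regex are constructed assumptions.

```python
import re
from collections import Counter

# Constructed input: record 1 is the one quoted in the thread (joined onto one
# line); records 2 and 3 are made up to show a SYN/ACK reply and a real probe.
SAMPLE_ALERTS = """\
#(2 - 738314) [2007-05-25 07:43:37] [snort/524] BAD-TRAFFIC tcp port 0 traffic IPv4: 121.35.241.129 -> xxx.xxx.xxx.xxx hlen=5 TOS=0 dlen=40 ID=51608 flags=0 offset=0 TTL=238 chksum=35950 TCP: port=80 -> dport: 0 flags=***A*R** seq=0 ack=759384068 off=5 res=0 win=0 urp=0 chksum=50032 Payload: none
#(2 - 738315) [2007-05-25 07:43:38] [snort/524] BAD-TRAFFIC tcp port 0 traffic IPv4: 121.35.241.129 -> xxx.xxx.xxx.xxx hlen=5 TOS=0 dlen=44 ID=51609 flags=0 offset=0 TTL=238 chksum=35951 TCP: port=80 -> dport: 0 flags=***A**S* seq=881203 ack=759384069 off=6 res=0 win=5840 urp=0 chksum=50033 Payload: none
#(2 - 738316) [2007-05-25 07:44:02] [snort/524] BAD-TRAFFIC tcp port 0 traffic IPv4: 203.0.113.9 -> xxx.xxx.xxx.xxx hlen=5 TOS=0 dlen=40 ID=1 flags=0 offset=0 TTL=52 chksum=1 TCP: port=40123 -> dport: 0 flags=******S* seq=1 ack=0 off=5 res=0 win=1024 urp=0 chksum=2 Payload: none
"""

# Layout of the Snort "full" alert record as quoted in the thread (assumed regex).
ALERT_RE = re.compile(
    r"IPv4: (?P<src>[\d.]+) -> (?P<dst>\S+) .*?TCP: port=(?P<sport>\d+) -> "
    r"dport: (?P<dport>\d+) flags=(?P<flags>[*12UAPRSF]{8}) seq=(?P<seq>\d+) "
    r"ack=(?P<ack>\d+) off=\d+ res=\d+ win=(?P<win>\d+)"
)

def parse_alert(line):
    """Return the TCP/IP fields of one alert record as a dict, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "seq", "ack", "win"):
        rec[key] = int(rec[key])
    # Snort prints the flags as eight fixed columns: 1 2 U A P R S F.
    rec["set"] = {c for c in rec["flags"] if c != "*"}
    return rec

def classify(rec):
    """A SYN/ACK or RST/ACK answers a SYN; if nobody here sent one, it is
    backscatter from a spoofed flood against the claimed source (heuristic)."""
    flags = rec["set"]
    if "A" in flags and ("R" in flags or "S" in flags):
        return "backscatter"
    if flags == {"S"}:
        return "probe"  # a bare SYN really is aimed at us
    return "other"

def triage(text):
    """Count verdicts, and backscatter per claimed source (the likely real victim)."""
    verdicts, victims = Counter(), Counter()
    for rec in filter(None, map(parse_alert, text.splitlines())):
        verdict = classify(rec)
        verdicts[verdict] += 1
        if verdict == "backscatter":
            victims[rec["src"]] += 1
    return verdicts, victims
```

Running `triage(SAMPLE_ALERTS)` attributes both reply segments to 121.35.241.129 as backscatter and leaves only the bare SYN as a probe worth looking at.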
Current thread:
- not your typical : BAD-TRAFFIC tcp port 0 traffic portscanning? Michael Scheidell (May 25)
- <Possible follow-ups>
- Re: not your typical : BAD-TRAFFIC tcp port 0 traffic portscanning? Richard Bejtlich (May 25)
- Re: not your typical : BAD-TRAFFIC tcp port 0 traffic portscanning? CS Lee (May 25)
- Re: not your typical : BAD-TRAFFIC tcp port 0 traffic portscanning? Michael Scheidell (May 25)