Security Incidents mailing list archives

Re: Munged Napster Sessions


From: vanja () RELAYGROUP COM (Vanja Hrustic)
Date: Fri, 17 Mar 2000 05:19:22 +0700


"Stephen P. Berry" wrote:
> Notably, the traffic of interest includes various bogus TCP flag
> combinations (everything from SYN-FIN packets to full Xmas packets),
> bogus TCP flags, and tiny fragments.
>
> In the absence of the established Napster session, the anomalous traffic
> would look powerfully like some sort of TCP fingerprinting attempt to me.

A silly question: are any of the sites involved located at *.demon.co.uk, by
any chance?

I think that quite a few people these days are seeing false alarms caused
by traffic which comes from demon. Demon blames it on "network
equipment". For example, a guy (using demon.co.uk) is browsing my
website, and during that session, a packet is sent to a random high port
(like 3xxxx). Packets are really strange; sometimes they have all bits
set, sometimes not.

I just got used to that :)

--

Vanja Hrustic
The Relay Group
http://relaygroup.com
Technology Ahead of Time
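
For triage of the traffic discussed in this thread, the bogus flag combinations and tiny fragments can be labelled straight from raw IPv4 bytes. This is an added example, not part of the original post; the function names, labels, the 20-byte first-fragment threshold and the sample packets (ports, documentation-range addresses) are all constructed assumptions.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def flag_anomalies(flags):
    """Label TCP flag combinations that a normal stack does not emit."""
    flags &= 0x3F
    found = []
    if flags == 0:
        found.append("null")
    if flags & SYN and flags & FIN:
        found.append("syn-fin")
    if flags & SYN and flags & RST:
        found.append("syn-rst")
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        found.append("xmas")          # includes the "all bits set" case
    return found

def inspect_ipv4(packet):
    """Return anomaly labels for one raw IPv4 packet carrying TCP."""
    ihl = (packet[0] & 0x0F) * 4
    total_len, _ident, frag = struct.unpack("!HHH", packet[2:8])
    if packet[9] != 6:                # protocol field: 6 = TCP
        return []
    offset = (frag & 0x1FFF) * 8      # fragment offset in bytes
    tcp = packet[ihl:total_len]
    found = []
    # First fragment (offset 0, More Fragments set) too short to hold a full
    # 20-byte TCP header: the "tiny fragment" case (threshold is an assumption).
    if offset == 0 and frag & 0x2000 and len(tcp) < 20:
        found.append("tiny-fragment")
    # The flags byte sits at offset 13 of the TCP header, if it is present.
    if offset == 0 and len(tcp) >= 14:
        found += flag_anomalies(tcp[13])
    return found

def build(flags, frag=0, tcp_len=20):
    """Construct a sample packet (constructed test data, not captured traffic)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 31000, 0, 0, 5 << 4, flags,
                      1024, 0, 0)[:tcp_len]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, frag, 64, 6,
                     0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + tcp

if __name__ == "__main__":
    for name, pkt in [("syn-ack", build(SYN | ACK)), ("syn-fin", build(SYN | FIN)),
                      ("all bits", build(0x3F)), ("tiny", build(SYN, 0x2000, 8))]:
        print(name, inspect_ipv4(pkt))
```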


