Security Incidents mailing list archives

Re: Munged Napster Sessions


From: simond () IRRELEVANT ORG (simond () IRRELEVANT ORG)
Date: Fri, 17 Mar 2000 14:21:56 +0000


On Fri, Mar 17, 2000 at 05:19:22AM +0700, Vanja Hrustic wrote:
"Stephen P. Berry" wrote:
Notably, the traffic of interest includes various bogus TCP flag
combinations (everything from SYN-FIN packets to full Xmas packets),
bogus TCP flags, and tiny fragments.

In the absence of the established napster session, the anomalous traffic would
look powerfully like some sort of TCP fingerprinting attempt to
me.

A silly question: are any of the sites involved located at *.demon.co.uk, by
any chance?

I think that quite a few people these days are seeing false alarms caused
by traffic which comes from demon. Demon blames it on "network
equipment". For example, a guy (using demon.co.uk) is browsing my
website, and during that session, a packet is sent to a random high port
(like 3xxxx). The packets are really strange; sometimes they have all bits
set, sometimes not.

I just got used to that :)

As far as I know they fixed that last year; it was due to some problem
with their Ascend GRFs. I may be wrong though :)

--
Simon Dick                                      simond () irrelevant org
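
An added example, not part of the original messages: a small Python classifier that labels the kinds of packets the thread describes (SYN-FIN, Xmas and all-bits-set flag combinations, tiny fragments) from raw IPv4 bytes, so they can be counted per source before deciding whether they are a scan or faulty network equipment. The label names, the `build` helper, the 20-byte tiny-fragment threshold, and the sample addresses and ports are assumptions of this example.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify(packet: bytes) -> list:
    """Return anomaly labels for one raw IPv4 packet; [] means nothing flagged."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ["not-ipv4"]
    ihl = (packet[0] & 0x0F) * 4
    total_len, _ident, frag = struct.unpack("!HHH", packet[2:8])
    if packet[9] != 6:                      # only TCP is examined here
        return []
    more_frags, offset = bool(frag & 0x2000), frag & 0x1FFF
    tcp = packet[ihl:total_len]
    if offset == 1:                         # lands on bytes 8+ of the TCP header (see RFC 1858)
        return ["fragment-overlaps-tcp-header"]
    if offset > 1:                          # later fragment, carries no TCP header
        return []
    findings = []
    if more_frags and len(tcp) < 20:        # first fragment too small for a full TCP header
        findings.append("tiny-fragment")
    if len(tcp) < 14:                       # flags byte (offset 13) is not in this fragment
        return findings
    flags = tcp[13] & 0x3F
    if flags == 0:
        findings.append("null-flags")
    elif flags == 0x3F:                     # every flag bit set
        findings.append("full-xmas")
    elif (flags & (FIN | PSH | URG)) == (FIN | PSH | URG):
        findings.append("xmas")
    elif flags & SYN and flags & FIN:
        findings.append("syn-fin")
    elif flags & SYN and flags & RST:
        findings.append("syn-rst")
    return findings

def build(flags, frag=0, tcp_len=20):
    """Constructed sample packet: 20-byte IPv4 header plus tcp_len bytes of TCP header."""
    tcp = struct.pack("!HHIIBBHHH", 1025, 30000, 0, 0, 5 << 4, flags, 512, 0, 0)[:tcp_len]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, frag, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return ip + tcp

if __name__ == "__main__":
    for name, pkt in [("syn", build(SYN)), ("syn-fin", build(SYN | FIN)),
                      ("all bits", build(0x3F)), ("tiny", build(SYN, 0x2000, 8))]:
        print(name, classify(pkt))
```

The flag labels alone do not separate a fingerprinting attempt from broken equipment; the surrounding session context discussed in the thread still has to be checked.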
