Security Incidents mailing list archives
RE: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)
From: "David Gillett" <gillettdavid () fhda edu>
Date: Fri, 31 Jan 2003 11:55:46 -0800
1. It seems to me that packets with that destination address are going to be routable to your network from only a small number of nearby networks -- probably only the local network itself.

Conclusion: The random source addresses are spoofed.

Test: Look at the source MAC addresses. If these are all the MAC address of your gateway router's interface, then someone has found a way to route into your network (or the MAC address is *also* being spoofed...). Otherwise, that should have good odds of leading you to the internal machine that is spewing these.

2. You haven't said whether these were TCP or UDP, but since TCP to a broadcast address can't possibly hope to ever establish a connection, either the person behind this doesn't understand how it works (improving the odds that the MAC address isn't spoofed...), or the packets must be self-contained attacks (more likely with UDP, although I don't know why anything would ever be listening on UDP port 80...).

David Gillett
-----Original Message-----
From: greg () optionsinternet com [mailto:greg () optionsinternet com]
Sent: January 30, 2003 13:29
To: incidents () securityfocus com
Cc: hasan () hasan org; tomek-incid () lodz tpsa pl
Subject: RE: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

Today we have been receiving on average 380,000 requests an hour TO 255.255.255.255 FROM random IPs. I performed a reverse DNS query on a sample of 200 hosts, 2 of which came back with hostnames. A ping scan of the very same 200 hosts showed that only around 20 were *active*. I contacted our ISP and was told that this traffic was "normal".

Has anyone else seen any similar requests?

Regards
Greg Bolshaw

Original Message:
-----------------
From: Tomasz Papszun tomek-incid () lodz tpsa pl
Date: Thu, 30 Jan 2003 19:03:51 +0100
To: incidents () securityfocus com
Subject: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

On Thu, 30 Jan 2003 at 14:31:36 +1100, Keith Owens wrote:
> On Wed, 29 Jan 2003 21:46:53 +1100, Michael Rowe <mrowe () mojain com> wrote:
> > I received a packet on my cable modem today, allegedly from microsoft.com:
> > 18:41:35.663374 207.46.249.190.80 > my.cable.modem.ip.1681: S 866282571:866282571(0) ack 268566529 win 16384 <mss 1460>
>
> I am seeing a lot of syn/ack packets from port 80 to non-existent addresses on my networks. Somebody is spoofing source addresses to attack hosts, we are just innocent victims. When will ISPs learn that they should filter their customers' packets to prevent spoofing? I am even seeing syn/ack packets from 255.255.255.255:80!

Similarly at my networks. Yesterday evening (Jan 29 21:10 GMT+1) a very noticeable stream of such packets started to come into my networks. All are TCP, from 255.255.255.255(80), destined to various random addresses (even not used) to various port numbers. This appearance is very noticeable.
Before yesterday, single packets from 255.255.255.255 were coming in at a rate of about one every three weeks. Since yesterday there have been about 1680 in 22 hours.

--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
tomek () lodz tpsa pl http://www.lodz.tpsa.pl/ | ones and zeros.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
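The source-MAC test and the TCP-versus-UDP reasoning from Gillett's reply, plus the before/after rate comparison from Papszun's message, written out as a small triage script. This is an added example, not code from anyone in the thread; the frames and the gateway MAC are constructed sample values, and in practice they would be read from a capture taken on the affected segment.

```python
from collections import Counter, defaultdict

# Constructed sample frames (not a real capture). Each tuple is
# (src_mac, src_ip, dst_ip, proto, dst_port, tcp_flags).
GATEWAY_MAC = "00:00:0c:07:ac:01"  # assumed MAC of the gateway router interface
FRAMES = [
    ("00:11:22:33:44:55", "10.0.0.7",      "255.255.255.255", "tcp", 80,  "S"),
    ("00:11:22:33:44:55", "203.0.113.9",   "255.255.255.255", "tcp", 80,  "S"),
    ("00:11:22:33:44:55", "198.51.100.22", "255.255.255.255", "udp", 80,  ""),
    (GATEWAY_MAC,         "192.0.2.44",    "255.255.255.255", "tcp", 80,  "S"),
    (GATEWAY_MAC,         "192.0.2.45",    "10.0.0.3",        "tcp", 443, "SA"),
]

def broadcast_frames(frames):
    """Only the frames addressed to the limited broadcast address matter here."""
    return [f for f in frames if f[2] == "255.255.255.255"]

def attribute_by_mac(frames, gateway_mac):
    """Gillett's test: group broadcast-destined frames by source MAC.
    Frames bearing the gateway's MAC were routed in (or the MAC is spoofed);
    any other MAC points at a host on the local segment, and many distinct
    source IPs behind one MAC means the IP addresses are spoofed."""
    per_mac = defaultdict(list)
    for f in broadcast_frames(frames):
        per_mac[f[0]].append(f)
    report = {}
    for mac, fs in per_mac.items():
        ips = {f[1] for f in fs}
        if mac == gateway_mac:
            verdict = "routed in from outside (or gateway MAC spoofed)"
        elif len(ips) > 1:
            verdict = "local host; source IPs spoofed"
        else:
            verdict = "local host"
        report[mac] = {"count": len(fs), "distinct_src_ips": len(ips), "verdict": verdict}
    return report

def classify_transport(frames):
    """Gillett's point 2: TCP to a broadcast address can never complete a
    handshake, so each such packet is self-contained; only UDP could plausibly
    carry a payload meant for a listener."""
    counts = Counter()
    for f in broadcast_frames(frames):
        counts["tcp_no_handshake_possible" if f[3] == "tcp" else "udp_possible_payload"] += 1
    return counts

def rate_increase(count, hours, baseline_per_hour):
    """Observed hourly rate divided by the baseline hourly rate."""
    return (count / hours) / baseline_per_hour
```

With Papszun's figures (about one packet every three weeks before, 1680 in 22 hours after), rate_increase(1680, 22, 1 / (21 * 24)) shows the stream is tens of thousands of times the baseline, which is the kind of number worth putting in front of an ISP that calls the traffic "normal".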
Current thread:
- RE: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) David Gillett (Feb 02)
- <Possible follow-ups>
- RE: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) Joel Tyson (Feb 03)
- Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) Valdis . Kletnieks (Feb 05)
- Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) Hugo van der Kooij (Feb 05)
- Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) Frederic Harster (Feb 05)
- Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) Christian Vogel (Feb 05)
- Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) Meritt James (Feb 05)
- RE: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) James Kelly (Feb 05)
- Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) Frederic Harster (Feb 05)