Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

[Geert Kiers <kweb () kweb on ca>]

Greetings:

First time contributor and not too well informed but hoping to add to the
understanding of the issue at hand.

I have been following this thread and its predecessor for the past few
days.  Having some time available, I elected to check one of my snort alert
logs for occurances of the address 255.255.255.255.  I found one.  Then I
checked prvoious recent logs and found not others.  Here is the one and
only one which snort recorded:

[**] ICMP Destination Unreachable (Undefined Code!) [**]
01/30-06:44:51.542691 211.172.208.11 -> a_KWeb_host_ip
ICMP TTL:39 TOS:0x0 ID:10599 IpLen:20 DgmLen:76
Type:3  Code:2  DESTINATION UNREACHABLE: PROTOCOL UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
a_KWeb_host_ip:29085 -> 255.255.255.255:80
TCP TTL:129 TOS:0x0 ID:13954 IpLen:20 DgmLen:40
******** Seq: 0x5AA00000  Ack: 0xD3ED  Win: 0xFFFF  TcpLen: 52
** END OF DUMP

The ip address of our host has been replaced with 'a_KWeb_host_ip'.
The host is a Win NT 4 server sp6a (if it matters?).  Since I have found
only one, I am assuming that our host ip was spoofed and because I have
snort logging everything it can, I happened to record this contribution.

It means very little to me, but I hope it may help your understanding.

Regards,

Geert

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com