Security Incidents mailing list archives

Re: Packet from port 80 with spoofed microsoft.com ip


From: Thiago Conde Figueiró <thiago.figueiro () ciphertech com br>
Date: Wed, 29 Jan 2003 15:12:01 -0200

On Wed, 29 Jan 2003 21:46:53 +1100
Michael Rowe <mrowe () mojain com> wrote:

MR> I received a packet on my cable modem today, allegedly from
MR> microsoft.com:
(snip)

MR> $ host 207.46.249.190
MR> Name: www.domestic.microsoft.com
MR> Address: 207.46.249.190
MR> Aliases: microsoft.com microsoft.net www.us.microsoft.com

        One should not trust reverse DNS for identification.  The
administrator for 249.46.207.in-addr.arpa could spoof that response.

        I'm not saying the packet didn't come from there, as I didn't bother
checking.  But that verification should be done with the proper
authority (whois @internic.net, perhaps?).

MR> Is this some sort of known "attack"? Or just random weirdness?

        I see no known pattern, but that could be explained, as you said, by
several random activities.  For example, someone could have spoofed a
SYN with your IP as source.  Let's see what other people have to say. :)


Regards,

-- 
Thiago Figueiró
Infrastructure
Cipher Technology
www.ciphertech.com.br
_______________________________________________
"IT Security - A Cipher Technology specialty"

disclaimer: the opinions in this message are my own and do not represent
my employer's view.
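
The point above about not trusting a reverse DNS answer can be checked with a forward-confirmed reverse DNS lookup; the following is an added example, not part of the original message, and the function names and sample records (documentation address ranges) are constructed for illustration.

```python
import ipaddress
import socket


def system_ptr(ip):
    """PTR lookup via the system resolver; returns candidate hostnames."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]


def system_forward(name):
    """A/AAAA lookup via the system resolver; returns address strings."""
    try:
        infos = socket.getaddrinfo(name, None)
    except OSError:
        return []
    return [info[4][0] for info in infos]


def fcrdns(ip, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Return the PTR names for `ip` that resolve forward to the same IP.

    An empty list means the reverse name is unconfirmed: whoever controls
    the in-addr.arpa zone can publish any name, but only the owner of the
    named forward zone can make that name point back at the address.
    """
    target = ipaddress.ip_address(ip)
    confirmed = []
    for name in ptr_lookup(ip):
        host = name.rstrip(".").lower()
        addrs = set()
        for addr in forward_lookup(host):
            try:
                addrs.add(ipaddress.ip_address(addr.split("%")[0]))
            except ValueError:
                continue  # ignore anything that is not an IP literal
        if target in addrs and host not in confirmed:
            confirmed.append(host)
    return confirmed


# Constructed sample records: both addresses claim the same PTR name,
# but the forward zone only lists one of them.
SAMPLE_PTR = {"192.0.2.10": ["www.example.com."], "198.51.100.7": ["www.example.com."]}
SAMPLE_FWD = {"www.example.com": ["192.0.2.10"]}


def sample_check(ip):
    """Run fcrdns() against the constructed records instead of live DNS."""
    return fcrdns(ip, lambda i: SAMPLE_PTR.get(i, []), lambda n: SAMPLE_FWD.get(n, []))
```

A confirmed name only ties the address to the owner of the forward zone; it says nothing about whether the source address on the packet was itself forged, which the message raises separately.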
