Re: Packet from port 80 with spoofed microsoft.com ip

[H C <keydet89 () yahoo com>]

How does an ACK packet constitute an "attack"?

Did you run netstat on your system to view the states
of connections on that system?

How did you determine that the packet had been
spoofed?

--- Michael Rowe <mrowe () mojain com> wrote:
> Hi,
>
> I received a packet on my cable modem today,
> allegedly from
> microsoft.com: 
>
> 18:41:35.663374 207.46.249.190.80 >
> my.cable.modem.ip.1681: S866282571:866282571(0) ack
> 268566529 win 16384 <mss 1460>
>
> $ host 207.46.249.190   
> Name: www.domestic.microsoft.com
> Address: 207.46.249.190
> Aliases: microsoft.com microsoft.net
> www.us.microsoft.com
>
> No one was home at this time, and no computer
> running windows was
> active, so I'm pretty sure this was not legit
> traffic (unless it was a
> *very* delayed ack from a microsoft server, like > 6
> hours. I guess
> this is conceivable, given their current, er, issues
> :).
>
> Is this some sort of known "attack"? Or just random
> weiredness?
>
> Cheers,
>
> -- 
> Michael Rowe <mrowe () mojain com>
>
> IM  - mrowe () jabber org                Prof - ACM,
> IEEE, Computer Soc.
> Web - http://www.mojain.com/          Vice - Barley
> malt, brewed or
> Key - http://mojain.com/keys/mrowe.asc      
> distilled (hold the ice)
----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS
> analyzer service.
> For more information on this free incident handling,
> management 
> and tracking system please see:
> http://aris.securityfocus.com


__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com