Security Incidents mailing list archives
Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)
From: "Peter Triller" <ptriller () xebec de>
Date: Fri, 31 Jan 2003 03:01:49 +0100
I am seeing a lot of syn/ack packets from port 80 to non-existent addresses on my networks. Somebody is spoofing source addresses to attack hosts; we are just innocent victims. When will ISPs learn that they should filter their customers' packets to prevent spoofing? I am even seeing syn/ack packets from 255.255.255.255:80!
I can't see much reason in such packets, since they won't give any feedback. sport 80 is obviously to bypass some firewalls. But if he doesn't get feedback, only 2 reasons pop into mind:

- an attack similar to the worm, but the random ports don't make sense then
- a very badly configured and/or broken piece of software/hardware.

Peter

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
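An added example, not part of the messages in this thread: one way to triage the traffic described above, by separating SYN/ACKs that answer a SYN the local network actually sent from those that answer nothing, and by flagging sources such as 255.255.255.255 that can never be a legitimate TCP peer. The record format, the function names and the 192.0.2.0/24 local network are assumptions, and the sample packets are constructed.

```python
import ipaddress

# Constructed sample records: (src, sport, dst, dport, tcp_flags).
# 192.0.2.0/24 stands in for "my networks"; all addresses are documentation ranges.
SAMPLE = [
    ("192.0.2.10", 40000, "198.51.100.5", 80, "S"),     # real outbound SYN
    ("198.51.100.5", 80, "192.0.2.10", 40000, "SA"),    # its legitimate reply
    ("203.0.113.7", 80, "192.0.2.200", 1045, "SA"),     # reply to a SYN we never sent
    ("255.255.255.255", 80, "192.0.2.77", 3021, "SA"),  # impossible source address
]

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def is_martian(addr):
    """True for sources that cannot be a real unicast TCP endpoint."""
    ip = ipaddress.ip_address(addr)
    return (ip == LIMITED_BROADCAST or ip.is_multicast or ip.is_reserved
            or ip.is_loopback or ip.is_unspecified)


def classify(packets, local_net):
    """Label every inbound SYN/ACK as solicited, unsolicited or martian-source."""
    net = ipaddress.ip_network(local_net)
    pending = set()  # (local ip, local port, remote ip, remote port) of SYNs we sent
    verdicts = []
    for src, sport, dst, dport, flags in packets:
        if flags == "S" and ipaddress.ip_address(src) in net:
            pending.add((src, sport, dst, dport))
            continue
        if flags != "SA" or ipaddress.ip_address(dst) not in net:
            continue  # only inbound SYN/ACKs are of interest here
        if is_martian(src):
            verdicts.append((src, dst, "martian-source"))
        elif (dst, dport, src, sport) in pending:
            verdicts.append((src, dst, "solicited"))
        else:
            verdicts.append((src, dst, "unsolicited"))
    return verdicts


if __name__ == "__main__":
    for verdict in classify(SAMPLE, "192.0.2.0/24"):
        print(verdict)
```
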