Security Incidents mailing list archives

Re: Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log file...)


From: "Anders Reed Mohn" <anders_rm () utepils com>
Date: Tue, 17 Jun 2003 12:28:43 +0200

Forgive me if this just ends up in a stupid question, but
having watched this thread for a while now, it strikes me 
as odd that no one has been able to trace the origin of any 
of these packets yet.
These packets are now widely known (and have been 
discussed on other lists, in the news etc, as well), and there 
are quite a few network admins aware of this.

Is it not possible for a few to get together and track down at 
least _one_ source computer?

It seems to me that you are all putting an awful lot of effort in logging
and tracking and making statistics.
This is of course a good thing, but if we want to figure this thing out,
there's more that needs to be done.

I know.. spoofed addresses.. but that
does not mean we cannot trace packets to a certain extent.
A shitty job, but unfortunately the only way of going about this, if
we want to track it down for real.
Also, it seems from some posters that not all sources are spoofed.

Are you guys talking to your ISPs about this? I am sure the average
ISP has at least one techhead that would be interested in digging a little
in this, and I am guessing that several ISPs read this list as well.
I'm not currently working as a network admin, so I'm not in a position
to do much hunting in logs myself, unfortunately.
 
So, what's happenin' dudes? Can we mount a common effort to track 
this down?
Any ISP techs reading this, who see these packets coming out from their
networks? Do you contact the "offenders"?

Cheers,
Anders :)
