Security Incidents mailing list archives

Chinese HTTP ACKs


From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 9 Feb 2005 10:08:20 -0800

  I'm seeing a handful of addresses in the 61.143.210.0/23 space
periodically send 2-3 ACKs from port 80 to semi-random addresses
within our Class B space.  The TCP checksum on these packets is
incorrect.
  Note that these are ACK and not SYN-ACK, although no such session
appears to be underway.  Between that and the checksum error, I
believe that these are NOT responses to spoofed SYNs, but are
something else crafted on the Chinese hosts themselves.

  I describe the destination as "semi-random" in that the examples
I've captured have been directed at in-use addresses within thinly-
used portions of our address space.  A less random target selection 
would be expected to be hitting our main server ranges; a more random
selection would be expected to hit some unused addresses.  So I
*suspect* that some kind of discovery process may have been used.

  (In at least one case, the target lies within a sub-block that
is not supposed to exchange TCP packets with the Internet.  Unfortunately,
it's relying on a Cisco ACL "established" line for this, and of course
these naked ACKs sail right on past....
  Again, a reason to believe that these ACKs are not part of some
legitimate session already in progress.)

  Anybody else seeing similar?

David Gillett
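Added example, not part of the post or thread: a small Python model of the two points raised above. It builds constructed TCP segments (documentation addresses and ports, not the ones in the post), verifies the TCP checksum over the IPv4 pseudo-header, and contrasts the stateless flag match that an ACL "established" line performs with a stateful session lookup, so a naked ACK with a bad checksum and no matching session is flagged while a genuine reply is not.

```python
import socket
import struct

FLAG_SYN, FLAG_RST, FLAG_ACK = 0x02, 0x04, 0x10

def ones_complement_sum(data: bytes) -> int:
    # 16-bit ones' complement sum with end-around carry, as used by TCP/IP
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    # IPv4 pseudo-header: src, dst, zero byte, protocol 6, TCP length; returns 0 for a valid segment
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF

def build_segment(src_ip, dst_ip, sport, dport, flags, corrupt=False) -> bytes:
    # Minimal 20-byte header, no options or payload; checksum field is zero while it is computed
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, flags, 8192, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr)
    if corrupt:
        csum ^= 0x5A5A  # constructed: mimic the incorrect checksum seen on the wire
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]

def analyse(src_ip, dst_ip, segment, sessions):
    """Return (passes_established_acl, checksum_ok, session_known, suspicious)."""
    sport, dport = struct.unpack("!HH", segment[:4])
    flags = segment[13]
    passes_acl = bool(flags & (FLAG_ACK | FLAG_RST))      # stateless: any ACK/RST gets through
    checksum_ok = tcp_checksum(src_ip, dst_ip, segment) == 0
    session_known = (dst_ip, dport, src_ip, sport) in sessions  # stateful: reply must match a client flow
    suspicious = passes_acl and not (flags & FLAG_SYN) and not session_known
    return passes_acl, checksum_ok, session_known, suspicious

# Constructed sample traffic: one tracked outbound web session, then three inbound segments
SESSIONS = {("198.51.100.77", 40000, "192.0.2.10", 80)}
SAMPLES = [
    ("192.0.2.10", "198.51.100.77", build_segment("192.0.2.10", "198.51.100.77", 80, 40000, FLAG_ACK)),
    ("192.0.2.10", "198.51.100.201", build_segment("192.0.2.10", "198.51.100.201", 80, 33001, FLAG_ACK, corrupt=True)),
    ("192.0.2.10", "198.51.100.201", build_segment("192.0.2.10", "198.51.100.201", 80, 33001, FLAG_SYN)),
]

def run(samples=SAMPLES, sessions=SESSIONS):
    return [analyse(s, d, seg, sessions) for s, d, seg in samples]

if __name__ == "__main__":
    for (s, d, _), r in zip(SAMPLES, run()):
        print(s, "->", d, dict(zip(("acl_pass", "csum_ok", "session", "suspicious"), r)))
```

Only the second segment is both passed by the stateless match and unexplained by any session; a stateful check or per-packet checksum validation would have caught it.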
