nanog mailing list archives
Re: Gratuitous syn/ack
From: Randy <randy_94108 () yahoo com>
Date: Thu, 11 Nov 2010 20:16:04 -0800 (PST)
--- On Thu, 11/11/10, Joel Esler <joel.esler () me com> wrote:
From: Joel Esler <joel.esler () me com>
Subject: Re: Gratuitous syn/ack
To: "Pete Carah" <pete () altadena net>
Cc: "nanog () nanog org" <nanog () nanog org>
Date: Thursday, November 11, 2010, 5:03 PM

I am betting backscatter.

Sent from my iPhone

On Nov 11, 2010, at 5:31 PM, Pete Carah <pete () altadena net> wrote:

I'm seeing a significant number (about 1/minute 24hr/day) of syn/ack packets coming from port 80 of random addresses to random ports on my nameserver and a few other systems. This isn't enough traffic to be really annoying, but is curious.

I wonder if the simple explanation (backscatter from syn floods with spoofed source addresses) is more likely, or if there are some probing techniques in "normal" use that use these packets (one could accomplish a traceroute using port 80 packets in either direction...)

-- Pete
...or script kiddies port-scanning - sending a syn-ack to a non-existent session expecting a RST back.

./Randy
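
Added example, not part of any poster's message: a Python sketch that picks out SYN/ACKs answering no SYN the monitored hosts sent, then labels the pattern as looking more like backscatter or more like single-source probing. The tcpdump-style capture lines, the addresses (documentation ranges) and the 80% / three-packet thresholds are constructed assumptions.

```python
import re
from collections import Counter

# tcpdump -n style: "<time> IP src.sport > dst.dport: Flags [S.], ..."
LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([A-Z.]+)\]")

# Constructed sample capture (documentation addresses), not real traffic.
SAMPLE = """\
20:16:01.10 IP 192.0.2.53.50000 > 203.0.113.9.80: Flags [S], seq 100, length 0
20:16:01.15 IP 203.0.113.9.80 > 192.0.2.53.50000: Flags [S.], seq 900, ack 101, length 0
20:16:40.02 IP 198.51.100.7.80 > 192.0.2.53.41822: Flags [S.], seq 5, ack 77, length 0
20:17:41.31 IP 198.51.100.200.80 > 192.0.2.53.1734: Flags [S.], seq 6, ack 12, length 0
20:18:39.77 IP 203.0.113.66.80 > 192.0.2.53.60011: Flags [S.], seq 7, ack 31, length 0
20:19:40.05 IP 198.51.100.31.80 > 192.0.2.54.2290: Flags [S.], seq 8, ack 45, length 0
""".splitlines()

def unsolicited_synacks(lines):
    """Return (src, sport, dst, dport) for each SYN/ACK that answers no SYN we saw."""
    expected = set()  # reply 4-tuples for SYNs observed earlier in the capture
    hits = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        pkt = (src, int(sport), dst, int(dport))
        if flags == "S":
            expected.add((dst, int(dport), src, int(sport)))
        elif flags == "S." and pkt not in expected:
            hits.append(pkt)
    return hits

def summarize(hits):
    """Heuristic label (assumption): thresholds are illustrative, not calibrated."""
    n = len(hits)
    sources = Counter(h[0] for h in hits)
    sports = Counter(h[1] for h in hits)
    if n < 3:
        verdict = "too few packets to judge"
    elif len(sources) >= 0.8 * n and max(sports.values()) >= 0.8 * n:
        verdict = "consistent with backscatter"   # many one-off sources, one service port
    elif len(sources) == 1:
        verdict = "consistent with single-source probing"
    else:
        verdict = "inconclusive"
    return {"packets": n, "distinct_sources": len(sources), "verdict": verdict}

if __name__ == "__main__":
    print(summarize(unsolicited_synacks(SAMPLE)))
```

The capture must include the monitored hosts' own outbound SYNs, otherwise every legitimate SYN/ACK reply is counted as unsolicited.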