nanog mailing list archives

Re: Gratuitous syn/ack


From: Randy <randy_94108 () yahoo com>
Date: Thu, 11 Nov 2010 20:16:04 -0800 (PST)

--- On Thu, 11/11/10, Joel Esler <joel.esler () me com> wrote:

From: Joel Esler <joel.esler () me com>
Subject: Re: Gratuitous syn/ack
To: "Pete Carah" <pete () altadena net>
Cc: "nanog () nanog org" <nanog () nanog org>
Date: Thursday, November 11, 2010, 5:03 PM
I am betting backscatter.  


Sent from my iPhone

On Nov 11, 2010, at 5:31 PM, Pete Carah <pete () altadena net> wrote:

I'm seeing a significant number (about 1/minute 24 hr/day) of syn/ack packets coming from port 80 of random addresses to random ports on my nameserver and a few other systems.  This isn't enough traffic to be really annoying, but is curious.

I wonder if the simple explanation (backscatter from syn floods with spoofed source addresses) is more likely, or if there are some probing techniques in "normal" use that use these packets (one could accomplish a traceroute using port 80 packets in either direction...)

-- Pete



...or script kiddies port-scanning - sending a syn-ack to a non-existent session expecting a RST back.
./Randy
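
An added example, not part of the original thread: one way to triage the traffic discussed above from flow records, by keeping only SYN/ACKs that answer no outbound SYN and then grouping them by source. The record layout, the sample packets and the threshold of three distinct targets per source are assumptions made for this sketch; the split between "backscatter-like" and "scan-like" is a heuristic, not a verdict.

```python
from collections import defaultdict

# Constructed sample flow records (not from the thread), documentation address ranges:
# (direction, src_ip, src_port, dst_ip, dst_port, tcp_flags)
PACKETS = [
    ("out", "192.0.2.53", 40000, "198.51.100.7", 80, "S"),
    ("in", "198.51.100.7", 80, "192.0.2.53", 40000, "SA"),   # answers our SYN
    ("in", "203.0.113.10", 80, "192.0.2.53", 31337, "SA"),
    ("in", "203.0.113.10", 80, "192.0.2.53", 31337, "SA"),   # SYN/ACK retransmit
    ("in", "203.0.113.77", 80, "192.0.2.53", 5122, "SA"),
    ("in", "198.51.100.200", 80, "192.0.2.53", 22, "SA"),
    ("in", "198.51.100.200", 80, "192.0.2.53", 25, "SA"),
    ("in", "198.51.100.200", 80, "192.0.2.53", 53, "SA"),
]


def unsolicited_synacks(packets):
    """Return inbound SYN/ACKs that do not answer any outbound SYN seen earlier."""
    pending = set()  # 4-tuples keyed the way the reply will arrive
    hits = []
    for direction, sip, sport, dip, dport, flags in packets:
        if direction == "out" and flags == "S":
            pending.add((dip, dport, sip, sport))
        elif direction == "in" and flags == "SA":
            # Matches are left in 'pending' so a retransmitted reply is not flagged.
            if (sip, sport, dip, dport) not in pending:
                hits.append((sip, sport, dip, dport))
    return hits


def classify_sources(hits, scan_threshold=3):
    """Label each source by how many distinct local (ip, port) targets it hit.

    Assumed heuristic: backscatter from a spoofed flood reaches a given
    address rarely and repeats the same 4-tuple on retransmit, while a
    prober walks several local ports from one source.
    """
    targets = defaultdict(set)
    for sip, _sport, dip, dport in hits:
        targets[sip].add((dip, dport))
    return {
        sip: "scan-like" if len(seen) >= scan_threshold else "backscatter-like"
        for sip, seen in targets.items()
    }


if __name__ == "__main__":
    for src, label in sorted(classify_sources(unsolicited_synacks(PACKETS)).items()):
        print(src, label)
```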

