Snort mailing list archives

Re: not your typical : BAD-TRAFFIC tcp port 0 traffic portscanning?


From: "Richard Bejtlich" <taosecurity () gmail com>
Date: Fri, 25 May 2007 21:46:54 -0400

Michael Scheidell wrote:

Any idea what they are doing? Trying to portscan? Looking for some
vulnerability with 'dest port' 0?

05/25-09:22:49 TCP 121.35.241.129:8000 -->  xxx.xxx.xxx.xxx :0
[1:524:8] BAD-TRAFFIC tcp port 0 traffic
[Classification: Misc activity] [Priority: 3]


#(2 - 738314) [2007-05-25 07:43:37] [snort/524] BAD-TRAFFIC tcp port 0
traffic IPv4: 121.35.241.129 -> xxx.xxx.xxx.xxx
hlen=5 TOS=0 dlen=40 ID=51608 flags=0 offset=0 TTL=238 chksum=35950
TCP: port=80 -> dport: 0 flags=***A*R** seq=0
ack=759384068 off=5 res=0 win=0 urp=0 chksum=50032 Payload: none

Michael,

It's "backscatter."  An unknown third party is spoofing
xxx.xxx.xxx.xxx and SYN flooding port 80 TCP on 121.35.241.129.
121.35.241.129 is the real victim.

2000 paper:

http://www.taosecurity.com/nid_3pe_v101.pdf

1999 paper:

http://www.taosecurity.com/intv2-8.html

There's nothing to worry about.

Sincerely,

Richard
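The record quoted above has the exact shape RFC 793 prescribes for a RST answering an unsolicited SYN: the RST carries seq=0, the ACK bit set, a zero window and no data, and it comes from the service port (80) rather than towards it. A defender can turn that observation into a triage rule. The following Python script is an added example, not code from the thread, from Snort or from Richard's papers: it parses alert records in the ACID/BASE-style layout quoted above, assumes Snort's positional "12UAPRSF" flag string (a '*' meaning the bit is clear, so "***A*R**" is ACK+RST), and labels each record as backscatter, a genuine inbound connection attempt, or other. The sample log is constructed; its first record mirrors the quoted one with documentation addresses substituted, and the other two are made-up contrasts.

```python
import re
from dataclasses import dataclass

# Snort prints TCP flags positionally in this order; '*' means the bit is clear.
# (Assumption about the flag-string format, not stated in the thread.)
FLAG_NAMES = "12UAPRSF"

IP_RE = re.compile(r"IPv4:\s*(?P<src>[\d.xX]+)\s*->\s*(?P<dst>[\d.xX]+)")
TCP_RE = re.compile(
    r"TCP:\s*port=(?P<sport>\d+)\s*->\s*dport:\s*(?P<dport>\d+)\s*"
    r"flags=(?P<flags>\S{8})\s*seq=(?P<seq>\d+)\s*ack=(?P<ack>\d+)"
    r".*?win=(?P<win>\d+).*?Payload:\s*(?P<payload>\S+)",
    re.S,
)


@dataclass
class TcpRecord:
    src: str
    dst: str
    sport: int
    dport: int
    flags: set
    seq: int
    ack: int
    win: int
    payload: str


def tcp_flags(flag_str: str) -> set:
    """Turn Snort's positional flag string into a set of flag letters."""
    return {name for name, ch in zip(FLAG_NAMES, flag_str) if ch != "*"}


def parse_record(text: str) -> TcpRecord:
    """Parse one alert record in the layout quoted in the thread."""
    ip, tcp = IP_RE.search(text), TCP_RE.search(text)
    if ip is None or tcp is None:
        raise ValueError("not a TCP alert record")
    return TcpRecord(
        src=ip["src"], dst=ip["dst"],
        sport=int(tcp["sport"]), dport=int(tcp["dport"]),
        flags=tcp_flags(tcp["flags"]),
        seq=int(tcp["seq"]), ack=int(tcp["ack"]), win=int(tcp["win"]),
        payload=tcp["payload"],
    )


def classify(rec: TcpRecord) -> str:
    """Label a record as backscatter, a connection attempt, or other.

    Backscatter is the reply half of a handshake we never started: a SYN/ACK
    or RST/ACK coming *from* a service port and carrying no data.  A RST sent
    in answer to a SYN has seq=0 with the ACK bit set (RFC 793), which is
    exactly the shape of the record in the thread.
    """
    if rec.payload.lower() != "none":
        return "other"
    if rec.flags == {"A", "R"} and rec.seq == 0 and rec.sport < 1024:
        return "backscatter (RST/ACK reply to spoofed SYN)"
    if rec.flags == {"A", "S"} and rec.sport < 1024:
        return "backscatter (SYN/ACK reply to spoofed SYN)"
    if rec.flags == {"S"}:
        return "connection-attempt"
    return "other"


def split_records(log_text: str) -> list:
    """Split a log into records; each record starts with a '#(' line."""
    chunks, current = [], []
    for line in log_text.splitlines():
        if line.startswith("#(") and current:
            chunks.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        chunks.append("\n".join(current))
    return chunks


def triage(log_text: str) -> list:
    """Return (src, sport, dport, label) for every record in the log."""
    out = []
    for chunk in split_records(log_text):
        rec = parse_record(chunk)
        out.append((rec.src, rec.sport, rec.dport, classify(rec)))
    return out


# Constructed sample log: record 1 mirrors the quoted alert (documentation
# addresses substituted); records 2 and 3 are made-up contrasts.
SAMPLE_LOG = """\
#(2 - 1) [2007-05-25 07:43:37] [snort/524] BAD-TRAFFIC tcp port 0
traffic IPv4: 192.0.2.10 -> 198.51.100.7
hlen=5 TOS=0 dlen=40 ID=51608 flags=0 offset=0 TTL=238 chksum=35950
TCP: port=80 -> dport: 0 flags=***A*R** seq=0
ack=759384068 off=5 res=0 win=0 urp=0 chksum=50032 Payload: none
#(2 - 2) [2007-05-25 07:44:01] [snort/524] BAD-TRAFFIC tcp port 0
traffic IPv4: 192.0.2.10 -> 198.51.100.7
hlen=5 TOS=0 dlen=44 ID=51609 flags=0 offset=0 TTL=238 chksum=35949
TCP: port=80 -> dport: 0 flags=***A**S* seq=1868211234
ack=759384068 off=6 res=0 win=5840 urp=0 chksum=50031 Payload: none
#(2 - 3) [2007-05-25 07:45:12] [snort/0] CONSTRUCTED inbound SYN
traffic IPv4: 203.0.113.5 -> 198.51.100.7
hlen=5 TOS=0 dlen=44 ID=777 flags=0 offset=0 TTL=52 chksum=1
TCP: port=51000 -> dport: 80 flags=******S* seq=123456
ack=0 off=6 res=0 win=65535 urp=0 chksum=2 Payload: none
"""

if __name__ == "__main__":
    for src, sport, dport, label in triage(SAMPLE_LOG):
        print(f"{src}:{sport} -> :{dport}  {label}")
```

The `sport < 1024` test is a heuristic standing in for "a port we know the remote host serves"; in a real deployment replace it with the list of services the flooded host actually offers. Records whose destination port is one the monitored host never uses (port 0 here) reinforce the verdict, since no local process could have sent the SYN that provoked the reply.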
