Snort mailing list archives
Re: not your typical : BAD-TRAFFIC tcp port 0 traffic portscanning?
From: "Richard Bejtlich" <taosecurity () gmail com>
Date: Fri, 25 May 2007 21:46:54 -0400
Michael Scheidell wrote:
Any idea what they are doing? Trying to portscan? Looking for some vulnerability with 'dest port' 0?
05/25-09:22:49 TCP 121.35.241.129:8000 --> xxx.xxx.xxx.xxx:0
[1:524:8] BAD-TRAFFIC tcp port 0 traffic [Classification: Misc activity] [Priority: 3]

#(2 - 738314) [2007-05-25 07:43:37] [snort/524] BAD-TRAFFIC tcp port 0 traffic
IPv4: 121.35.241.129 -> xxx.xxx.xxx.xxx
      hlen=5 TOS=0 dlen=40 ID=51608 flags=0 offset=0 TTL=238 chksum=35950
TCP:  port=80 -> dport: 0 flags=***A*R** seq=0 ack=759384068 off=5 res=0 win=0 urp=0 chksum=50032
Payload: none
Michael,

It's "backscatter." An unknown third party is spoofing xxx.xxx.xxx.xxx and SYN flooding port 80 TCP on 121.35.241.129. 121.35.241.129 is the real victim.

2000 paper: http://www.taosecurity.com/nid_3pe_v101.pdf
1999 paper: http://www.taosecurity.com/intv2-8.html

There's nothing to worry about.

Sincerely,

Richard
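An added example, not code from the thread: a small triage helper that parses the detailed Snort alert block quoted above and labels it as backscatter when it has the shape Richard describes (an empty RST/ACK reply from the flooded service port, seq=0 and win=0, aimed at whatever port the forged SYN carried). It also accepts the SYN/ACK form a victim with the port open would send, which this alert does not show. The sample alert text is constructed from the quoted one; the field names and regexes are assumptions about the alert format, not Snort's own API.

```python
import re

# Constructed sample in the shape of the detailed alert quoted above (addresses as in the post).
SAMPLE_ALERT = """IPv4: 121.35.241.129 -> xxx.xxx.xxx.xxx hlen=5 TOS=0 dlen=40 ID=51608 flags=0 offset=0 TTL=238 chksum=35950
TCP: port=80 -> dport: 0 flags=***A*R** seq=0 ack=759384068 off=5 res=0 win=0 urp=0 chksum=50032
Payload: none"""

IP_RE = re.compile(r"IPv4:\s+(\S+)\s+->\s+(\S+)")
TCP_RE = re.compile(r"TCP:\s+port=(\d+)\s+->\s+dport:\s+(\d+)\s+flags=(\S+)\s+seq=(\d+)\s+ack=(\d+).*?win=(\d+)")
PAYLOAD_RE = re.compile(r"Payload:\s+(\S+)")


def parse_alert(text):
    """Pull the fields that matter for backscatter triage out of a Snort detailed alert block."""
    ip, tcp, pl = IP_RE.search(text), TCP_RE.search(text), PAYLOAD_RE.search(text)
    if not (ip and tcp):
        return None
    flags = tcp.group(3)  # Snort prints only the set flags as letters, e.g. ***A*R**
    return {
        "src": ip.group(1), "dst": ip.group(2),
        "sport": int(tcp.group(1)), "dport": int(tcp.group(2)),
        "syn": "S" in flags, "ack": "A" in flags, "rst": "R" in flags,
        "seq": int(tcp.group(4)), "ackno": int(tcp.group(5)), "win": int(tcp.group(6)),
        "payload": pl.group(1) if pl else "unknown",
    }


def classify(a):
    """Return ('backscatter', reason) when the packet looks like a reply to a spoofed SYN, else ('other', reason)."""
    if a is None:
        return ("other", "unparsed alert")
    # A SYN flood's victim answers the spoofed source with SYN/ACK (port open) or RST/ACK (port closed).
    # Either way the reply carries the ACK bit and no data.
    is_reply = a["ack"] and (a["syn"] or a["rst"])
    if not is_reply or a["payload"] not in ("none", "unknown"):
        return ("other", "not an empty SYN/ACK or RST/ACK reply")
    # The reply's source port is the flooded service (80 here); its destination port is whatever the
    # attacker wrote into the forged SYN, port 0 included, which is why the port-0 rule fires on it.
    reason = f"reply from service port {a['sport']} to port {a['dport']}, no payload"
    if a["rst"] and a["seq"] == 0 and a["win"] == 0:
        reason += "; RST with seq=0/win=0, as sent in answer to an unexpected SYN"
    return ("backscatter", reason)
```

Run over a day of port-0 alerts, the source addresses it labels as backscatter are the real flood victims, not hosts scanning you.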