[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

To: <incidents@xxxxxxxxxxxxxxxxx>, "Tomasz Papszun" <tomek-incid@xxxxxxxxxxxx>
Subject: Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)
From: "Chris" <christian.ritter@xxxxxxxxxxxxxxxx>
Date: Fri, 20 Dec 2002 21:53:16 +0100
Delivered-to: mailing list incidents@xxxxxxxxxxxxxxxxx
Delivered-to: moderator for incidents@xxxxxxxxxxxxxxxxx
Delivery-date: Fri, 31 Jan 2003 21:01:28 +0100
Envelope-to: incidents@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
List-help: <mailto:incidents-help@securityfocus.com>
List-id: <incidents.list-id.securityfocus.com>
List-post: <mailto:incidents@securityfocus.com>
List-subscribe: <mailto:incidents-subscribe@securityfocus.com>
List-unsubscribe: <mailto:incidents-unsubscribe@securityfocus.com>
Mailing-list: contact incidents-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20030129104653.GA21157@xxxxxxxxxx> <14021.1043897496@xxxxxxxxxxxxxxxxxxxxxx> <20030130180351.GZ14273@xxxxxxxxxxxx>

The Same at my network here in germany.
Has anybody an idea?

Regards Chris


----- Original Message -----
From: "Tomasz Papszun" <tomek-incid@xxxxxxxxxxxx>
To: <incidents@xxxxxxxxxxxxxxxxx>
Sent: Thursday, January 30, 2003 7:03 PM
Subject: Packets from 255.255.255.255(80) (was: Packet from port 80 with
spoofed microsoft.com ip)


> On Thu, 30 Jan 2003 at 14:31:36 +1100, Keith Owens wrote:
> > On Wed, 29 Jan 2003 21:46:53 +1100,
> > Michael Rowe <mrowe@xxxxxxxxxx> wrote:
> > >I received a packet on my cable modem today, allegedly from
> > >microsoft.com:
> > >
> > >18:41:35.663374 207.46.249.190.80 > my.cable.modem.ip.1681:
S866282571:866282571(0) ack 268566529 win 16384 <mss 1460>
> >
> > I am seeing a lot of sync/ack packets from port 80 to non-existent
> > addresses on my networks.  Somebody is spoofing source addresses to
> > attack hosts, we are just innocent victims.  When will ISPs learn that
> > they should filter their customer's packets to prevent spoofing?  I am
> > even seeing syn/ack packets from 255.255.255.255:80!
> >
>
> Similarly at my networks.
> Yesterday evening (Jan 29 21:10 GMT+1) a very noticeable stream of such
> packets started to come into my networks.
>
> All are TCP, from 255.255.255.255(80), destined to various random
> addresses (even not used) to various port numbers.
>
> This appearance is very noticeable. Before yesterday, single packets
> from 255.255.255.255 were coming in rate about one for three weeks.
> Since yesterday there have been about 1680 for 22 hours.
>
> --
>  Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
>  tomek@xxxxxxxxxxxx   http://www.lodz.tpsa.pl/   | ones and zeros.
>
> --------------------------------------------------------------------------
--
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Prev by Date: What constitutes authorized server access? - was Re: RPAT - Realtime Proxy Abuse Triangulation
Previous by thread: MS IIS 5 server is hacked leaving undeletable folders and files
Index(es):
- Date
- Thread