The Same at my network here in germany.
Has anybody an idea?
Regards Chris
----- Original Message -----
From: "Tomasz Papszun" <tomek-incid (at) lodz.tpsa (dot) pl [email concealed]>
To: <incidents (at) securityfocus (dot) com [email concealed]>
Sent: Thursday, January 30, 2003 7:03 PM
Subject: Packets from 255.255.255.255(80) (was: Packet from port 80 with
spoofed microsoft.com ip)
> On Thu, 30 Jan 2003 at 14:31:36 +1100, Keith Owens wrote:
> > On Wed, 29 Jan 2003 21:46:53 +1100,
> > Michael Rowe <mrowe (at) mojain (dot) com [email concealed]> wrote:
> > >I received a packet on my cable modem today, allegedly from
> > >microsoft.com:
> > >
> > >18:41:35.663374 207.46.249.190.80 > my.cable.modem.ip.1681:
S866282571:866282571(0) ack 268566529 win 16384 <mss 1460>
> >
> > I am seeing a lot of sync/ack packets from port 80 to non-existent
> > addresses on my networks. Somebody is spoofing source addresses to
> > attack hosts, we are just innocent victims. When will ISPs learn that
> > they should filter their customer's packets to prevent spoofing? I am
> > even seeing syn/ack packets from 255.255.255.255:80!
> >
>
> Similarly at my networks.
> Yesterday evening (Jan 29 21:10 GMT+1) a very noticeable stream of such
> packets started to come into my networks.
>
> All are TCP, from 255.255.255.255(80), destined to various random
> addresses (even not used) to various port numbers.
>
> This appearance is very noticeable. Before yesterday, single packets
> from 255.255.255.255 were coming in rate about one for three weeks.
> Since yesterday there have been about 1680 for 22 hours.
>
> --
> Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
> tomek (at) lodz.tpsa (dot) pl [email concealed] http://www.lodz.tpsa.pl/ | ones and zeros.
>
> ------------------------------------------------------------------------
--
--
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>
------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Has anybody an idea?
Regards Chris
----- Original Message -----
From: "Tomasz Papszun" <tomek-incid (at) lodz.tpsa (dot) pl [email concealed]>
To: <incidents (at) securityfocus (dot) com [email concealed]>
Sent: Thursday, January 30, 2003 7:03 PM
Subject: Packets from 255.255.255.255(80) (was: Packet from port 80 with
spoofed microsoft.com ip)
> On Thu, 30 Jan 2003 at 14:31:36 +1100, Keith Owens wrote:
> > On Wed, 29 Jan 2003 21:46:53 +1100,
> > Michael Rowe <mrowe (at) mojain (dot) com [email concealed]> wrote:
> > >I received a packet on my cable modem today, allegedly from
> > >microsoft.com:
> > >
> > >18:41:35.663374 207.46.249.190.80 > my.cable.modem.ip.1681:
S866282571:866282571(0) ack 268566529 win 16384 <mss 1460>
> >
> > I am seeing a lot of sync/ack packets from port 80 to non-existent
> > addresses on my networks. Somebody is spoofing source addresses to
> > attack hosts, we are just innocent victims. When will ISPs learn that
> > they should filter their customer's packets to prevent spoofing? I am
> > even seeing syn/ack packets from 255.255.255.255:80!
> >
>
> Similarly at my networks.
> Yesterday evening (Jan 29 21:10 GMT+1) a very noticeable stream of such
> packets started to come into my networks.
>
> All are TCP, from 255.255.255.255(80), destined to various random
> addresses (even not used) to various port numbers.
>
> This appearance is very noticeable. Before yesterday, single packets
> from 255.255.255.255 were coming in rate about one for three weeks.
> Since yesterday there have been about 1680 for 22 hours.
>
> --
> Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
> tomek (at) lodz.tpsa (dot) pl [email concealed] http://www.lodz.tpsa.pl/ | ones and zeros.
>
> ------------------------------------------------------------------------
--
--
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>
------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
[ reply ]