I saw these packets as well, 814 of them over a 24 hour period starting
on the 29th. The inbound ACL on the Cisco stopped them.
Jan 30 11:27:36 cahe-prosser 4951: 1w6d: %SEC-6-IPACCESSLOGP: list 165
denied tcp 255.255.255.255(80) -> aaa.www.xxx.yyy(27127), 1 packet
You are right that they do not make sense. They hit the entire range of
IP's in a fairly random order and random ports. The old smurf style
attacks used to take this form but targeted specific ports such as 19.
Guy
On Fri, 31 Jan 2003, Peter Triller wrote:
> >I am seeing a lot of sync/ack packets from port 80 to non-existent
> >addresses on my networks. Somebody is spoofing source addresses to
> >attack hosts, we are just innocent victims. When will ISPs learn that
> >they should filter their customer's packets to prevent spoofing? I am
> > even seeing syn/ack packets from 255.255.255.255:80!
>
> I cant see much reason in such packets, since they wont give any feedback.
> sport 80 is obviously to bypass some firewalls.
> But if he doesnt get feedback only 2 reasons pop into mind:
> - an attack similar to the worm , but the random ports don't make sense then
> - a very badly configured and/or broken piece of software/hadware.
>
>
>
> Peter
>
>
> ------------------------------------------------------------------------
----
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
I saw these packets as well, 814 of them over a 24 hour period starting
on the 29th. The inbound ACL on the Cisco stopped them.
Jan 30 11:27:36 cahe-prosser 4951: 1w6d: %SEC-6-IPACCESSLOGP: list 165
denied tcp 255.255.255.255(80) -> aaa.www.xxx.yyy(27127), 1 packet
You are right that they do not make sense. They hit the entire range of
IP's in a fairly random order and random ports. The old smurf style
attacks used to take this form but targeted specific ports such as 19.
Guy
On Fri, 31 Jan 2003, Peter Triller wrote:
> >I am seeing a lot of sync/ack packets from port 80 to non-existent
> >addresses on my networks. Somebody is spoofing source addresses to
> >attack hosts, we are just innocent victims. When will ISPs learn that
> >they should filter their customer's packets to prevent spoofing? I am
> > even seeing syn/ack packets from 255.255.255.255:80!
>
> I cant see much reason in such packets, since they wont give any feedback.
> sport 80 is obviously to bypass some firewalls.
> But if he doesnt get feedback only 2 reasons pop into mind:
> - an attack similar to the worm , but the random ports don't make sense then
> - a very badly configured and/or broken piece of software/hadware.
>
>
>
> Peter
>
>
> ------------------------------------------------------------------------
----
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
[ reply ]