
Re: Ip spoof from 0.0.0.0

From: Crist J. Clark <crist.clark(at)attbi.com>
Date: Wed Nov 06 2002 - 02:14:23 EST

On Tue, Nov 05, 2002 at 12:15:05AM -0700, Mike Lewinski wrote:
> A few more data points:

Huh? We still talking about TCP SYN packets from 0.0.0.0 source address to 445/tcp? If the source address is 0.0.0.0, i.e. an address that a response (if the receiver is even broken enough to send a response in the first place) can never get to, how can an "attacker" ever hope to deliver a payload? You can't finish the TCP handshake.

If this is a scanner or DoS attempt of some kind, the tool doing it is broken (*shock* broken k1dd13 t00lz?). There is no way it can do either.

These remind me of those,

  255.255.255.255:31337 -> a.b.c.d:515

SYN packets you still see from time to time. More amusing than anything else. If anyone really knows what generates any of these, I'd love to know, but I'm not losing any sleep over it.

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     
cjc(at)freebsd.org

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com
Received on Wed Nov 6 12:33:41 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:50 EDT
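
Added example, not part of the original message or the archive: a small filter that picks out SYN records whose source address can never receive the SYN-ACK, which is the reason given above that the handshake cannot finish. The log format (the "src:port -> dst:port" form from the message plus a trailing flag field), the function names and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample records: "src:port -> dst:port FLAGS" (assumed format).
SAMPLE_LOG = """\
0.0.0.0:1025 -> 192.0.2.10:445 S
255.255.255.255:31337 -> 192.0.2.10:515 S
198.51.100.7:40112 -> 192.0.2.10:445 S
224.0.0.1:2000 -> 192.0.2.10:80 S
198.51.100.7:40112 -> 192.0.2.10:445 A
not-an-ip:1 -> 192.0.2.10:445 S
"""

LINE_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) (\S+)$")
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def unanswerable_reason(src):
    """Return why a reply to src can never reach one sender, or None."""
    try:
        addr = ipaddress.IPv4Address(src)
    except ValueError:
        return None  # unparseable source field: leave it to other checks
    if addr.is_unspecified:
        return "unspecified source (0.0.0.0)"
    if addr == LIMITED_BROADCAST:
        return "limited broadcast source"
    if addr.is_multicast:
        return "multicast source"
    if addr.is_loopback:
        return "loopback source seen on the wire"
    return None


def flag_unanswerable_syns(log_text):
    """Return (src, dst_port, reason) for SYNs that cannot be answered."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(5) != "S":  # skip noise and non-SYN records
            continue
        reason = unanswerable_reason(m.group(1))
        if reason:
            findings.append((m.group(1), int(m.group(4)), reason))
    return findings


if __name__ == "__main__":
    for src, dport, reason in flag_unanswerable_syns(SAMPLE_LOG):
        print(f"{src} -> {dport}/tcp: {reason}")
```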
