
Re: Packet from port 80 with spoofed microsoft.com ip

From: Kurt Seifried <bt(at)seifried.org>
Date: Thu Jan 30 2003 - 14:34:56 EST

It's great to see a high level of professionalism here. Several explanations come to mind:

One of Microsoft's broken load balancers is back at work. These things were infamous for sending packets hours and even days after you ran windowsupdate.

You did create an outgoing connection, but you weren't at home? How can this be? Perhaps you sent or received email. Or someone spoofed your IP address while attacking Microsoft. Or someone spoofed Microsoft. Or it's a badly configured nmap attempt.

Seriously, who cares, it's an ACK packet. If I complained about every spurious "attack" my systems received, with only 10 seconds needed to fully respond to each attack (investigate, research, prepare a summary and email it to the right people) I'd have to hire a small army of Rhesus monkeys, as well as 4 guys to clean out their cages.

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Fri Jan 31 12:35:47 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:56 EDT

