Hosting Provided By

RE: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

From: <greg(at)optionsinternet.com>
Date: Thu Jan 30 2003 - 16:29:24 EST

Today we have been receiving on average 380,000 requests an hour TO 255.255.255.255 FROM random IPs. I performed a reverse DNS query on a sample of 200 hosts, 2 of which came back with hostnames. A ping scan of the very same 200 hosts showed that only around 20 were *active*.

I contacted our ISP and was told that this traffic was "normal".

Has anyone else seen any similar requests?

Regards

Greg Bolshaw

Original Message:

From: Tomasz Papszun tomek-incid@lodz.tpsa.pl Date: Thu, 30 Jan 2003 19:03:51 +0100
To: incidents@securityfocus.com
Subject: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

On Thu, 30 Jan 2003 at 14:31:36 +1100, Keith Owens wrote:
> On Wed, 29 Jan 2003 21:46:53 +1100,
S866282571:866282571(0) ack 268566529 win 16384 <mss 1460>
>
> I am seeing a lot of sync/ack packets from port 80 to non-existent

Do you need help?

All are TCP, from 255.255.255.255(80), destined to various random addresses (even not used) to various port numbers.

This appearance is very noticeable. Before yesterday, single packets from 255.255.255.255 were coming in rate about one for three weeks. Since yesterday there have been about 1680 for 22 hours.

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 
tomek(at)lodz.tpsa.pl   
http://www.lodz.tpsa.pl/   | ones and zeros.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com


--------------------------------------------------------------------
mail2web - Check your email from the web at
http://mail2web.com/ .



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com

Received on Fri Jan 31 14:24:46 2003

This message: [ Message body ]
Next message: Larsen, Colin: "RE: Packet from port 80 with spoofed microsoft.com ip"
Previous message: Peter Snell: "klez variant??"
Maybe in reply to: Tomasz Papszun: "Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)"
In reply to Keith Owens: "Re: Packet from port 80 with spoofed microsoft.com ip"
Next in thread: David Gillett: "RE: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)"
Reply: David Gillett: "RE: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)"
Reply: Russell Fulton: "Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:56 EDT