Hosting Provided By

RE: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

From: Loki <loki(at)fatelabs.com>
Date: Thu Jan 30 2003 - 20:58:12 EST

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

That's really sad. You would think if they aren't going to do any "advanced" filtering, they would at least filter broadcast packets from network ingress. I've even seen ISP's allowing RFC1918 addresses in *sigh*

ESH

Eric Hines
Chairman, CEO, President
Applied Watch Technologies
"Innovations in Threat Management Technology Through Web to Desktop Convergence"

- -----------------------------------------------------
[w] 
http://www.appliedwatch.com

[e] eric.hines@appliedwatch.com
[p] (412) 303-3115

- -----------------------------------------------------

[a] Applied Watch Technologies

149 Rossmor Court
Pittsburgh, PA. 15229

- -----------------------------------------------------

This transmission may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you.

-----Original Message----- From: Tomasz Papszun [mailto:tomek-incid@lodz.tpsa.pl] Sent: Thursday, January 30, 2003 12:04 PM To: incidents@securityfocus.com Subject: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

On Thu, 30 Jan 2003 at 14:31:36 +1100, Keith Owens wrote:
> On Wed, 29 Jan 2003 21:46:53 +1100,

Similarly at my networks.
Yesterday evening (Jan 29 21:10 GMT+1) a very noticeable stream of such packets started to come into my networks.

All are TCP, from 255.255.255.255(80), destined to various random addresses (even not used) to various port numbers.

Do you need help?

This appearance is very noticeable. Before yesterday, single packets from 255.255.255.255 were coming in rate about one for three weeks. Since yesterday there have been about 1680 for 22 hours.

-- Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only tomek(at)lodz.tpsa.pl http://www.lodz.tpsa.pl/ | ones and zeros.
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPjnXxorSwundLmFJEQI8SwCgosnRcBFAGXWKrBBJGVjDbcOa9hgAoJ8g 7wWDgEc9IdeTO0+g5T4M5wLW
=coF2
-----END PGP SIGNATURE-----

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Fri Jan 31 14:46:21 2003

This message: [ Message body ]
Next message: Stephen A. Santos: "RE: klez variant??"
Previous message: Gary Flynn: "Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)"
In reply to: Tomasz Papszun: "Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)"
In reply to Keith Owens: "Re: Packet from port 80 with spoofed microsoft.com ip"
Next in thread: Chris: "Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)"
Reply: Chris: "Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:56 EDT