Pantek Library

RE: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

From: David Gillett <gillettdavid(at)fhda.edu>
Date: Fri Jan 31 2003 - 14:55:46 EST

1. It seems to me that packets with that destination address are going to be routable to your network from only a small number of nearby networks -- probably only the local network itself.

Conclusion: The random source addresses are spoofed.

Test: Look at the source MAC addresses. If these are all the MAC address of your gateway router's interface, then someone has found a way to route into your network (or the MAC address is *also* being spoofed...). Otherwise, that should have good odds of leading you to the internal machine that is spewing these.

2. You haven't said whether these were TCP or UDP, but since TCP to a broadcast address can't possibly hope to ever establish a connection, either the person behind this doesn't understand how it works (improving the odds that the MAC address isn't spoofed...), or the packets must be self-contained attacks (more likely with UDP, although I don't know why anything would ever be listening on UDP port 80...).

David Gillett

> -----Original Message-----
> From: greg@optionsinternet.com [mailto:greg@optionsinternet.com]
> Sent: January 30, 2003 13:29
> To: incidents@securityfocus.com
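
The source-MAC test described in the message above, as an added example that is not part of the original post: it groups frames addressed to 255.255.255.255 by source MAC and protocol and compares the MACs with the gateway's. The gateway MAC, the sample frames, and the function names `parse_frame`, `triage` and `build_frame` are all constructed for illustration.

```python
import struct
from collections import Counter

GATEWAY_MAC = "00:11:22:33:44:55"  # assumption: constructed gateway interface MAC
BROADCAST_IP = "255.255.255.255"

def parse_frame(frame):
    """Return (src_mac, src_ip, dst_ip, proto) for an IPv4 TCP/UDP Ethernet frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # too short or not IPv4
        return None
    proto = {6: "tcp", 17: "udp"}.get(frame[23])
    if proto is None:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    src_ip = ".".join(map(str, frame[26:30]))
    dst_ip = ".".join(map(str, frame[30:34]))
    return src_mac, src_ip, dst_ip, proto

def triage(frames, gateway_mac=GATEWAY_MAC):
    """Group frames sent to the limited broadcast address by source MAC and protocol."""
    macs, protos = Counter(), Counter()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed and parsed[2] == BROADCAST_IP:
            macs[parsed[0]] += 1
            protos[parsed[3]] += 1
    if not macs:
        verdict = "no-broadcast-traffic"
    elif set(macs) == {gateway_mac}:
        # Routed in from outside, or the MAC is spoofed too (the message's caveat).
        verdict = "all-from-gateway"
    else:
        # A non-gateway MAC is the lead to follow to the internal host.
        verdict = "internal-host-candidate"
    return verdict, macs, protos

def build_frame(src_mac, src_ip, proto):
    """Constructed sample frame: Ethernet + IPv4 + 8 bytes of L4 header, dst port 80."""
    eth = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), b"\xff" * 4)
    return eth + ip + struct.pack("!HHHH", 1025, 80, 8, 0)

# Constructed capture: random-looking source IPs, one non-gateway source MAC.
SAMPLE = [build_frame("00:0c:29:aa:bb:cc", ip, 17)
          for ip in ("203.0.113.7", "198.51.100.23", "192.0.2.99")]

if __name__ == "__main__":
    verdict, macs, protos = triage(SAMPLE)
    print(verdict, dict(macs), dict(protos))
```

The protocol counter covers the second point in the message: a capture that is all TCP to a broadcast address can never complete a handshake, while UDP frames can each carry a complete payload.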



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Sun Feb 2 11:24:45 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:57 EDT

