
RE: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

From: Joel Tyson <jtyson(at)pa.eplus.com>
Date: Fri Jan 31 2003 - 14:38:38 EST


I was receiving those yesterday, but not many today. Has anyone been getting ICMP echo requests from strange addresses? This past week on a couple of my firewalls, I am getting a cluster of ICMP packets all sent at the same time from different ISPs. I doubt it is a DDoS; one of the addresses is even NASA. Here is a sample:

2003-01-30 08:37:52 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 63.218.7.130 on interface 0
2003-01-30 08:37:52 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 208.185.54.14 on interface 0
2003-01-30 08:37:52 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 64.15.251.198 on interface 0
2003-01-30 08:37:52 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 64.0.96.12 on interface 0
2003-01-30 08:37:52 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 64.14.117.10 on interface 0
2003-01-30 08:37:52 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 64.35.7.130 on interface 0
2003-01-30 08:37:52 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 208.184.139.82 on interface 0
2003-01-30 08:37:52 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 64.124.186.66 on interface 0
2003-01-30 08:37:52 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 213.61.6.2 on interface 0
2003-01-30 08:37:52 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 208.185.219.166 on interface 0
2003-01-30 08:37:52 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 66.28.255.130 on interface 0
2003-01-30 08:38:02 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 63.218.7.130 on interface 0
2003-01-30 08:38:02 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 208.185.54.14 on interface 0
2003-01-30 08:38:02 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 64.0.96.12 on interface 0
2003-01-30 08:38:02 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 64.14.117.10 on interface 0
2003-01-30 08:38:02 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 208.184.139.82 on interface 0
2003-01-30 08:38:02 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 64.35.7.130 on interface 0
2003-01-30 08:38:02 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 64.124.186.66 on interface 0
2003-01-30 08:38:02 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 213.61.6.2 on interface 0
2003-01-30 08:38:02 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 208.185.219.166 on interface 0
2003-01-30 08:38:03 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 66.28.255.130 on interface 0
2003-01-30 08:38:12 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 63.218.7.130 on interface 0
2003-01-30 08:38:12 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 208.185.54.14 on interface 0
2003-01-30 08:38:12 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 64.15.251.198 on interface 0
2003-01-30 08:38:12 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 64.0.96.12 on interface 0
2003-01-30 08:38:12 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 64.14.117.10 on interface 0
2003-01-30 08:38:12 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 208.184.139.82 on interface 0
2003-01-30 08:38:12 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 64.124.186.66 on interface 0
2003-01-30 08:38:12 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 64.35.7.130 on interface 0
2003-01-30 08:38:12 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 213.61.6.2 on interface 0
2003-01-30 08:38:12 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 208.185.219.166 on interface 0

Thanks,
Joel
Network Security Analyst

-----Original Message-----
From: greg@optionsinternet.com [mailto:greg@optionsinternet.com]
Sent: Thursday, January 30, 2003 4:29 PM
To: incidents@securityfocus.com
Cc: hasan@hasan.org; tomek-incid@lodz.tpsa.pl
Subject: RE: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

Today we have been receiving on average 380,000 requests an hour TO 255.255.255.255 FROM random IPs. I performed a reverse DNS query on a sample of 200 hosts, 2 of which came back with hostnames. A ping scan of the very same 200 hosts showed that only around 20 were *active*.

I contacted our ISP and was told that this traffic was "normal".

Has anyone else seen any similar requests?

Regards

Greg Bolshaw

Original Message:



From: Tomasz Papszun tomek-incid@lodz.tpsa.pl
Date: Thu, 30 Jan 2003 19:03:51 +0100
To: incidents@securityfocus.com
Subject: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

On Thu, 30 Jan 2003 at 14:31:36 +1100, Keith Owens wrote:
> On Wed, 29 Jan 2003 21:46:53 +1100,
> Michael Rowe <mrowe@mojain.com> wrote:
> >I received a packet on my cable modem today, allegedly from
> >microsoft.com:
> >
> >18:41:35.663374 207.46.249.190.80 > my.cable.modem.ip.1681:
> >S866282571:866282571(0) ack 268566529 win 16384 <mss 1460>
>
> I am seeing a lot of sync/ack packets from port 80 to non-existent

Similarly at my networks.
Yesterday evening (Jan 29 21:10 GMT+1) a very noticeable stream of such packets started to come into my networks.

All are TCP, from 255.255.255.255(80), destined to various random addresses (even unused ones) and to various port numbers.

This appearance is very noticeable. Before yesterday, single packets from 255.255.255.255 were coming in at a rate of about one every three weeks. Since yesterday there have been about 1680 in 22 hours.

--
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 tomek(at)lodz.tpsa.pl   http://www.lodz.tpsa.pl/   | ones and zeros.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Received on Sun Feb 2 11:25:31 2003
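
Added example (not part of the original thread): one way to check whether denied ICMP echo requests like those quoted above arrive in synchronized bursts from a recurring set of sources. The excerpt is a subset of the log lines from the post; the function names and the 2-second grouping gap are assumptions.

```python
import re
from datetime import datetime, timedelta

# Excerpt (subset of sources) of the PIX syslog lines quoted in the post.
SAMPLE = """\
2003-01-30 08:37:52 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 63.218.7.130 on interface 0
2003-01-30 08:37:52 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 208.185.54.14 on interface 0
2003-01-30 08:37:52 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 66.28.255.130 on interface 0
2003-01-30 08:38:02 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 63.218.7.130 on interface 0
2003-01-30 08:38:02 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 208.185.54.14 on interface 0
2003-01-30 08:38:03 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 66.28.255.130 on interface 0
2003-01-30 08:38:12 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 63.218.7.130 on interface 0
2003-01-30 08:38:12 Local7.Error PIX2.ems.net Denied ICMP type=8, code=0 from 208.185.54.14 on interface 0
"""

LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ \S+ "
    r"Denied ICMP type=(\d+), code=(\d+) from (\d+\.\d+\.\d+\.\d+) on interface")

def parse(text):
    """Yield (timestamp, icmp_type, source_ip) for each denied-ICMP line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"), int(m[2]), m[4]

def bursts(events, gap=timedelta(seconds=2), min_sources=2):
    """Group echo requests (type 8) into runs with no pause longer than `gap`;
    keep runs with at least `min_sources` distinct senders."""
    runs, cur = [], []
    for ts, icmp_type, src in sorted(events):
        if icmp_type != 8:
            continue
        if cur and ts - cur[-1][0] > gap:
            runs.append(cur)
            cur = []
        cur.append((ts, src))
    if cur:
        runs.append(cur)
    sets = [(run[0][0], {src for _, src in run}) for run in runs]
    return [(start, srcs) for start, srcs in sets if len(srcs) >= min_sources]

def summarize(text):
    """Report burst count, seconds between burst starts, and sources in every burst."""
    found = bursts(parse(text))
    starts = [start for start, _ in found]
    intervals = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    recurring = set.intersection(*(s for _, s in found)) if found else set()
    return {"bursts": len(found), "intervals": intervals, "recurring": sorted(recurring)}
```

The line logged at 08:38:03 is folded into the 08:38:02 burst by the grouping gap, so the burst spacing stays at a constant 10 seconds.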

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:57 EDT

