Fwd: Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)

From: Dave Laird <dlaird(at)kharma.net>
Date: Fri Jan 31 2003 - 15:57:00 EST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Good morning, everyone...

Subject: Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)
Date: 31 Jan 2003 12:45:29 +1300
From: Russell Fulton <r.fulton@auckland.ac.nz>
To: Tomasz Papszun <tomek-incid@lodz.tpsa.pl>
Cc: incidents@securityfocus.com

On Fri, 2003-01-31 at 07:03, Tomasz Papszun wrote:
> Similarly at my networks.

We are also seeing these, tcp flags are RST+ACK seq number and window size both zero and varying Ack and ttl. Not all addresses in our net are being hit, in one /24 I checked only two addresses have been probed.

While I do not claim that what I am about to suggest has any bearing on similar incidents taking place, yesterday and the day before I saw a huge number of these packets on a DSL-attached network.

Here is one sample: [pardon the line wrap]

Jan 30 07:14:54 home kernel: Bad packet rejected=eth1 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:30:66:00:35:49:08:00 SRC=000.000.000.000
DST=255.255.255.255 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=47753 PROTO=TCP
SPT=28149 DPT=80 WINDOW=0 RES=0x00 RST URGP=0

Some things I noticed right off:

  1. The MAC addresses changed almost as if they were at will and even included ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff, which is really odd, since I don't believe it can do that. <no flames please, as I'm always learning>
  2. All the packets targeted port 80
  3. The address, for the most part (which is deleted from the sample), happens to be a server and is broadcasting to the entire network, thus creating a substantial flood.

Someone told me this morning that this may be an unpatched XP workstation running MS-Access, which seemed pretty odd, too. However, then I read up on the MSDE and it does seem possible. Thoughts, anyone?

Dave
- --
Dave Laird (Dave@kharma.net)
The Used Kharma Lot / The Phoenix Project
Web Page: http://www.kharma.net updated 01/20/2003
Year 2 of running Mandrake Linux workstation on a 100% Microsoft-free system.

An automatic & random thought For the Minute: Murphy's Law is recursive. Washing your car to make it rain doesn't work.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+OuMdaE1ENZP1A28RAoRLAJ4uRr/hWC3gYo2hY1kgPxA4N4KgMgCfVJzk
ZVc9EW7JBpNyZ+RKEAmRDr8=
=JMli
-----END PGP SIGNATURE-----
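As an added example that is not part of Dave's post or of the thread, here is a small parser for the iptables/netfilter LOG format of the sample above, with a check that flags the traffic the thread is about (TCP, RST set, zero window, port 80 on one end, 255.255.255.255 as source or destination). The first sample line is the posted entry re-joined onto one line; the other two are constructed for this example. The MAC= decode rests on how netfilter writes that field: the raw 14-byte Ethernet header, i.e. destination MAC, source MAC, then the EtherType (0800 is IPv4), which is why a frame logged with ff:ff:ff:ff:ff:ff in the first six octets is a link-layer broadcast rather than a malformed address. The parser keys only on KEY=VALUE tokens and bare flag words, so it tolerates the posted line's "rejected=eth1" prefix as well as the stock "IN=eth1" form.

```python
"""Parse netfilter LOG lines and flag broadcast RST probes (added example).
Only the first SAMPLE_LINES entry is from the post; the others are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Tokens netfilter LOG emits without a value: TCP flags and IP header flags.
BARE_FLAG_TOKENS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG", "DF", "MF", "CE"}
LIMITED_BROADCAST = "255.255.255.255"


@dataclass
class NetfilterEntry:
    raw: str
    fields: Dict[str, str] = field(default_factory=dict)
    flags: Set[str] = field(default_factory=set)

    def get_int(self, key: str) -> Optional[int]:
        value = self.fields.get(key)
        return int(value) if value is not None and value.isdigit() else None


def parse_netfilter_line(line: str) -> NetfilterEntry:
    """Split a LOG line into KEY=VALUE fields and bare flag tokens.
    Syslog timestamp, host and any log prefix words are simply skipped."""
    entry = NetfilterEntry(raw=line)
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)  # "OUT=" yields an empty value
            entry.fields[key] = value
        elif token in BARE_FLAG_TOKENS:
            entry.flags.add(token)
    return entry


def decode_mac_field(mac_field: str) -> Tuple[str, str, str]:
    """MAC= carries the Ethernet header: 6 destination octets, 6 source octets,
    2 EtherType octets. Returns (dst_mac, src_mac, ethertype_hex)."""
    octets = mac_field.split(":")
    if len(octets) != 14:
        raise ValueError(f"unexpected MAC field length: {mac_field}")
    return ":".join(octets[0:6]), ":".join(octets[6:12]), "".join(octets[12:14])


def is_broadcast_rst_probe(entry: NetfilterEntry) -> bool:
    """The thread's pattern: TCP RST, window 0, port 80 on either side,
    and the limited-broadcast address as source or destination."""
    if entry.fields.get("PROTO") != "TCP" or "RST" not in entry.flags:
        return False
    if entry.get_int("WINDOW") != 0:
        return False
    if 80 not in (entry.get_int("SPT"), entry.get_int("DPT")):
        return False
    return LIMITED_BROADCAST in (entry.fields.get("SRC"), entry.fields.get("DST"))


def find_broadcast_rst_probes(lines: List[str]) -> List[NetfilterEntry]:
    return [e for e in map(parse_netfilter_line, lines) if is_broadcast_rst_probe(e)]


SAMPLE_LINES = [
    # From the post, re-joined onto one line (SRC was redacted by the poster).
    "Jan 30 07:14:54 home kernel: Bad packet rejected=eth1 OUT= "
    "MAC=ff:ff:ff:ff:ff:ff:00:30:66:00:35:49:08:00 SRC=000.000.000.000 "
    "DST=255.255.255.255 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=47753 PROTO=TCP "
    "SPT=28149 DPT=80 WINDOW=0 RES=0x00 RST URGP=0",
    # Constructed: RST+ACK from 255.255.255.255:80 with zero window, as Russell describes.
    "Jan 30 07:15:02 home kernel: IN=eth1 OUT= "
    "MAC=00:30:66:00:35:49:00:50:ba:11:22:33:08:00 SRC=255.255.255.255 "
    "DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=9571 PROTO=TCP "
    "SPT=80 DPT=3421 WINDOW=0 RES=0x00 ACK RST URGP=0",
    # Constructed: an ordinary outbound web request, must not match.
    "Jan 30 07:15:07 home kernel: IN=eth1 OUT= "
    "MAC=00:30:66:00:35:49:00:50:ba:11:22:33:08:00 SRC=192.0.2.10 "
    "DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP "
    "SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for hit in find_broadcast_rst_probes(SAMPLE_LINES):
        dst_mac, src_mac, ethertype = decode_mac_field(hit.fields["MAC"])
        print(f"{hit.fields['SRC']}:{hit.fields['SPT']} -> "
              f"{hit.fields['DST']}:{hit.fields['DPT']} flags={sorted(hit.flags)} "
              f"ttl={hit.fields['TTL']} dst_mac={dst_mac} src_mac={src_mac} type=0x{ethertype}")
```

Run it against a real /var/log/messages by feeding the file's lines to find_broadcast_rst_probes; the source MAC printed for each hit is the one to chase on the local segment, since the IP source in a broadcast storm like this is not trustworthy.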



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Sun Feb 2 11:33:09 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:57 EDT

