Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip)
From: Tomasz Papszun <tomek-incid(at)lodz.tpsa.pl>
Date: Fri Jan 31 2003 - 15:11:13 EST

On Fri, 31 Jan 2003 at 3:01:49 +0100, Peter Triller wrote:

I may be wrong - if so, please don't hesitate to correct me and explain what happens in such a situation:

Let's say that a router is configured (with ACLs) to deny packets from 255.255.255.255 (that's why I noticed them). Then it sends back an "ICMP unreachable", doesn't it?

BTW, I seem to remember that _not_ sending "ICMP unreachables" is somehow against RFC... Of course security reasons for not sending them may be important (e.g. for hiding some network devices) but _formally_... it's a little not good :-) .

> sport 80 is obviously to bypass some firewalls.

Probably.

> But if he doesn't get feedback only 2 reasons pop into mind:

If my sentences above make some sense, could it be a DDoS founded on a flood of ICMP unreachables?

> - a very badly configured and/or broken piece of software/hardware.
--
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 tomek(at)lodz.tpsa.pl   http://www.lodz.tpsa.pl/ | ones and zeros.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Received on Sun Feb 2 11:49:03 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:57 EDT
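
An added example, not part of the original message: a Python model of the decision the post asks about, whether a filtering router answers an ACL drop with an ICMP unreachable. It assumes the rule in RFC 1122 section 3.2.2 that no ICMP error is sent for a datagram whose source address does not define a single host, plus a token-bucket limit on unreachables; the class name, rates and packet records are constructed for illustration.

```python
import ipaddress
from collections import Counter

class UnreachableResponder:
    """Hypothetical model of a router deciding how to answer an ACL-denied packet."""

    def __init__(self, rate_per_sec=1.0, burst=2):
        self.rate, self.burst = rate_per_sec, burst
        self.tokens, self.last = float(burst), 0.0

    @staticmethod
    def source_is_single_host(src):
        # RFC 1122 3.2.2: zero, loopback, broadcast, multicast and Class E
        # sources never get an ICMP error back.
        a = ipaddress.IPv4Address(src)
        return not (a == ipaddress.IPv4Address("255.255.255.255")
                    or a.is_unspecified or a.is_loopback
                    or a.is_multicast or a.is_reserved)

    def decide(self, ts, src, frag_offset=0):
        if not self.source_is_single_host(src):
            return "silent:bad-source"
        if frag_offset != 0:
            return "silent:non-initial-fragment"
        # Token bucket: refill for the time elapsed, then spend one token per reply.
        self.tokens = min(self.burst, self.tokens + (ts - self.last) * self.rate)
        self.last = ts
        if self.tokens < 1:
            return "silent:rate-limited"
        self.tokens -= 1
        return "icmp-unreachable"

# Constructed sample of ACL drops: (timestamp in seconds, source address, source port).
SAMPLE_DROPS = (
    [(0.1 * i, "255.255.255.255", 80) for i in range(5)]       # the case in the post
    + [(1.0 + 0.01 * i, "192.0.2.10", 80) for i in range(5)]   # unicast source burst
)

def summarize(drops, rate_per_sec=1.0, burst=2):
    """Count what the modelled router does for each dropped packet."""
    router = UnreachableResponder(rate_per_sec, burst)
    return Counter(router.decide(ts, src) for ts, src, _sport in drops)

if __name__ == "__main__":
    for action, count in summarize(SAMPLE_DROPS).items():
        print(f"{action}: {count}")
```
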