Re: Packets from 255.255.255.255(80)

From: Guy Reisenauer <greisen(at)mail.prosser.wsu.edu>
Date: Sun Feb 02 2003 - 15:27:04 EST

I saw these packets as well, 814 of them over a 24 hour period starting on the 29th. The inbound ACL on the Cisco stopped them.

Jan 30 11:27:36 cahe-prosser 4951: 1w6d: %SEC-6-IPACCESSLOGP: list 165 denied tcp 255.255.255.255(80) -> aaa.www.xxx.yyy(27127), 1 packet

You are right that they do not make sense. They hit the entire range of IP's in a fairly random order and random ports. The old smurf style attacks used to take this form but targeted specific ports such as 19.

Guy

On Fri, 31 Jan 2003, Peter Triller wrote:

> >I am seeing a lot of sync/ack packets from port 80 to non-existent

---

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Mon Feb 3 10:46:36 2003