On Thu, 4 Feb 1999, W.C. (Jay) Epperson wrote:
:For about the past month, we've logged occasional TCP packets
:with a source address of 255.255.255.255 on our private network
:backbone. We have not managed to sniff a non-routed packet,
:so we can't identify the source by its MAC address yet.
:
:Can anyone shed any light on what these might be? Generally
:the source port is random non-privileged (>1023) and the
:dest port is 25342, although a few of these have had dest
:port 80. There were also a few with source port 80 and
:dest 50561, 50562, 63331, or 63332. The few captured
:packets all had RST set and empty payload. Destination
:address is always on an outside network.
A source of 255.255.255.255 could cause a packet storm on your network.
If you are seeing consistent source ports, at different times,
they could be using something like queso or nmap to probe your network.
The RST flag being set probably means that someone is attempting to
get OS fingerprints from your hosts. What's interesting is that
these packets don't have a way to get back to their originator, unless
the origin is within the scope of the broadcast response of your network,
i.e. local.
Hope this helped,
-j
--
jamie.reid
Chief Reverse Engineer
Superficial Intelligence Research Division
Defective Technologies
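
The MAC-address tracing the original poster describes can be sketched as below. This is an added example, not part of either message: it parses captured Ethernet II frames and tallies the source MAC of every TCP packet claiming 255.255.255.255 as its source. The frames, MAC addresses and the 192.0.2.10 destination are constructed sample data, and the MAC is only meaningful for frames captured on the sender's own segment, before any router rewrites it.

```python
import struct
from collections import Counter

BROADCAST = b"\xff\xff\xff\xff"  # 255.255.255.255 is never a valid source address

def inspect_frame(frame):
    """Return details of an Ethernet II / IPv4 / TCP frame whose source IP is
    255.255.255.255, or None for anything else (including truncated frames)."""
    if len(frame) < 14 + 20:
        return None
    src_mac = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:  # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                             # IP header length in bytes
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 6 or len(ip) < ihl + 20:
        return None                                      # not a complete TCP segment
    if ip[12:16] != BROADCAST:
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    data_off = (ip[ihl + 12] >> 4) * 4                   # TCP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    return {
        "src_mac": ":".join(f"{b:02x}" for b in src_mac),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
        "sport": sport,
        "dport": dport,
        "rst": bool(ip[ihl + 13] & 0x04),
        "payload_len": total_len - ihl - data_off,
    }

def summarize(frames):
    """Return (matching packets, count of matches per source MAC)."""
    hits = [h for h in map(inspect_frame, frames) if h]
    return hits, Counter(h["src_mac"] for h in hits)

def build_frame(src_mac, src_ip, dst_ip, sport, dport, flags):
    """Build a constructed sample frame; checksums are left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(src_ip), bytes(dst_ip))
    return b"\x02\x00\x00\x00\x00\x01" + bytes(src_mac) + b"\x08\x00" + ip + tcp

# Constructed capture: two spoofed RSTs from one NIC, one ordinary SYN from another.
SAMPLE = [
    build_frame([2, 0, 0, 0, 0, 0xAA], [255] * 4, [192, 0, 2, 10], 40001, 25342, 0x04),
    build_frame([2, 0, 0, 0, 0, 0xAA], [255] * 4, [192, 0, 2, 10], 80, 50561, 0x04),
    build_frame([2, 0, 0, 0, 0, 0xBB], [10, 0, 0, 5], [192, 0, 2, 10], 40002, 80, 0x02),
]
```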