On Mon, 3 May 1999, W.C. (Jay) Epperson wrote:
:For several days, we've seen SYN/ACK packets directed to unused addresses
:within our address space. TCP source port is often a well-known port like
:Telnet, Http, etc. Destination port is generally above 1024, and is mostly
:either 1974 or 1829. At first, the packets were all coming from a single
:network. We suspected that we were the spoofed side of a SYN flood attack
:and notified the other network contact. Later, the traffic from that
:network stopped, and we now see the traffic coming in from a variety of
:outside networks.
:
:The volume is too low to cause us DOS problems, but we're scratching our
:heads as to what this is about. Any clues?
Your guess about being a spoofed source is a good one as it's possible
that the perp is just scanning other networks now.
There are some more esoteric possibilities, but that sounds about
right.
--
batz
Chief Reverse Engineer
Superficial Intelligence Research Division
Defective Technologies
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
