On 3 May 99, at 17:29, batz wrote:
> On Mon, 3 May 1999, W.C. (Jay) Epperson wrote:
>
> :For several days, we've seen SYN/ACK packets directed to unused addresses
> :within our address space. TCP source port is often a well-known port like
> :Telnet, Http, etc. Destination port is generally above 1024, and is mostly
> :either 1974 or 1829. At first, the packets were all coming from a single
> :network. We suspected that we were the spoofed side of a SYN flood attack
> :and notified the other network contact. Later, the traffic from that
> :network stopped, and we now see the traffic coming in from a variety of
> :outside networks.
> :
> :The volume is too low to cause us DOS problems, but we're scratching our
> :heads as to what this is about. Any clues?
>
> Your guess about being a spoofed source is a good one as it's possible
> that the perp is just scanning other networks now.
>
> There are some more esoteric possibilities, but that sounds about
> right.

We saw some traffic a bit like this for a while. Our guess was that when
one of our hosts contacted that site, we were sometimes -- up to half-a-dozen
times a day -- being sent back a copy of the last packet they'd sent to
someone else. They claimed to be having problems with some piece of
equipment, and to be taking it up with the vendor, and eventually the traffic
stopped.

[We did not, however, notice the consistent source port numbers which you
report....]

David G
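
The following is an added example, not code from any poster in this thread: one way to separate the SYN/ACK traffic described above from ordinary replies in a packet log, by checking each inbound SYN/ACK against outbound SYNs and against the list of addresses actually in use. The address ranges, the live-host list and the log records are constructed assumptions.

```python
import ipaddress
from collections import Counter

OUR_NET = ipaddress.ip_network("192.0.2.0/24")   # assumed local address space
LIVE_HOSTS = {"192.0.2.10", "192.0.2.25"}        # assumed addresses actually in use

# Constructed sample records: (src_ip, src_port, dst_ip, dst_port, tcp_flags)
PACKETS = [
    ("192.0.2.10", 40112, "198.51.100.7", 80, "S"),    # our host opens a connection
    ("198.51.100.7", 80, "192.0.2.10", 40112, "SA"),   # the reply it asked for
    ("203.0.113.5", 23, "192.0.2.77", 1974, "SA"),     # unused destination address
    ("203.0.113.5", 80, "192.0.2.140", 1829, "SA"),    # unused destination address
    ("203.0.113.9", 80, "192.0.2.201", 1974, "SA"),    # unused destination address
    ("198.51.100.44", 25, "192.0.2.25", 1829, "SA"),   # live host, but no SYN logged
]

def is_local(ip):
    return ipaddress.ip_address(ip) in OUR_NET

def classify(packets):
    """Return (label, (src, sport, dst, dport)) for every inbound SYN/ACK."""
    pending = set()   # (local_ip, local_port, remote_ip, remote_port) of outbound SYNs
    results = []
    for src, sport, dst, dport, flags in packets:
        if flags == "S" and is_local(src):
            pending.add((src, sport, dst, dport))
        elif flags == "SA" and is_local(dst):
            if (dst, dport, src, sport) in pending:
                label = "solicited"
            elif dst not in LIVE_HOSTS:
                label = "dark-address"       # nothing at this address could have sent a SYN
            else:
                label = "unsolicited-live"   # live host, no matching outbound SYN seen
            results.append((label, (src, sport, dst, dport)))
    return results

def summarize(results):
    """Count unsolicited SYN/ACKs per source /24 and per destination port."""
    by_net, by_dport = Counter(), Counter()
    for label, (src, sport, dst, dport) in results:
        if label == "solicited":
            continue
        by_net[str(ipaddress.ip_network(src + "/24", strict=False))] += 1
        by_dport[dport] += 1
    return by_net, by_dport

if __name__ == "__main__":
    by_net, by_dport = summarize(classify(PACKETS))
    print(dict(by_net), dict(by_dport))
```

A count that stays concentrated on one source network and a couple of destination ports, all aimed at dark addresses, fits the pattern the original poster reports.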