Sounds to me like an unintentional spoof.  Some newbie has misconfigured
their IP address and has set their machine up as being in your address
space.  They are probably wondering why their access doesn't work.
Alternatively, a DHCP server is similarly misconfigured, which would allow
for a range of addresses.

Kevin Murphy
Los Angeles

------------------------------
>
> Date: Mon, 3 May 1999 15:20:04 -0700
> From: [EMAIL PROTECTED] (David Gillett)
> Subject: Re: SYN/ACK to nonexistent addresses?
>
> On 3 May 99, at 17:29, batz wrote:
>
> > On Mon, 3 May 1999, W.C. (Jay) Epperson wrote:
> >
> > :For several days, we've seen SYN/ACK packets directed to unused addresses
> > :within our address space.  TCP source port is often a well-known port like
> > :Telnet, Http, etc.  Destination port is generally above 1024, and is mostly
> > :either 1974 or 1829.  At first, the packets were all coming from a single
> > :network.  We suspected that we were the spoofed side of a SYN flood attack
> > :and notified the other network contact.  Later, the traffic from that
> > :network stopped, and we now see the traffic coming in from a variety of
> > :outside networks.
> > :
> > :The volume is too low to cause us DOS problems, but we're scratching our
> > :heads as to what this is about.  Any clues?
> >
> > Your guess about being a spoofed source is a good one as it's possible
> > that the perp is just scanning other networks now.
> >
> > There are some more esoteric possibilities, but that sounds about
> > right.
>
>   We saw some traffic a bit like this for a while.  Our guess was that when
> one of our hosts contacted that site, we were sometimes -- up to half-a-dozen
> times a day -- being sent back a copy of the last packet they'd sent to
> someone else.  They claimed to be having problems with some piece of
> equipment, and to be taking it up with the vendor, and eventually the traffic
> stopped.
>
>   [We did not, however, notice the consistent source port numbers which you
> report....]
>
>
> David G
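
The triage this thread describes, as an added example that is not part of the original messages: pick out SYN/ACKs addressed to unused addresses and tally them by source network, destination port and well-known source port. The 192.0.2.0/24 "own" network, the live-host list, the record layout and the function names are all assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample data; 192.0.2.0/24 stands in for "our address space".
OUR_NET = ipaddress.ip_network("192.0.2.0/24")
LIVE_HOSTS = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("192.0.2.25")}

# Constructed records: (src_ip, src_port, dst_ip, dst_port, tcp_flags)
SAMPLE = [
    ("198.51.100.7", 23, "192.0.2.77", 1974, "SA"),
    ("198.51.100.7", 80, "192.0.2.130", 1829, "SA"),
    ("203.0.113.9", 80, "192.0.2.201", 1974, "SA"),
    ("203.0.113.9", 80, "192.0.2.10", 40112, "SA"),    # live host: ordinary reply
    ("198.51.100.44", 51515, "192.0.2.25", 25, "S"),   # inbound SYN, not a SYN/ACK
    ("203.0.113.50", 3000, "192.0.2.88", 1829, "SA"),  # source port not well-known
]

def unsolicited_synacks(records, net=OUR_NET, live=LIVE_HOSTS):
    """Return SYN/ACK records addressed to unused addresses inside net."""
    hits = []
    for src, sport, dst, dport, flags in records:
        dst_ip = ipaddress.ip_address(dst)
        # No host lives at an unused address, so nothing there sent a SYN.
        if flags == "SA" and dst_ip in net and dst_ip not in live:
            hits.append((src, sport, dst, dport))
    return hits

def summarize(hits):
    """Tally hits by source /24, by destination port, and count well-known source ports."""
    by_net = Counter(
        str(ipaddress.ip_network(f"{src}/24", strict=False)) for src, _, _, _ in hits
    )
    by_dport = Counter(dport for _, _, _, dport in hits)
    well_known = sum(1 for _, sport, _, _ in hits if sport < 1024)
    return by_net, by_dport, well_known

if __name__ == "__main__":
    hits = unsolicited_synacks(SAMPLE)
    by_net, by_dport, well_known = summarize(hits)
    print("unsolicited SYN/ACKs:", len(hits))
    print("by source /24:", dict(by_net))
    print("by destination port:", dict(by_dport))
    print("with well-known source port:", well_known)
```

Many unused destinations paired with well-known source ports fits the spoofed-source reading; a single repeated destination address would fit the misconfigured-host reading better.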


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
