On Sun, 24 Jan 1999, Stephen Davies wrote:

> Hello.
> 
> I log all network traffic through my net  and have noticed 
> regular attempts to access two unused addresses in that space.
> 
> They do not look like cracker attacks as I usually only see one or two packets 
> from each source address scattered over quite long periods and there is a wide
> range of source addresses.
> 
> The log entries look like this (all sorts of from address but always .49 and 
> .177 destination):
> 
> 19:55:41.289553 209.235.34.151.19481 > 203.2.199.49.1711: R 0:0(0) ack 674719802 win 0
> 20:07:45.119568 209.235.34.151.19481 > 203.2.199.177.2075: R 0:0(0) ack 674719802 win 0

209.235.34.151 is being attacked/probed/scanned what have you, and someone
is forging 203.2.199.49 and 203.2.199.177 as source addresses...

this could be part of a SYN attack, it could be an nmap scan using these
addresses as decoys, it could be almost anything...

Hmm, no, it's not a SYN attack, as those would be SYN+ACK not Reset
packets coming back... 

and non-existent addresses would NOT be my choice of decoys for an nmap
type scan... I dunno... will be curious to see what the list thinks,
hopefully I've added fuel to the fire...

> 
> I have asked a couple of the people involved but without success.
> 
> Any ideas as to what might be happening?
> 
> Cheers and thanks,
> Stephen Davies
> 
> 
> ========================================================================
> Stephen Davies Consulting                    [EMAIL PROTECTED]
> Adelaide, South Australia.                   Voice: 61-8-82728863
> Computing & Network solutions.               Fax: 61-8-82741015
> 
> 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-net" in
> the body of a message to [EMAIL PROTECTED]
> 

----------------------------------------------------------------------
[EMAIL PROTECTED]   | Always bear in mind that your own resolution to
http://BareMetal.com/  | success is more important than any other one
web hosting since '95  | thing. - Abraham Lincoln
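
An added example, not part of the original message or thread: a small Python parser for old-style tcpdump lines like the two quoted above. It groups RST and SYN+ACK replies arriving at unused addresses by the remote host that sent them, which is the distinction the reply draws. The `UNUSED` set is taken from the addresses named in the post; the `192.0.2.x` lines are constructed for contrast.

```python
import re
from collections import defaultdict

# Old-style tcpdump TCP line: time src.port > dst.port: FLAGS ... [ack N] win W
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[SFRP.]+) (?P<rest>.*)$"
)

def classify(flags, rest):
    """Name the segment type that matters for backscatter analysis."""
    if "R" in flags:
        return "RST"          # reply to a segment the sender did not expect
    if "S" in flags and re.search(r"\back \d+", rest):
        return "SYN+ACK"      # reply to a SYN aimed at an open port
    if "S" in flags:
        return "SYN"          # a connection attempt, not a reply
    return "other"

def backscatter(lines, unused):
    """Group reply packets sent to addresses that never originate traffic."""
    seen = defaultdict(lambda: {"kinds": set(), "dsts": set(), "count": 0})
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["dst"] not in unused:
            continue
        kind = classify(m["flags"], m["rest"])
        if kind in ("RST", "SYN+ACK"):   # replies only; a bare SYN is a probe of us
            entry = seen[m["src"]]
            entry["kinds"].add(kind)
            entry["dsts"].add(m["dst"])
            entry["count"] += 1
    return dict(seen)

UNUSED = {"203.2.199.49", "203.2.199.177"}   # unused addresses named in the post
SAMPLE = [
    # The two log lines from the post:
    "19:55:41.289553 209.235.34.151.19481 > 203.2.199.49.1711: R 0:0(0) ack 674719802 win 0",
    "20:07:45.119568 209.235.34.151.19481 > 203.2.199.177.2075: R 0:0(0) ack 674719802 win 0",
    # Constructed lines: a SYN+ACK reply, and a bare SYN that is not a reply.
    "20:10:02.000001 192.0.2.10.80 > 203.2.199.49.1711: S 100:100(0) ack 674719803 win 8760",
    "20:11:00.000002 192.0.2.20.4000 > 203.2.199.177.23: S 500:500(0) win 512",
]

if __name__ == "__main__":
    for host, info in backscatter(SAMPLE, UNUSED).items():
        print(host, sorted(info["kinds"]), sorted(info["dsts"]), info["count"])
```

A remote host that shows up here is answering packets that carried the unused addresses as their source, so it is the likely recipient of the forged traffic rather than its origin.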
