Security Incidents mailing list archives
Re: Strange & Consistent RST/ACK packets
From: bejtlich () TEXAS NET (Richard Bejtlich)
Date: Tue, 11 Apr 2000 11:08:54 -0000
Hello,

I haven't identified the code which produces SYN 674719801 packets, although I do believe you're seeing collateral damage from an unknown third party SYN flooding other sites while spoofing your network's IPs. Examples can be found here in two .ppt and .rtf files:

http://bejtlich.home.texas.net/

I've seen the same sort of activity with SYN ACK and RST ACK 674711610, which may have been generated by at least one tool (shaft), sending SYN 674711609 packets. For more info, see the arachNIDS database at www.whitehats.com, or more specifically:

http://dev.whitehats.com/cgi/test/new.pl/Show?_id=ids253&sort=DEFAULT&search=674711609

Richard

--
At one of my customer sites, I keep seeing uninitiated RST/ACK packets with an acknowledgement number of 674719802. Or is this just a scanning tool that looks for ICMP unreachables from my customer's border router?
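An added example, not part of the original message or of any tool it names: flagging unsolicited SYN/ACK and RST/ACK packets whose acknowledgement number is one more than the fixed SYN sequence numbers quoted above. The log format, the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Fixed SYN sequence numbers named in the message above. A SYN/ACK or RST/ACK
# answering such a SYN carries an acknowledgement number of sequence + 1.
FIXED_SYN_SEQS = (674719801, 674711609)
SUSPECT_ACKS = {seq + 1 for seq in FIXED_SYN_SEQS}

# Assumed, simplified log format (constructed for this example):
#   <src_ip>.<port> > <dst_ip>.<port> flags=<S|SA|RA> seq=<n> ack=<n>
LINE_RE = re.compile(r"^(\S+) > (\S+) flags=([A-Z]+) seq=(\d+) ack=(\d+)$")

# Constructed sample traffic using documentation address ranges.
SAMPLE_LOG = """\
192.0.2.10.1025 > 198.51.100.5.80 flags=S seq=1000 ack=0
198.51.100.5.80 > 192.0.2.10.1025 flags=SA seq=5000 ack=1001
203.0.113.7.80 > 192.0.2.20.1042 flags=RA seq=0 ack=674719802
203.0.113.8.6667 > 192.0.2.21.1050 flags=RA seq=0 ack=674719802
203.0.113.9.80 > 192.0.2.22.2000 flags=SA seq=77 ack=674711610
192.0.2.30.4000 > 203.0.113.50.80 flags=S seq=674711609 ack=0
203.0.113.50.80 > 192.0.2.30.4000 flags=RA seq=0 ack=674711610
198.51.100.9.80 > 192.0.2.23.3000 flags=RA seq=0 ack=12345
"""

def find_backscatter(log_text):
    """Map each suspect ack number to the endpoints that sent unsolicited replies."""
    sent_syns = set()  # (src, dst, seq) of every SYN observed so far
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, dst, flags = m.group(1, 2, 3)
        seq, ack = int(m.group(4)), int(m.group(5))
        if flags == "S":
            sent_syns.add((src, dst, seq))
        elif flags in ("SA", "RA") and ack in SUSPECT_ACKS:
            # Solicited only if the matching SYN was seen leaving earlier;
            # such a reply points at a local sender, not at spoofing.
            if (dst, src, ack - 1) not in sent_syns:
                hits[ack].append(src)
    return dict(hits)

if __name__ == "__main__":
    for ack, senders in sorted(find_backscatter(SAMPLE_LOG).items()):
        print(f"ack={ack}: {len(senders)} unsolicited replies from {senders}")
```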