Security Incidents mailing list archives

Re: Packet from port 80 with spoofed microsoft.com ip

From: Keith Owens <kaos () ocs com au>
Date: Thu, 30 Jan 2003 14:31:36 +1100

On Wed, 29 Jan 2003 21:46:53 +1100, 
Michael Rowe <mrowe () mojain com> wrote:

I received a packet on my cable modem today, allegedly from
microsoft.com: 

18:41:35.663374 207.46.249.190.80 > my.cable.modem.ip.1681: S866282571:866282571(0) ack 268566529 win 16384 <mss 1460>


I am seeing a lot of sync/ack packets from port 80 to non-existent
addresses on my networks.  Somebody is spoofing source addresses to
attack hosts, we are just innocent victims.  When will ISPs learn that
they should filter their customer's packets to prevent spoofing?  I am
even seeing syn/ack packets from 255.255.255.255:80!


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Packet from port 80 with spoofed microsoft.com ip Michael Rowe (Jan 29)
- Re: Packet from port 80 with spoofed microsoft.com ip Chris Wilkes (Jan 29)
- Re: Packet from port 80 with spoofed microsoft.com ip Thiago Conde Figueiró (Jan 29)
  - Re: Packet from port 80 with spoofed microsoft.com ip Rich Puhek (Jan 30)
- Re: Packet from port 80 with spoofed microsoft.com ip H C (Jan 29)
- Re: Packet from port 80 with spoofed microsoft.com ip Keith Owens (Jan 30)
  - Message not available
    - Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) Russell Fulton (Jan 31)
  - Message not available
    - Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) Peter Triller (Jan 31)
- <Possible follow-ups>
- RE: Packet from port 80 with spoofed microsoft.com ip NESTING, DAVID M (SBCSI) (Jan 29)