Security Incidents mailing list archives
Re: Packet from port 80 with spoofed microsoft.com ip
From: Keith Owens <kaos () ocs com au>
Date: Thu, 30 Jan 2003 14:31:36 +1100
On Wed, 29 Jan 2003 21:46:53 +1100, Michael Rowe <mrowe () mojain com> wrote:
I received a packet on my cable modem today, allegedly from microsoft.com: 18:41:35.663374 207.46.249.190.80 > my.cable.modem.ip.1681: S866282571:866282571(0) ack 268566529 win 16384 <mss 1460>
I am seeing a lot of sync/ack packets from port 80 to non-existent addresses on my networks. Somebody is spoofing source addresses to attack hosts, we are just innocent victims. When will ISPs learn that they should filter their customer's packets to prevent spoofing? I am even seeing syn/ack packets from 255.255.255.255:80! ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Packet from port 80 with spoofed microsoft.com ip Michael Rowe (Jan 29)
- Re: Packet from port 80 with spoofed microsoft.com ip Chris Wilkes (Jan 29)
- Re: Packet from port 80 with spoofed microsoft.com ip Thiago Conde Figueiró (Jan 29)
- Re: Packet from port 80 with spoofed microsoft.com ip Rich Puhek (Jan 30)
- Re: Packet from port 80 with spoofed microsoft.com ip H C (Jan 29)
- Re: Packet from port 80 with spoofed microsoft.com ip Keith Owens (Jan 30)
- Message not available
- Re: Packets from 255.255.255.255(80) (was: Packet from port 80 with spoofed microsoft.com ip) Russell Fulton (Jan 31)
- Message not available
- Message not available
- <Possible follow-ups>
- RE: Packet from port 80 with spoofed microsoft.com ip NESTING, DAVID M (SBCSI) (Jan 29)