[Dshield] Weird scanning, weird ports, weird TCP flags..

Tom Liston tliston at premmag.com
Wed Oct 22 14:09:38 GMT 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It sounds like what you're seeing is what is known as "back-scatter."

This is caused when someone attacks a machine on the internet using your 
IP address as a source on a spoofed packet.  Normally this is part of a 
denial of service attack.  The attacked machine is responding back to your 
IP address with a SYN-ACK or RST-ACK in response to a spoofed inbound SYN.

- -TL

On 22 Oct 2003 at 16:20, Dale Clapperton (lists) wrote:

- ---- >8 ---- Snip! 
> It's coming from two addresses in the one /24, of a hosting provider in 
> the states.  Based on the SMTP banner on one of them, at least one 
> is a Windows machine.  The source port is always port 80.
> 
> The destination IPs are random addresses within our network, most of
> which are unused.  The destination ports seem random but in the range
> (approx) of 1000-5000.
> 
> The flow records show that the packets have either the SYN and ACK flags
> set, or RST and ACK.
- ---- >8 ---- Snip! 
> Does anyone have an idea what this could be??
- ---- >8 ---- Snip! 

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0 -- QDPGP 2.70 
Comment: Public key - http://www.hackbusters.net/pgp.txt

iQA/AwUBP5aPo6Oq/X4cwCZKEQLqzQCfcqoPV8BEcdvFMjusadu+ZyWJMcoAoNxt
oe/Cbhj6bWidQ8QSbKxQArTQ
=DCv5
-----END PGP SIGNATURE-----
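
The back-scatter pattern described in this message, as an added example that is not part of the original post: a Python check over flow records that reports remote hosts sending only SYN-ACK / RST-ACK replies to local addresses that never sent them a SYN. The function name, record layout, threshold and sample addresses are assumptions; the sample flows are constructed.

```python
import ipaddress
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10          # TCP flag bits as stored in flow records
REPLY_FLAGS = {SYN | ACK, RST | ACK}      # what a victim sends back to a spoofed SYN

def find_backscatter(flows, local_net, min_dsts=3):
    """flows: list of (src_ip, src_port, dst_ip, dst_port, tcp_flags).
    Returns {remote_ip: {"targets": n, "src_ports": [...]}} for remote hosts that
    sent reply-only packets to >= min_dsts local addresses with no matching SYN."""
    net = ipaddress.ip_network(local_net)

    def is_local(ip):
        return ipaddress.ip_address(ip) in net

    # Connections we really opened: a pure SYN leaving the local network.
    opened = {(s, sp, d, dp) for s, sp, d, dp, fl in flows
              if is_local(s) and fl & SYN and not fl & ACK}
    targets, ports = defaultdict(set), defaultdict(set)
    for s, sp, d, dp, fl in flows:
        if is_local(s) or not is_local(d):
            continue                       # only inbound traffic is of interest
        # A reply with no outbound SYN behind it answers a packet we never sent.
        if fl in REPLY_FLAGS and (d, dp, s, sp) not in opened:
            targets[s].add(d)
            ports[s].add(sp)
    return {ip: {"targets": len(dsts), "src_ports": sorted(ports[ip])}
            for ip, dsts in targets.items() if len(dsts) >= min_dsts}

# Constructed sample: two hosts in one /24 replying from port 80 to scattered
# local addresses, plus one legitimate outbound web connection and its reply.
SAMPLE_FLOWS = [
    ("198.51.100.10", 80, "192.0.2.17", 1034, SYN | ACK),
    ("198.51.100.10", 80, "192.0.2.201", 4410, RST | ACK),
    ("198.51.100.10", 80, "192.0.2.88", 2950, SYN | ACK),
    ("198.51.100.11", 80, "192.0.2.45", 3122, RST | ACK),
    ("198.51.100.11", 80, "192.0.2.130", 1877, SYN | ACK),
    ("198.51.100.11", 80, "192.0.2.9", 4999, RST | ACK),
    ("192.0.2.5", 40000, "203.0.113.7", 80, SYN),
    ("203.0.113.7", 80, "192.0.2.5", 40000, SYN | ACK),
]

if __name__ == "__main__":
    for ip, info in find_backscatter(SAMPLE_FLOWS, "192.0.2.0/24").items():
        print(ip, info)
```

A single well-known source port such as 80 in the output points at the service that was being attacked with the spoofed SYNs.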



