[Dshield] Weird scanning, weird ports, weird TCP flags..

Tom Liston tliston at premmag.com
Wed Oct 22 14:09:38 GMT 2003

It sounds like what you're seeing is what is known as "back-scatter."

This is caused when someone attacks a machine on the internet using your 
IP address as a source on a spoofed packet.  Normally this is part of a 
denial of service attack.  The attacked machine is responding back to your 
IP address with a SYN-ACK or RST-ACK in response to a spoofed inbound SYN.

-TL

On 22 Oct 2003 at 16:20, Dale Clapperton (lists) wrote:

---- >8 ---- Snip!
> It's coming from two addresses in the one /24, of a hosting provider in
> the states.  Based on the SMTP banner on one of them, at least one
> is a Windows machine.  The source port is always port 80.
> The destination IPs are random addresses within our network, most of
> which are unused.  The destination ports seem random but in the range
> (approx) of 1000-5000.
> The flow records show that the packets have either the SYN and ACK flags
> set, or RST and ACK.
---- >8 ---- Snip!
> Does anyone have an idea what this could be??
---- >8 ---- Snip!
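
The pattern discussed in this thread can be checked for in flow records. The following is an added example, not part of the original messages: it flags remote hosts that send SYN-ACK or RST-ACK packets to several local addresses without any matching outbound SYN. The `Flow` record layout, the `find_backscatter` name, the `min_targets` threshold and the sample addresses are assumptions made for illustration, and one record per packet is assumed.

```python
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network

# Hypothetical record layout; real flow exports name these fields differently.
Flow = namedtuple("Flow", "src sport dst dport flags")

SYN, RST, ACK = 0x02, 0x04, 0x10          # TCP flag bits
REPLY_FLAGS = {SYN | ACK, RST | ACK}      # the two combinations from the thread

def find_backscatter(flows, our_net, min_targets=3):
    """Map each remote IP to the local addresses it sent unsolicited
    SYN-ACK / RST-ACK packets to. Assumes one record per packet."""
    net = ip_network(our_net)
    # 4-tuples of connections that our own hosts really initiated.
    opened = {(f.src, f.sport, f.dst, f.dport) for f in flows
              if ip_address(f.src) in net and f.flags == SYN}
    targets = defaultdict(set)
    for f in flows:
        if ip_address(f.dst) not in net or f.flags not in REPLY_FLAGS:
            continue
        if (f.dst, f.dport, f.src, f.sport) in opened:
            continue  # a real reply to a SYN we sent, not back-scatter
        targets[f.src].add(f.dst)
    # Back-scatter sprays many of our addresses; one stray reply is noise.
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}

# Constructed sample records (documentation address ranges, not real data).
SAMPLE = [
    Flow("192.0.2.5", 40000, "203.0.113.7", 80, SYN),           # our real SYN
    Flow("203.0.113.7", 80, "192.0.2.5", 40000, SYN | ACK),     # its real reply
    Flow("198.51.100.10", 80, "192.0.2.17", 1043, SYN | ACK),
    Flow("198.51.100.10", 80, "192.0.2.201", 3312, RST | ACK),
    Flow("198.51.100.10", 80, "192.0.2.88", 4870, SYN | ACK),
    Flow("198.51.100.11", 80, "192.0.2.140", 2201, RST | ACK),
    Flow("198.51.100.11", 80, "192.0.2.9", 1999, RST | ACK),
    Flow("198.51.100.11", 80, "192.0.2.63", 4410, SYN | ACK),
]

if __name__ == "__main__":
    for src, dsts in find_backscatter(SAMPLE, "192.0.2.0/24").items():
        print(f"{src}: unsolicited replies to {len(dsts)} local addresses")
```

The solicited SYN-ACK from 203.0.113.7 is excluded because the sample contains the outbound SYN that caused it; the two hosts in 198.51.100.0/24 are reported because nothing local ever contacted them.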


