[Dshield] Weird scanning, weird ports, weird TCP flags..
Jon R. Kibler
Jon.Kibler at aset.com
Thu Oct 23 16:20:33 GMT 2003
Tom Liston wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> It sounds like what you're seeing is what is known as "back-scatter."
> This is caused when someone attacks a machine on the internet using your
> IP address as a source on a spoofed packet. Normally this is part of a
> denial of service attack. The attacked machine is responding back to your
> IP address with a SYN-ACK or RST-ACK in response to a spoofed inbound SYN.
> - -TL
We too have been seeing a lot of apparent scanning on 'strange' TCP and UDP ports (ports > 32k) and thought that it was backscatter. However, upon closer analysis, most of these garbage packets are coming from bogus IPs (private address space and ranges like: 0/8, 1/8, 126/8, etc.) and we are only seeing a few per port.
The amount of the garbage traffic has grown in the past week or two from one or two ports per day (fairly constant for the past few years) to dozens or more a day now. A few are from legit IPs and are probably backscatter -- but anyone have any ideas about the rest coming from bogus IPs?
Jon R. Kibler
Chief Technical Officer
Charleston, SC USA
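The two explanations in this thread can be separated mechanically: a victim's reply to a forged SYN is a SYN-ACK or RST-ACK from a routable address, while a packet sourced from private or unallocated space cannot be any host's reply at all. The script below is an added example, not code from this post or from DShield. It assumes a constructed one-line-per-packet log format, treats "high port" as anything above 32767 (the ">32k" in Jon's message), and uses the bogon list exactly as the post names it (RFC 1918 space plus 0/8, 1/8, 126/8); 1/8 and 126/8 were unallocated in 2003 and have since been assigned, so that list is the 2003 view and an assumption here, not a current bogon feed.

```python
import ipaddress
from collections import Counter, defaultdict

# Address ranges the post calls "bogus": RFC 1918 private space plus the
# 0/8, 1/8 and 126/8 blocks it names. Assumption: this is the 2003 view from
# the post; 1/8 and 126/8 have since been allocated and are not bogons today.
BOGON_NETS = [
    ipaddress.ip_network(n)
    for n in (
        "0.0.0.0/8", "1.0.0.0/8", "126.0.0.0/8",
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    )
]

# Constructed log format for this example: "SRC:SPORT > DST:DPORT FLAGS",
# with FLAGS in tcpdump letters (S=SYN, A=ACK, R=RST), e.g. "SA" for SYN-ACK.
def parse_line(line):
    src_part, rest = line.split(" > ")
    dst_part, flags = rest.rsplit(" ", 1)
    src, sport = src_part.rsplit(":", 1)
    dst, dport = dst_part.rsplit(":", 1)
    return {"src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "flags": flags}

def is_bogon(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGON_NETS)

def classify(pkt):
    """Label one inbound packet.

    bogon-source: source address cannot legitimately reach us, so the packet
                  cannot be a victim's reply to a spoofed SYN.
    backscatter : SYN-ACK or RST-ACK from a routable source to one of our
                  high ports, i.e. the reply Tom Liston's explanation describes.
    other       : everything else (ordinary scans, normal traffic).
    """
    if is_bogon(pkt["src"]):
        return "bogon-source"
    if pkt["flags"] in ("SA", "RA") and pkt["dport"] > 32767:
        return "backscatter"
    return "other"

def summarize(lines):
    """Count packets per class and collect the destination ports hit per class,
    which shows the 'only a few per port' pattern Jon describes for bogon sources."""
    counts = Counter()
    ports = defaultdict(set)
    for line in lines:
        pkt = parse_line(line)
        label = classify(pkt)
        counts[label] += 1
        ports[label].add(pkt["dport"])
    return counts, {k: sorted(v) for k, v in ports.items()}

# Constructed sample log: 198.51.100.7 stands in for "our" address.
SAMPLE_LOG = [
    "203.0.113.10:80 > 198.51.100.7:40213 SA",   # victim web server replying to a forged SYN
    "203.0.113.10:80 > 198.51.100.7:40213 RA",   # same victim, port closed or connection reset
    "10.1.2.3:5151 > 198.51.100.7:51231 S",      # RFC 1918 source: bogon
    "1.2.3.4:1024 > 198.51.100.7:48001 S",       # 1/8 source: bogon per the post's 2003 list
    "126.9.9.9:3000 > 198.51.100.7:33456 S",     # 126/8 source: bogon per the post's 2003 list
    "192.0.2.50:4444 > 198.51.100.7:22 S",       # plain SYN to a service port: ordinary scan
]

if __name__ == "__main__":
    counts, ports = summarize(SAMPLE_LOG)
    for label in sorted(counts):
        print(f"{label:13s} {counts[label]:3d} packets, dports {ports[label]}")
```

Running it over the constructed sample prints two backscatter packets on one port, three bogon-sourced packets each on a different high port, and one ordinary scan. In practice the bogon list should come from a maintained source rather than the hard-coded 2003 blocks, and a per-port count of one or two from bogon space is the signal the thread is asking about.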