[Dshield] seemingly random (ACK+RST) packets from 64.164.160.154:80

j.travis skynet at psinode.com
Wed Mar 24 16:13:55 GMT 2004


I am getting these seemingly random ACK+RST packets from a particular
machine (64.164.160.154) from port 80 to my high ports (usually
1100-1600 or so) on a regular basis throughout the day.  There is no
web server running on the 64.164.160.154 machine and I have carefully
monitored my own server to make sure that it is not sending
communications to 64.164.160.154.  The thing is that this machine
(adsl-64-164-160-154.dsl.lsan03.pacbell.net) belongs to my DSL provider
(pacbell.net/SBC), so I am thinking there must be a logical explanation
for this behavior.  Anybody have any ideas?

Mar 23 12:48:10 psinode kernel: WATCH! :IN=eth0 OUT=
MAC=00:10:4b:c5:6b:65:00:10:67:00:b6:0e:08:00 SRC=64.164.160.154
DST=64.164.208.163 LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=39133 PROTO=TCP
SPT=80 DPT=1084 WINDOW=0 RES=0x00 ACK RST URGP=0

Mar 23 12:51:19 psinode kernel: WATCH! :IN=eth0 OUT=
MAC=00:10:4b:c5:6b:65:00:10:67:00:b6:0e:08:00 SRC=64.164.160.154
DST=64.164.208.163 LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=2513 PROTO=TCP
SPT=80 DPT=1315 WINDOW=0 RES=0x00 ACK RST URGP=0

Mar 23 12:59:14 psinode kernel: WATCH! :IN=eth0 OUT=
MAC=00:10:4b:c5:6b:65:00:10:67:00:b6:0e:08:00 SRC=64.164.160.154
DST=64.164.208.163 LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=10381 PROTO=TCP
SPT=80 DPT=1471 WINDOW=0 RES=0x00 ACK RST URGP=0

A tcpdump capture shows:

tcpdump -r tcp.dump host 64.164.160.154 -vv
16:05:00.953330 adsl-64-164-160-154.dsl.lsan03.pacbell.net.http >
psinode.1981: R [tcp sum ok] 0:0(0) ack 770179073 win 0 (ttl 117, id
51245, len 40)
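Added example, not part of the original message and not the poster's code: the tcpdump line above has the shape of the reset a TCP stack sends when a SYN reaches a closed port (RST with ACK set, sequence 0, acknowledgement equal to the probe's sequence number plus one, window 0). If that is what is happening, the "random" destination ports are simply whatever source ports the probes carried. The Python script below parses kernel LOG-target records in the exact field layout quoted above and reports RST+ACK packets for which this host never opened a matching connection, then groups them by sending host and port. The log records (the three from the post plus two that must not be reported) and the set of known outbound connections are constructed for the example; each record is joined onto one line, unlike the wrapped copies in the mail.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Netfilter LOG-target records are "KEY=VALUE" tokens; TCP flags appear as
# bare words (e.g. "ACK RST") after the PROTO field.
_KV = re.compile(r"\b([A-Z]+)=(\S*)")
_TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    window: int
    flags: frozenset


def parse_netfilter_log(line: str) -> Optional[Packet]:
    """Parse one kernel LOG line; return None for non-TCP or malformed input."""
    kv = dict(_KV.findall(line))
    if kv.get("PROTO") != "TCP":
        return None
    try:
        tail = line.split("PROTO=TCP", 1)[1]
        flags = frozenset(tok for tok in tail.split() if tok in _TCP_FLAGS)
        return Packet(src=kv["SRC"], dst=kv["DST"],
                      sport=int(kv["SPT"]), dport=int(kv["DPT"]),
                      window=int(kv["WINDOW"]), flags=flags)
    except (KeyError, ValueError, IndexError):
        return None


def looks_like_closed_port_reset(pkt: Packet) -> bool:
    """A reply to a SYN that hit a closed port is RST+ACK with window 0
    (RFC 793).  Low source port to a high destination port means the client
    side of that exchange is us, so we ought to have sent the SYN ourselves."""
    return ("RST" in pkt.flags and "ACK" in pkt.flags and "SYN" not in pkt.flags
            and pkt.window == 0 and pkt.sport < 1024 and pkt.dport >= 1024)


def unsolicited_resets(lines: Iterable[str],
                       known_outbound: Set[Tuple[str, int, int]]) -> List[Packet]:
    """Return closed-port-style resets whose (remote ip, remote port, local port)
    never appears among the connections this host initiated."""
    hits = []
    for line in lines:
        pkt = parse_netfilter_log(line)
        if (pkt and looks_like_closed_port_reset(pkt)
                and (pkt.src, pkt.sport, pkt.dport) not in known_outbound):
            hits.append(pkt)
    return hits


def group_by_source(pkts: Iterable[Packet]) -> Dict[Tuple[str, int], Set[int]]:
    """Map (src, sport) -> set of local ports hit.  One low source port
    spraying many unrelated high ports is the pattern to look for."""
    out: Dict[Tuple[str, int], Set[int]] = {}
    for p in pkts:
        out.setdefault((p.src, p.sport), set()).add(p.dport)
    return out


def _record(ts, src, ttl, ident, sport, dport, flags, window=0):
    # Constructed log record in the field layout of the post, joined onto one line.
    return (f"{ts} psinode kernel: WATCH! :IN=eth0 OUT= "
            f"MAC=00:10:4b:c5:6b:65:00:10:67:00:b6:0e:08:00 SRC={src} DST=64.164.208.163 "
            f"LEN=40 TOS=0x00 PREC=0x00 TTL={ttl} ID={ident} PROTO=TCP SPT={sport} "
            f"DPT={dport} WINDOW={window} RES=0x00 {flags} URGP=0")


# Constructed sample: the three records from the post, plus a reset for a
# connection we did open and a SYN+ACK, neither of which should be reported.
SAMPLE_LOG = [
    _record("Mar 23 12:48:10", "64.164.160.154", 117, 39133, 80, 1084, "ACK RST"),
    _record("Mar 23 12:51:19", "64.164.160.154", 117, 2513, 80, 1315, "ACK RST"),
    _record("Mar 23 12:59:14", "64.164.160.154", 117, 10381, 80, 1471, "ACK RST"),
    _record("Mar 23 13:02:00", "192.0.2.10", 56, 100, 80, 1500, "ACK RST"),
    _record("Mar 23 13:02:01", "192.0.2.10", 56, 101, 443, 1501, "ACK SYN", window=5840),
]
# Constructed: connections this host is known to have opened
# as (remote ip, remote port, local port) triples.
KNOWN_OUTBOUND = {("192.0.2.10", 80, 1500), ("192.0.2.10", 443, 1501)}

if __name__ == "__main__":
    groups = group_by_source(unsolicited_resets(SAMPLE_LOG, KNOWN_OUTBOUND))
    for (src, sport), dports in groups.items():
        print(f"{src}:{sport} sent unsolicited RST+ACK to {len(dports)} "
              f"local ports: {sorted(dports)}")
```

In practice the known-outbound set would come from the host's own connection tracking or an outbound LOG rule rather than a literal; the point of the check is that a reset from a port we never talked to cannot be closing one of our connections, whatever the sender's intent.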



