[Dshield] seemingly random (ACK+RST) packets from 64.164.160.154:80

Stephane Grobety security at admin.fulgan.com
Wed Mar 24 16:37:25 GMT 2004


jt> I am getting these seemingly random ACK+RST packets from a particular
jt> machine (64.164.160.154) from port 80 to my high ports (usually
jt> 1100-1600 or so) on a regular basis throughout the day.  There is not a
jt> webserver running on the 64.164.160.154 machine and I have carefully
jt> monitored my own server to make sure that it is not sending
jt> communications to 64.164.160.154.  The thing is that this machine
jt> (adsl-64-164-160-154.dsl.lsan03.pacbell.net) belongs to my DSL provider
jt> (pacbell.net/SBC) so I am thinking there must be a logical explanation
jt> for this behavior. Anybody have any ideas?


Hum. It could be that someone is sending spoofed SYNs to this machine
with your IP address. Possibly, this host is under (D)DoS and your IP
is used as a decoy.

Now, why someone would try to SYN-flood a machine that is obviously
not listening on the target port is beyond me. Maybe there is
something else...

Good luck,
Stephane
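
The spoofed-SYN explanation above can be checked from a capture taken on the receiving host: a reset that answers a real connection attempt pairs with an outbound SYN and acknowledges its sequence number plus one (RFC 793), while backscatter has no such SYN. This is an added example, not part of the original post; it assumes `tcpdump -nn -S -tt` text output, and the addresses, timestamps and sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample in tcpdump -nn -S -tt style (documentation addresses only).
SAMPLE = """\
10.000 IP 192.0.2.10.1105 > 198.51.100.7.80: Flags [S], seq 1000, win 65535, length 0
10.050 IP 198.51.100.7.80 > 192.0.2.10.1105: Flags [R.], seq 0, ack 1001, win 0, length 0
20.000 IP 203.0.113.154.80 > 192.0.2.10.1234: Flags [R.], seq 0, ack 55501, win 0, length 0
35.000 IP 203.0.113.154.80 > 192.0.2.10.1410: Flags [R.], seq 0, ack 91822, win 0, length 0
50.000 IP 203.0.113.154.80 > 192.0.2.10.1577: Flags [R.], seq 0, ack 10733, win 0, length 0
"""

LINE = re.compile(
    r"^(?P<ts>[\d.]+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
    r"(?:, seq (?P<seq>\d+))?(?:, ack (?P<ack>\d+))?")

def find_unsolicited_resets(capture, local_ip, window=60.0):
    """Return {(remote_ip, remote_port): count} of RST+ACKs answering no SYN we sent."""
    pending = {}  # (local_port, remote_ip, remote_port) -> (time, seq) of our SYN
    unsolicited = Counter()
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, flags = float(m["ts"]), m["flags"]
        if m["src"] == local_ip and flags == "S":
            pending[(m["sport"], m["dst"], m["dport"])] = (ts, int(m["seq"]))
        elif m["dst"] == local_ip and flags == "R.":
            syn = pending.pop((m["dport"], m["src"], m["sport"]), None)
            # A reset answering our SYN arrives soon after it and acks seq + 1.
            answered = (syn is not None and ts - syn[0] <= window
                        and m["ack"] is not None and int(m["ack"]) == syn[1] + 1)
            if not answered:
                unsolicited[(m["src"], int(m["sport"]))] += 1
    return dict(unsolicited)

if __name__ == "__main__":
    for (ip, port), n in find_unsolicited_resets(SAMPLE, "192.0.2.10").items():
        print(f"{ip}:{port} sent {n} RST+ACK with no matching outbound SYN")
```

A steady count from one remote address and port, with no outbound SYN from the local host in the same capture, is consistent with the host's address being used as a spoofed source.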
