[Dshield] seemingly random (ACK+RST) packets from 64.164.160.154:80

j.travis skynet at psinode.com
Wed Mar 24 19:24:28 GMT 2004


> At first glance I would guess that someone is attempting to SYN flood
> 64.164.160.154 but just has not figured out that 80/TCP is not an open
> port on that system.
>
> A few things in the trace trouble me however. The TTL is 117, which
> would imply a Windows box sitting 11 hops away from you. The IP ID's
> are random however and every Windows OS I've ever looked at uses
> predictable IP ID's (increments of +1, +2 and +256).

There is not much of a pattern at all to them except that they
consistently dribble in all day long. Sometimes 3 minutes apart,
sometimes 20 minutes.

> Do you only have 1 IP or multiple? If multiple, is this happening with
> more than one of your IP addresses?
>
> Its not a sweep or a scan and the packets look pretty legit so I don't
> think its a covert channel. The IP ID Vs. TTL thing bugs me though.

I do have one other Linux box on the same /248 subnet but it just seems
to be getting the usual internet noise on it. I'll have to do some
closer inspection and get back to you on that.
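The reasoning in this exchange, an observed TTL of 117 measured against the common initial TTLs and the +1/+2/+256 IP ID test for a Windows sender, written out as a small analysis script. This is an added example, not code from the original post or from DShield; the packets it runs over are constructed sample data, and the OS labels attached to each initial TTL are a heuristic assumption (a sender with a non-default TTL defeats it).

```python
"""Added example, not part of the original post or of the DShield tools.

It mechanises the two clues discussed in the thread: what an observed TTL
says about the sender's initial TTL and hop distance, and whether a run of
IP IDs looks incremental (the Windows behaviour the reply describes, +1,
+2 or +256 steps) or random. The packets below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Common initial TTLs. The OS labels are a heuristic (assumption: the
# sender runs a stock TTL), not a definitive fingerprint.
INITIAL_TTLS = {
    32: "Windows 9x / NT 3.x",
    64: "Linux / BSD / recent Unix",
    128: "Windows NT 4.0 and later",
    255: "Solaris / Cisco IOS / many network devices",
}

# Per-packet IP ID deltas the reply treats as "predictable"
# (taken mod 65536, so a wrap from 0xffff to 0x0000 still counts as +1).
PREDICTABLE_DELTAS = {1, 2, 256}


@dataclass
class Packet:
    ts: float       # arrival time, seconds since epoch
    ttl: int        # TTL as seen on the wire
    ip_id: int      # IP identification field
    flags: str      # TCP flags, e.g. "RA" for RST+ACK


def guess_initial_ttl(ttl: int) -> Tuple[int, int]:
    """Return (assumed initial TTL, hop count) for an observed TTL.

    Picks the smallest common initial TTL that is >= the observed value;
    the hop count is the difference. 117 -> (128, 11), the inference made
    in the reply.
    """
    for initial in sorted(INITIAL_TTLS):
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError(f"TTL {ttl} exceeds 255")


def classify_ip_ids(ids: List[int]) -> str:
    """Label an IP ID sequence as 'zero', 'incremental' or 'random'.

    Fewer than two samples cannot be judged and return 'insufficient'.
    """
    if len(ids) < 2:
        return "insufficient"
    if all(i == 0 for i in ids):
        return "zero"
    deltas = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    if all(d in PREDICTABLE_DELTAS for d in deltas):
        return "incremental"
    return "random"


def analyse(packets: List[Packet]) -> Dict[str, object]:
    """Summarise a run of packets from one source the way the thread does:
    TTL inference, IP ID pattern, flag set and inter-arrival spacing."""
    if not packets:
        raise ValueError("no packets")
    ttls = {p.ttl for p in packets}
    if len(ttls) != 1:
        # A moving TTL hints at several senders or a changing path;
        # report it instead of guessing a hop count.
        return {"ttl": sorted(ttls), "note": "TTL varies; no single path"}
    ttl = packets[0].ttl
    initial, hops = guess_initial_ttl(ttl)
    ordered = sorted(packets, key=lambda p: p.ts)
    gaps = [b.ts - a.ts for a, b in zip(ordered, ordered[1:])]
    return {
        "ttl": ttl,
        "initial_ttl": initial,
        "os_hint": INITIAL_TTLS[initial],
        "hops": hops,
        "ip_id_pattern": classify_ip_ids([p.ip_id for p in ordered]),
        "flags": sorted({p.flags for p in packets}),
        "gap_minutes": (round(min(gaps) / 60, 1), round(max(gaps) / 60, 1))
        if gaps else None,
    }


# Constructed sample: TTL 117, random-looking IP IDs, RST+ACK only,
# arriving three to twenty minutes apart as the poster describes.
SAMPLE = [
    Packet(1080156000.0, 117, 41923, "RA"),
    Packet(1080156180.0, 117, 7310, "RA"),
    Packet(1080157380.0, 117, 58204, "RA"),
    Packet(1080157740.0, 117, 12877, "RA"),
]

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key:>14}: {value}")
```

Run it on a real capture by filling `Packet` records from tcpdump or a pcap parser; the TTL inference only holds if every packet in the run carries the same TTL, which is why `analyse` refuses to guess a hop count when it varies.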
