[Dshield] seemingly random (ACK+RST) packets from 18.104.22.168:80
Freek de Kruijf
f.de.kruijf at hetnet.nl
Wed Mar 24 20:09:19 GMT 2004
On Wednesday 24 March 2004 17:46, Tom Liston wrote:
> Most logical reason: Someone is sending SYN packets to port 80 of
> this machine with a source address of your machine. If it isn't you,
> then it's someone spoofing your IP address. The machine isn't
> running a webserver, so it responds with a ACK+RST.
> Perhaps there WAS a webserver at that address that was ticking
> someone off enough to get itself packeted out of existence.... or
> perhaps someone got a new DHCP lease...
I see the same type of <ACK><RST> packets. 185 coming from IP-addresses
of my provider. A total of 5 different source IP-addresses. In total I
received 286 of these packets in 11 days. So 101 coming from a whole
range of IP-addresses not belonging to my ISP.
I checked a few of these source IP-addresses of my ISP and in one case
the source port was always the same (1025). But in another case there
was no pattern in source or destination port.
I have no clue.
I do report these flags to Dshield, but I don't know what Dshield does
with this data.
More information about the list