[Dshield] seemingly random (ACK+RST) packets from 64.164.160.154:80

Freek de Kruijf f.de.kruijf at hetnet.nl
Wed Mar 24 20:09:19 GMT 2004


On Wednesday 24 March 2004 17:46, Tom Liston wrote:
> Most logical reason:  Someone is sending SYN packets to port 80 of
> this machine with a source address of your machine.  If it isn't you,
> then it's someone spoofing your IP address.  The machine isn't
> running a webserver, so it responds with an ACK+RST.
>
> Perhaps there WAS a webserver at that address that was ticking
> someone off enough to get itself packeted out of existence.... or
> perhaps someone got a new DHCP lease...

I see the same type of <ACK><RST> packets. 185 coming from IP addresses
of my provider. A total of 5 different source IP addresses. In total I
received 286 of these packets in 11 days. So 101 coming from a whole
range of IP addresses not belonging to my ISP.
I checked a few of these source IP addresses of my ISP and in one case
the source port was always the same (1025). But in another case there
was no pattern in source or destination port.

I have no clue.

I do report these flags to Dshield, but I don't know what Dshield does 
with this data.

-- 
fr.gr.

Freek
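
Added example, not part of the original post and not DShield's own tooling: a Python script that separates inbound RST+ACK packets answering a SYN the local host really sent from unsolicited ones of the kind discussed in this thread, then summarises the unsolicited ones per source with their source ports. The log format, the local address 203.0.113.7 and all sample lines are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log (not from the post): time, direction, src, dst, TCP flags.
# 203.0.113.7 is the assumed local address; all others are documentation ranges.
SAMPLE_LOG = """\
10:00:01 out 203.0.113.7:40001 198.51.100.20:80 SYN
10:00:02 in 198.51.100.20:80 203.0.113.7:40001 RST,ACK
10:05:10 in 192.0.2.50:80 203.0.113.7:31544 RST,ACK
10:05:11 in 192.0.2.50:80 203.0.113.7:2207 RST,ACK
10:05:12 in 192.0.2.50:80 203.0.113.7:60913 RST,ACK
10:09:30 in 192.0.2.99:1025 203.0.113.7:4662 RST,ACK
10:09:45 in 192.0.2.99:1300 203.0.113.7:4662 RST,ACK
"""

def parse(line):
    """Split one log line into (direction, (ip, port), (ip, port), flag set)."""
    _, direction, src, dst, flags = line.split()
    def endpoint(text):
        ip, port = text.rsplit(":", 1)
        return ip, int(port)
    return direction, endpoint(src), endpoint(dst), frozenset(flags.split(","))

def classify_rst_ack(log_text):
    """Return {source_ip: summary} for inbound RST+ACK with no matching outbound SYN."""
    our_syns = set()                 # (local endpoint, remote endpoint) pairs we opened
    unsolicited = defaultdict(list)  # remote ip -> remote source ports seen
    for line in log_text.splitlines():
        if not line.strip():
            continue
        direction, src, dst, flags = parse(line)
        if direction == "out" and "SYN" in flags and "ACK" not in flags:
            our_syns.add((src, dst))
        elif direction == "in" and {"RST", "ACK"} <= flags:
            if (dst, src) not in our_syns:  # nobody here sent the SYN being refused
                unsolicited[src[0]].append(src[1])
    summary = {}
    for ip, ports in unsolicited.items():
        distinct = sorted(set(ports))
        summary[ip] = {
            "count": len(ports),
            "source_ports": distinct,
            # A single fixed source port is consistent with one closed port being probed.
            "fixed_source_port": distinct[0] if len(distinct) == 1 else None,
        }
    return summary

if __name__ == "__main__":
    for ip, info in classify_rst_ack(SAMPLE_LOG).items():
        print(ip, info)
```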
