[unisog] Strange packets to random addresses in our network

Peter Van Epp vanepp at sfu.ca
Mon Dec 29 02:56:45 GMT 2003


	Looks to have started here at 08:58 PDT on Dec 22 and proceeded from
there ...

Sun 12/21 08:58:39      tcp    69.20.46.210.443    ?>   142.58.154.45.25881 1      0       0         0        TIM
Sun 12/21 08:59:22      tcp    69.20.46.210.443    ?>   142.58.40.131.29149 1      0       0         0        TIM
Sun 12/21 09:00:09      tcp    69.20.46.210.443    ?>  142.58.130.160.63572 1      0       0         0        TIM
Sun 12/21 09:00:28      tcp    69.20.46.210.443    ?>   142.58.228.38.39183 1      0       0         0        TIM
Sun 12/21 09:00:41      tcp    69.20.46.210.443    ?>   199.60.16.187.56639 1      0       0         0        TIM
Sun 12/21 09:01:10      tcp    69.20.46.210.443    ?>   142.58.83.114.27177 1      0       0         0        TIM
Sun 12/21 09:01:36      tcp    69.20.46.210.443    ?>   199.60.15.118.57110 1      0       0         0        TIM
Sun 12/21 09:02:23      tcp    69.20.46.210.443    ?>   142.58.13.144.32031 1      0       0         0        TIM

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada


On Mon, Dec 29, 2003 at 10:46:53AM +1300, Russell Fulton wrote:
> Hi All,
> 	Compliments of the Season to All, I have a holiday puzzle for you :)
> This is being sent to abuse at rackspace.com as well as the unisog mailing
> list.
> 
> About a week ago we started seeing a steady trickle (1100 over the last
> 3 days) of these packets hitting our network.  Source address is always
> the same (69.20.46.210) as is the source port (443); destination port and
> address appear to be random.
> 
> Below is a snort capture of one packet; note the options field, which
> is why snort is flagging them:
>
<snip> 
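
The pattern described in this thread, one fixed source address and port sending single packets to many unrelated destinations, can be pulled out of flow records laid out like those above. The following is an added example, not code from the thread or either poster; the sample records are constructed (RFC 5737 documentation addresses), and it assumes the first counter column is the source packet count.

```python
from collections import defaultdict

# Constructed sample records in the same column layout as the log above
# (documentation addresses, not data from the thread).
SAMPLE = """\
Sun 12/21 08:58:39      tcp    192.0.2.10.443    ?>   198.51.100.45.25881 1      0       0         0        TIM
Sun 12/21 08:59:22      tcp    192.0.2.10.443    ?>   198.51.100.131.29149 1      0       0         0        TIM
Sun 12/21 09:00:09      tcp    192.0.2.10.443    ?>   203.0.113.160.63572 1      0       0         0        TIM
Sun 12/21 09:00:28      tcp    192.0.2.10.443    ?>   203.0.113.38.39183 1      0       0         0        TIM
Sun 12/21 09:00:30      tcp    192.0.2.77.51515    ->   198.51.100.5.80 12      10       900         4000        FIN
Sun 12/21 09:00:31      tcp    192.0.2.77.51516    ->   198.51.100.5.80 9      8       700         3100        FIN
this line is not a flow record
"""

def split_endpoint(field):
    """Split 'a.b.c.d.port' into (ip, port); the port follows the last dot."""
    ip, port = field.rsplit(".", 1)
    if ip.count(".") != 3:
        raise ValueError(f"not an IPv4 endpoint: {field!r}")
    return ip, int(port)

def parse(line):
    """Return (src_ip, src_port, dst_ip, dst_port, src_pkts), or None if unparseable."""
    f = line.split()
    if len(f) < 8 or f[3] not in ("tcp", "udp"):
        return None
    try:
        # Assumption: column 8 is the packet count sent by the source.
        return (*split_endpoint(f[4]), *split_endpoint(f[6]), int(f[7]))
    except ValueError:
        return None

def fixed_source_fanout(text, min_dsts=3):
    """Map (src_ip, src_port) -> number of distinct destination endpoints, for
    sources that sent only one-packet flows to at least min_dsts distinct hosts."""
    dsts, single = defaultdict(set), defaultdict(lambda: True)
    for sip, sport, dip, dport, pkts in filter(None, map(parse, text.splitlines())):
        dsts[(sip, sport)].add((dip, dport))
        single[(sip, sport)] &= (pkts == 1)
    return {k: len(v) for k, v in dsts.items()
            if single[k] and len({host for host, _ in v}) >= min_dsts}

if __name__ == "__main__":
    for (ip, port), n in fixed_source_fanout(SAMPLE).items():
        print(f"{ip}:{port} -> {n} distinct destination endpoints, one packet each")
```
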


