[unisog] Strange packets to random addresses in our network
mjassels at cs.concordia.ca
Mon Dec 29 05:17:15 GMT 2003
On Mon, 29 Dec 2003 10:46:53 +1300,
Russell Fulton <r.fulton at auckland.ac.nz> wrote:
> About a week ago we started seeing a steady trickle (1100 over the last
> 3 days) of these packets hitting our network. Source address is always
> the same (126.96.36.199) as is the source port (443); destination port and
> address appear to be random.
I'm seeing a few of these, too (i.e., source = 188.8.131.52:443
and destination random). Tethereal tells me the TCP options consist
of an MD5 signature and EOL, and that the TCP checksum is always
wrong (possibly because it's calculated before the MD5 signature?)
It sure looks like the back-scatter of a DDOS aimed at 184.108.40.206.
There's an A record for "secure.chronopay.com" pointing at that
address (sometimes), but apparently no corresponding PTR. That
makes DDOS seem even more plausible, IMHO.
[I've left <abuse at rackspace.com> out of the CC list, since I'm
probably not adding anything they don't already know.]
Michael Assels Manager, Network/Systems/Security
Department of Computer Science Concordia University, Montreal
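The two observations in this thread (TCP options consisting of an MD5 signature plus EOL, and a TCP checksum that never verifies) can both be checked programmatically rather than by eyeballing tethereal output, and the backscatter hypothesis itself has a simple detection signature: one source IP:port sending SYN/ACK or RST segments to many unrelated destination addresses. The following script is an added example written for this archive page; it is not code from the thread's participants. It builds a handful of constructed packets using RFC 5737 documentation addresses (192.0.2.0/24 and 198.51.100.0/24, not the addresses reported in the thread), dissects them with a small TCP option parser, recomputes the TCP checksum over the IPv4 pseudo-header, and groups segments by source to flag the backscatter pattern. The threshold of three distinct destinations and the choice to corrupt the checksum with an XOR are assumptions made for the demonstration.

```python
import struct
from collections import defaultdict

# Documented TCP option kinds we recognise; kind 19 is the MD5 Signature option (RFC 2385).
TCP_OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WScale", 4: "SACKOK",
                    5: "SACK", 8: "Timestamps", 19: "MD5SIG"}
SYN, RST, ACK = 0x02, 0x04, 0x10


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum used by both the IPv4 and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the segment with its checksum field zeroed."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def parse_tcp_options(segment: bytes) -> list:
    """Return [(kind, name, payload)] for the option bytes between the fixed header and data."""
    data_offset = (segment[12] >> 4) * 4
    opts = segment[20:data_offset]
    parsed, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # EOL terminates the option list
            parsed.append((0, "EOL", b""))
            break
        if kind == 1:                      # NOP has no length byte
            parsed.append((1, "NOP", b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length")
        parsed.append((kind, TCP_OPTION_NAMES.get(kind, f"kind{kind}"), opts[i + 2:i + length]))
        i += length
    return parsed


def build_packet(src_ip, dst_ip, sport, dport, flags, options=b"", bad_checksum=False) -> bytes:
    """Construct an IPv4+TCP packet (no payload); bad_checksum deliberately corrupts the TCP checksum."""
    while len(options) % 4:
        options += b"\x00"                 # pad the option list with EOL bytes to a 32-bit boundary
    doff = (20 + len(options)) // 4
    src, dst = ip_bytes(src_ip), ip_bytes(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, doff << 4, flags, 8192, 0, 0) + options
    csum = tcp_checksum(src, dst, tcp)
    if bad_checksum:
        csum ^= 0x5555                     # assumption: any non-zero XOR yields a wrong checksum
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    ip_csum = (~ones_complement_sum(ip_hdr)) & 0xFFFF
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_csum) + ip_hdr[12:]
    return ip_hdr + tcp


def dissect(packet: bytes) -> dict:
    """Pull out addresses, ports, flags, option names and whether the TCP checksum verifies."""
    ihl = (packet[0] & 0x0F) * 4
    src, dst = packet[12:16], packet[16:20]
    total_len = struct.unpack("!H", packet[2:4])[0]
    seg = packet[ihl:total_len]
    sport, dport = struct.unpack("!HH", seg[:4])
    stored = struct.unpack("!H", seg[16:18])[0]
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "sport": sport, "dport": dport, "flags": seg[13],
            "options": [name for _, name, _ in parse_tcp_options(seg)],
            "checksum_ok": stored == tcp_checksum(src, dst, seg)}


def find_backscatter_sources(packets, min_destinations=3) -> set:
    """(src, sport) pairs whose SYN/ACK or RST segments reach many distinct destinations."""
    dests = defaultdict(set)
    for p in packets:
        d = dissect(p)
        if d["flags"] & RST or d["flags"] & (SYN | ACK) == SYN | ACK:
            dests[(d["src"], d["sport"])].add(d["dst"])
    return {k for k, v in dests.items() if len(v) >= min_destinations}


# Constructed sample traffic: five SYN/ACKs from one :443 source to random hosts, carrying
# MD5SIG + EOL with a broken checksum (as described in the thread), plus one ordinary SYN.
MD5_OPTS = bytes([19, 18]) + bytes(16) + b"\x00"
SAMPLE = [build_packet("192.0.2.10", f"198.51.100.{i}", 443, 1024 + i, SYN | ACK,
                       MD5_OPTS, bad_checksum=True) for i in range(1, 6)]
SAMPLE.append(build_packet("198.51.100.7", "192.0.2.10", 40000, 443, SYN, bytes([2, 4, 0x05, 0xB4])))

if __name__ == "__main__":
    for p in SAMPLE:
        print(dissect(p))
    print("backscatter sources:", find_backscatter_sources(SAMPLE))
```

Run against a real capture, `dissect()` would be fed the bytes of each IPv4 frame; the interesting output for the thread's case is the combination of `options == ["MD5SIG", "EOL"]`, `checksum_ok == False`, and a single `(src, 443)` key accumulating many destinations, which is the pattern one expects when a victim's replies to spoofed SYNs land on addresses the attacker picked at random.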