[unisog] Interesting traffic

Gary Flynn flynngn at jmu.edu
Fri Feb 6 17:27:37 GMT 2004


Asadoorian, Paul D wrote:

> This traffic started on my network on Feb. 2nd, at 7:00AM EST STD time.
> They all originate from 202.109.129.203, all with a source port of 6667
> TCP, the destination is my entire class B on TCP ports 1024 and 3072.
> All packets are RST/ACK.  Anyone else seeing this IP hitting their
> network?  Looks like someone is spoofing our address space, and I have
> confirmed that at least one other University is seeing this.

See it here too. I see traffic similar to this quite often
from both port 80 and 6667. I figured it was stuff like
this:

http://www.sans.org/resources/idfaq/spoofed_ip.php
http://home.satx.rr.com/bejtlich/nid_3pe_v101.pdf

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University



More information about the unisog mailing list