[Snort-users] Re: Slightly OT: Anyone else seeing TCP traffic from

Bier_und_Schnaps at ...348...
Wed Sep 3 05:20:04 EDT 2003


This behaviour could stem from the measure of some companies to disarm the
Blaster.A DDOS attack. They modified their DNS Servers to resolve
windowsupdate.com to By doing that, the requests of infected clients to DDOS
windowsupdate.com weren't routed over the network. But as a result of that
measure, RST ACK packets with SRC to <RandomIP> occurred, as most of
the infected clients didn't have a webserver listening on and
therefore the connection was declined.
Maybe that explains the odd packets you recognize.

Regards Joachim
