[Snort-users] not your typical : BAD-TRAFFIC tcp port 0 traffic portscanning?

CS Lee geek00l at ...11827...
Fri May 25 22:48:45 EDT 2007


Hello Scheidell,

This already tells -

flags=***A*R**

:)

On 5/26/07, Richard Bejtlich <taosecurity at ...11827...> wrote:
>
> Michael Scheidell wrote:
>
> > Any idea what they are doing? Trying to portscan? Looking for some
> > vulnerability with 'dest port' 0?
>
> > 05/25-09:22:49 TCP 121.35.241.129:8000 -->  xxx.xxx.xxx.xxx :0
> > [1:524:8] BAD-TRAFFIC tcp port 0 traffic
> > [Classification: Misc activity] [Priority: 3]
> >
> >
> > #(2 - 738314) [2007-05-25 07:43:37] [snort/524] BAD-TRAFFIC tcp port 0
> > traffic IPv4: 121.35.241.129 -> xxx.xxx.xxx.xxx
> > hlen=5 TOS=0 dlen=40 ID=51608 flags=0 offset=0 TTL=238 chksum=35950
> > TCP: port=80 -> dport: 0 flags=***A*R** seq=0
> > ack=759384068 off=5 res=0 win=0 urp=0 chksum=50032 Payload: none
>
> Michael,
>
> It's "backscatter."  An unknown third party is spoofing
> xxx.xxx.xxx.xxx and SYN flooding port 80 TCP on 121.35.241.129.
> 121.35.241.129 is the real victim.
>
> 2000 paper:
>
> http://www.taosecurity.com/nid_3pe_v101.pdf
>
> 1999 paper:
>
> http://www.taosecurity.com/intv2-8.html
>
> There's nothing to worry about.
>
> Sincerely,
>
> Richard
>



-- 
Best Regards,

CS Lee<geekooL[at]gmail.com>
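As an added illustration (not part of the thread or of Snort itself), a small Python triage helper that applies Richard's reasoning to alert lines in the packet format quoted above. The sample lines are constructed; the first mirrors the quoted packet, the rest are made up for contrast.

```python
import re

# Constructed sample alert lines in the "TCP: port=... -> dport: ..." form that the
# Snort packet printer produced for rule 1:524 in the thread above (assumed format).
SAMPLE_ALERTS = [
    "TCP: port=80 -> dport: 0 flags=***A*R** seq=0 ack=759384068 off=5 res=0 win=0 urp=0 chksum=50032 Payload: none",
    "TCP: port=443 -> dport: 0 flags=***A*R** seq=0 ack=1938404 off=5 res=0 win=0 urp=0 chksum=4411 Payload: none",
    "TCP: port=44321 -> dport: 0 flags=******S* seq=18234 ack=0 off=5 res=0 win=5840 urp=0 chksum=9 Payload: none",
]

# Snort prints TCP flags as eight fixed positions: 1 2 U A P R S F (two reserved
# bits, URG, ACK, PSH, RST, SYN, FIN); an unset bit is shown as '*'.
TCP_RE = re.compile(
    r"TCP: port=(?P<sport>\d+) -> dport: (?P<dport>\d+) flags=(?P<flags>[12UAPRSF*]{8}) "
    r"seq=(?P<seq>\d+) ack=(?P<ack>\d+) .*?win=(?P<win>\d+)"
)


def parse_alert(line):
    """Return the TCP fields of one alert line as a dict, or None if it does not match."""
    m = TCP_RE.search(line)
    if not m:
        return None
    return {k: (v if k == "flags" else int(v)) for k, v in m.groupdict().items()}


def classify(pkt):
    """Heuristic verdict for one port-0 alert.

    RFC 793: a host answering a SYN that carries no ACK bit replies with
    <SEQ=0><ACK=SEG.SEQ+1><CTL=RST,ACK>. So a RST/ACK from a service port with
    seq=0 and win=0, whose ack field is a sequence number we never sent, is a
    reply to a SYN that someone spoofed with our address: backscatter, and the
    sender is the flood victim. A SYN/ACK from a service port is the open-port
    variant. A bare SYN towards port 0 is our side being probed instead.
    """
    flags, service_port = pkt["flags"], pkt["sport"] < 1024
    if "A" in flags and "R" in flags and pkt["seq"] == 0 and pkt["win"] == 0 and service_port:
        return "backscatter"
    if "A" in flags and "S" in flags and service_port:
        return "backscatter"
    if "S" in flags and "A" not in flags:
        return "probe"
    return "other"


def triage(lines):
    """Map each parsable alert line to (source port, destination port, verdict)."""
    pkts = (parse_alert(line) for line in lines)
    return [(p["sport"], p["dport"], classify(p)) for p in pkts if p]
```

The verdict is only a heuristic: confirm with flow records or the full packet log that no outbound SYN to that host preceded the RST/ACK before closing the alert as backscatter.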