Date:      Tue, 18 May 1999 09:19:18 +0930 (CST)
From:      Kris Kennaway <kkennawa@physics.adelaide.edu.au>
To:        Dag-Erling Smorgrav <des@flood.ping.uio.no>
Cc:        Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, freebsd-security@FreeBSD.ORG
Subject:   Re: Interesting Attack
Message-ID:  <Pine.OSF.4.10.9905180915360.6232-100000@bragg>
In-Reply-To: <xzpr9ofqsk1.fsf@localhost.ping.uio.no>

On 17 May 1999, Dag-Erling Smorgrav wrote:

> Cy Schubert <cschuber@uumail.gov.bc.ca> writes:
> > I'm seeing a number of packets from sites around the Internet to 
> > port 1096.  What service lives on port 1096?  Has anyone seen this 
> > before?
> 
> None. I think somebody's trying to bounce packets off your machine to
> another box by spoofing the source address, *or* somebody has been
> sending spoofed packets with your IP as source address to some other
> boxen.
> 
> Look at the source ports: 23 (telnet), 139 (NetBIOS), 6667 (IRC)... I
> checked the IP addresses which appear with port 6667, and they're all
> IRC servers. You wouldn't expect connections to *originate* from port
> 6667 on these boxen; I think somebody sent them SYN packets made up to
> look as if they came from you, and they replied.
> 
> In any case, I don't think you're the target; you're just an innocent
> passer-by which they picked to pin the blame on (from the POV of the
> target sites, it looks as if *you* ran a port scan on them - or would
> if your firewall hadn't dropped those packets).

I was getting hundreds of similar packets per day here a few weeks ago, almost
all from different sites, all from spoofed source addresses, to a nonexistent
IP address and on an unobtrusive port number (1584) but the common thread was
that all of the source hosts were running an IRC daemon. I never did find out
conclusively what it was, but my guess is that someone was using my source
address to spoof packets from, and I was seeing reverse probes by the IRC
server.

It all stopped when I turned on IP unreachables on my firewall.

Kris

-----
"That suit's sharper than a page of Oscar Wilde witticisms that's been
rolled up into a point, sprinkled with lemon juice and jabbed into
someone's eye"
"Wow, that's sharp!" - Ace Rimmer and the Cat, _Red Dwarf_
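The pattern both replies describe (SYN/ACKs and RSTs from many unrelated hosts, all with service source ports such as 23, 139 or 6667, landing on one local port nobody listens on) is backscatter from someone spoofing your address. The following is an added detection example, not code from the thread; it runs over constructed log lines in a simplified ipfw-style format, and the field layout and the `backscatter_report` helper are assumptions for the example.

```python
"""Flag backscatter: reply-only TCP packets (SYN/ACK or RST) from many distinct
remote hosts, all aimed at one local port we never opened. That shape means
someone else sent SYNs with our address as the source and the victims replied."""
from collections import defaultdict
import re

# Constructed sample lines (not real firewall output); simplified ipfw-like layout.
SAMPLE_LOG = """\
Deny TCP 192.0.2.10:6667 203.0.113.5:1096 in via fxp0 flags SA
Deny TCP 198.51.100.7:6667 203.0.113.5:1096 in via fxp0 flags SA
Deny TCP 192.0.2.44:23 203.0.113.5:1096 in via fxp0 flags R
Deny TCP 198.51.100.9:139 203.0.113.5:1096 in via fxp0 flags SA
Deny TCP 192.0.2.77:6667 203.0.113.5:1096 in via fxp0 flags SA
Accept TCP 192.0.2.10:51234 203.0.113.5:22 in via fxp0 flags S
Deny TCP 192.0.2.88:51235 203.0.113.5:80 in via fxp0 flags S
"""

LINE_RE = re.compile(r"(?P<action>\w+) TCP (?P<src>[\d.]+):(?P<sport>\d+) "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+) .* flags (?P<flags>\S+)")

# A SYN/ACK or RST is an answer to a SYN; if we never sent one, it is a reply
# to a spoofed packet. A bare SYN is an ordinary probe and is not counted.
REPLY_FLAGS = {"SA", "R", "RA"}

def parse(log):
    """Yield one dict per recognised log line; unknown lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            yield rec

def backscatter_report(log, min_sources=3):
    """Map each local port hit by reply-only packets from at least
    `min_sources` distinct remote hosts to the sorted remote service ports seen."""
    hosts = defaultdict(set)   # local dport -> remote hosts replying to it
    sports = defaultdict(set)  # local dport -> remote source (service) ports
    for p in parse(log):
        if p["flags"] not in REPLY_FLAGS:
            continue
        hosts[p["dport"]].add(p["src"])
        sports[p["dport"]].add(p["sport"])
    return {port: sorted(sports[port])
            for port, srcs in hosts.items() if len(srcs) >= min_sources}

if __name__ == "__main__":
    for port, svc in backscatter_report(SAMPLE_LOG).items():
        print(f"local port {port}: replies from service ports {svc}; "
              "likely backscatter from spoofing of our address")
```

On the sample, only port 1096 is reported, with the telnet, NetBIOS and IRC source ports the thread mentions; the two genuine SYN probes to 22 and 80 are ignored.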