vanjaRELAYGROUP.COM

• Next message: Cy Schubert - ITSD Open Systems Group: "Looking for Squid Proxies"
• Previous message: Graeme Fowler: "Re: TCP port 3218"
• In reply to: Stephen P. Berry: "Munged Napster Sessions"
• Next in thread: Stuart Staniford-Chen: "Port 6112"
• Next in thread: Stephen P. Berry: "Re: Munged Napster Sessions"
• Reply: Vanja Hrustic: "Re: Munged Napster Sessions"
• Reply: Stuart Staniford-Chen: "Port 6112"
• Reply: simondIRRELEVANT.ORG: "Re: Munged Napster Sessions"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

"Stephen P. Berry" wrote:
> Notably, the traffic of interest includes various bogus TCP flag
> combinations (everything from SYN-FIN packets to full Xmas packets),
> bogus TCP flags, and tiny fragments.
>
> In absence of the established napster session, the anomalous traffic would
> look powerfully like some sort of TCP fingerprinting attempt to
> me.

A silly question: is any of sites involved located at *.demon.co.uk, by
any chance?

I think that quite many people these days are seeing false alarms caused
by traffic which comes from demon. Demon blames it on "network
equipment". For example, a guy (using demon.co.uk) is browsing my
website, and during that session, a packet is sent to random high port
(like 3xxxx). Packets are really strange; sometimes they have all bits
set, sometimes not.

I just got used to that :)

--
Vanja Hrustic
The Relay Group
http://relaygroup.com
Technology Ahead of Time

• Next message: Cy Schubert - ITSD Open Systems Group: "Looking for Squid Proxies"
• Previous message: Graeme Fowler: "Re: TCP port 3218"
• In reply to: Stephen P. Berry: "Munged Napster Sessions"
• Next in thread: Stuart Staniford-Chen: "Port 6112"
• Next in thread: Stephen P. Berry: "Re: Munged Napster Sessions"
• Reply: Vanja Hrustic: "Re: Munged Napster Sessions"
• Reply: Stuart Staniford-Chen: "Port 6112"
• Reply: simondIRRELEVANT.ORG: "Re: Munged Napster Sessions"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]