Strange packets from Verisign Sitefinder
From: Ralf G (gue alphatel.de)
Date: Thu Oct 02 2003 - 06:53:49 CDT
Hi list
I am seeing strange packets coming from Verisign's Sitefinder in my firewall logs. It appears that they are SYN-ACK packets sent to unused addresses in our registered address space. My theory is that someone else has spoofed the source addresses in an initial HTTP connection to Sitefinder, but the reply packets are then routed to the rightful owner of these addresses (us).
Here is a sample packet dump:
13:41:55.458798 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.193.56.1959: S 246336671:246336671(0) ack 1099366401 win 16384 (ttl 87, id 256)
13:41:55.941884 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.194.115.1178: S 154406256:154406256(0) ack 530055169 win 16384 (ttl 87, id 256)
13:41:56.081523 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.193.88.1709: S 17910271:17910271(0) ack 755564545 win 16384 (ttl 87, id 256)
13:41:56.814659 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.194.147.1696: S 72446775:72446775(0) ack 186253313 win 16384 (ttl 87, id 256)
13:41:57.324028 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.195.206.1915: S 327185891:327185891(0) ack 1764425729 win 16384 (ttl 87, id 256)
These packets arrive here in vast numbers. Does anyone have any ideas what else could cause this and what I could do about it? So far, I don't see that I can do much about it.
Any ideas appreciated
Ralf G.
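
An added example, not part of the original post: a small Python triage script for the tcpdump format quoted above. It reports SYN-ACKs that answer no SYN seen leaving the local side, grouped by sender with their TTL, IP id and window values. The function name `find_backscatter` is hypothetical, the two `www.example.org` lines are constructed, and it assumes the capture point also sees outbound SYNs and resolves names consistently.

```python
import re
from collections import defaultdict

# Old-style `tcpdump -e -v` line, as in the dump quoted in the post.
LINE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+ ip \d+: "
    r"(?P<src>\S+)\.(?P<sport>[\w-]+) > (?P<dst>\S+)\.(?P<dport>[\w-]+): "
    r"(?P<flags>\S+) (?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))? "
    r"win (?P<win>\d+) \(ttl (?P<ttl>\d+), id (?P<ipid>\d+)\)")

# Lines 1-2 are from the post; lines 3-4 are a constructed, solicited handshake.
SAMPLE = """\
13:41:55.458798 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.193.56.1959: S 246336671:246336671(0) ack 1099366401 win 16384 (ttl 87, id 256)
13:41:55.941884 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.194.115.1178: S 154406256:154406256(0) ack 530055169 win 16384 (ttl 87, id 256)
13:42:00.100000 0:c0:95:e2:32:66 0:b0:c2:8b:bf:76 ip 60: 193.227.193.10.40000 > www.example.org.http: S 1000:1000(0) win 5840 (ttl 64, id 4242)
13:42:00.150000 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: www.example.org.http > 193.227.193.10.40000: S 2000:2000(0) ack 1001 win 5840 (ttl 52, id 0)
""".splitlines()

def find_backscatter(lines):
    """Group SYN-ACKs that answer no SYN seen from our side, keyed by sender."""
    pending = set()  # (client, cport, server, sport) for SYNs we saw going out
    report = defaultdict(lambda: {"count": 0, "targets": set(), "fingerprints": set()})
    for line in lines:
        m = LINE.match(line.strip())
        if not m or "S" not in m["flags"]:
            continue                      # unparsed line or not a SYN/SYN-ACK
        if m["ack"] is None:              # plain SYN: remember the 4-tuple
            pending.add((m["src"], m["sport"], m["dst"], m["dport"]))
            continue
        key = (m["dst"], m["dport"], m["src"], m["sport"])
        if key in pending:                # reply to a SYN we actually sent
            pending.discard(key)
            continue
        entry = report[m["src"]]          # unsolicited SYN-ACK
        entry["count"] += 1
        entry["targets"].add(m["dst"])
        # A single repeated (ttl, ip id, window) tuple points at one sender stack.
        entry["fingerprints"].add((int(m["ttl"]), int(m["ipid"]), int(m["win"])))
    return dict(report)

if __name__ == "__main__":
    for sender, info in find_backscatter(SAMPLE).items():
        print(sender, info["count"], sorted(info["targets"]), info["fingerprints"])
```
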