Chinese HTTP ACKs
From: David Gillett (gillettdavidfhda.edu)
Date: Wed Feb 09 2005 - 12:08:20 CST
I'm seeing a handful of addresses in the 220.127.116.11/23 space
periodically send 2-3 ACKs from port 80 to semi-random addresses
within our Class B space. The TCP checksum on these packets is
Note that these are ACK and not SYN-ACK, although no such session
appears to be underway. Between that and the checksum error, I
believe that these are NOT responses to spoofed SYNs, but are
something else crafted on the Chinese hosts themselves.
I describe the destination as "semi-random" in that the examples
I've captured have been directed at in-use addresses within
thinly-used portions of our address space. A less random target selection
would be expected to be hitting our main server ranges; a more random
selection would be expected to hit some unused addresses. So I
*suspect* that some kind of discovery process may have been used.
(In at least one case, the target lies within a sub-block that
is not supposed to exchange TCP packets with the Internet. Unfortunately,
it's relying on a Cisco ACL "established" line for this, and of course
these naked ACKs sail right on past....
Again, a reason to believe that these ACKs are not part of some
legitimate session already in progress.)
Anybody else seeing similar?
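As an added example, not code from David's post or from anyone on this list: a small stateful check over a constructed packet trace that flags ACK-only segments arriving for which no SYN or SYN-ACK was ever seen ("naked ACKs"), records whether their TCP checksum verified, and shows why a stateless Cisco `established` ACL entry (which matches any TCP segment with the ACK or RST bit set) would still permit them. The `Packet` record, the sample addresses (RFC 5737 documentation ranges) and the monitored prefix are all constructed for illustration.

```python
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Packet:
    """One TCP segment as a capture tool might summarise it (constructed type)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # TCP flag letters, e.g. "S", "SA", "A", "FA"
    checksum_ok: bool  # whether the TCP checksum verified


# Constructed sample trace (documentation addresses, not real observations).
# 192.0.2.0/24 stands in for the local address space being monitored.
SAMPLE = [
    Packet("192.0.2.10", 50000, "203.0.113.5", 80, "S", True),     # normal handshake
    Packet("203.0.113.5", 80, "192.0.2.10", 50000, "SA", True),
    Packet("192.0.2.10", 50000, "203.0.113.5", 80, "A", True),     # legitimate ACK
    Packet("198.51.100.7", 80, "192.0.2.77", 3412, "A", False),    # naked ACK, bad checksum
    Packet("198.51.100.7", 80, "192.0.2.77", 3412, "A", False),    # repeated
    Packet("198.51.100.9", 80, "192.0.2.201", 1025, "A", True),    # naked ACK, good checksum
]


def established_acl_permits(pkt: Packet) -> bool:
    """Model of a stateless 'permit tcp any any established' line.

    The Cisco 'established' keyword matches when the ACK or RST bit is set,
    regardless of whether any session actually exists, so an ACK-only
    segment with no prior handshake is permitted.
    """
    return "A" in pkt.flags or "R" in pkt.flags


def find_naked_acks(packets, monitored_prefix: str):
    """Stateful detection: ACK-only segments with no prior SYN/SYN-ACK.

    A session is remembered once any segment with the SYN bit is seen for
    the connection's endpoints (direction-agnostic key). Later ACK-only
    segments toward the monitored prefix that match no remembered session
    are reported, together with whether their checksum verified.
    """
    sessions = set()
    findings = []
    for p in packets:
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        if "S" in p.flags:
            sessions.add(key)
            continue
        if p.flags == "A" and key not in sessions and p.dst.startswith(monitored_prefix):
            findings.append({
                "src": p.src,
                "sport": p.sport,
                "dst": p.dst,
                "dport": p.dport,
                "checksum_ok": p.checksum_ok,
                "acl_established_permits": established_acl_permits(p),
            })
    return findings


def summarize_by_source(findings):
    """Group findings per source host: count, bad-checksum count, distinct targets."""
    summary = defaultdict(lambda: {"count": 0, "bad_checksum": 0, "targets": set()})
    for f in findings:
        s = summary[f["src"]]
        s["count"] += 1
        s["bad_checksum"] += 0 if f["checksum_ok"] else 1
        s["targets"].add(f["dst"])
    return dict(summary)


if __name__ == "__main__":
    hits = find_naked_acks(SAMPLE, "192.0.2.")
    for src, s in summarize_by_source(hits).items():
        print(f"{src}: {s['count']} naked ACK(s), {s['bad_checksum']} with bad checksum, "
              f"targets={sorted(s['targets'])}")
```

Run against a real capture, the same logic needs the SYN history to start before the ACKs of interest; a trace that begins mid-session will report legitimate ACKs of already-open connections, so pair the check with a warm-up period or a state table taken from the firewall rather than treating a single naked ACK as conclusive.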