SYN spoofing

bandregg at
Mon Jul 26 18:13:43 UTC 1999

This past weekend I was contacted by several groups ranging from NASA to a
small service provider in the Bay Area regarding one of our hosts port
scanning their networks using RESET packets. In each of these cases the
machine seemed to be scanning random addresses in their networks on random,
non-reserved (+1024), ports.

After investigating these claims it appears as if someone is sending SYN
packets to this machine (which serves ftp, which explains why the ports are
open through the cisco) with a spoofed source address causing the machine to
send RESET packets back to the spoofed host and setting off their firewalls.

I cannot seem to get past level-1 or level-2 support from my upstream, GTE/BBN
to find out where these packets are coming from to track this down. So, I come
to you...

Two currently on-going attacks are using the spoofed source addresses from the
networks 134.50.x.x and 130.221.x.x.

If you see activity from these networks inside of your borders, but the
networks are not inside of your borders, please contact me off the list.

Oh yeah, and filter this stuff out people, this is unacceptable.
                 Bryan C. Andregg * <bandregg at> * Red Hat, Inc.

  1024/625FA2C5		F5 F3 DC 2E 8E AF 26 B0 2C 31 78 C2 6C FB 02 77
  1024/0x46E7A8A2	46EB 61B1 71BD 2960 723C 38B6 21E4 23CC 46E7 A8A2
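The pattern described in the post, spoofed inbound SYNs that make a host send RSTs to addresses it never talked to, can be confirmed from a packet capture by correlating each outbound RST with a preceding inbound SYN whose source address and port are the RST's destination. Below is an added example of that check, written for this page and not part of the original message. The host address (10.0.0.5), the packet records, and the field names are all constructed for illustration; it assumes the spoofed SYNs hit closed ports so the host answers them directly with RSTs. The last function is the ingress-side counterpart of "filter this stuff out": a provider checking that traffic arriving from a customer carries only that customer's own source prefixes.

```python
"""Tell reflected RST "backscatter" from a real scan originating on this host.

Added example (not from the original NANOG post). All traffic below is
constructed by hand; addresses and field names are assumptions.
"""
import ipaddress
from collections import namedtuple

Pkt = namedtuple("Pkt", "dir src sport dst dport flags")

# Assumed address of the FTP host that was accused of scanning.
HOST = "10.0.0.5"

# Constructed sample as seen at the host: inbound SYNs with spoofed sources in
# 134.50/16 and 130.221/16 aimed at closed high ports, each answered with a
# RST to the spoofed address, plus one outbound RST that has no inbound cause.
SAMPLE = [
    Pkt("in",  "134.50.12.7",  40001, HOST,          21000, "S"),
    Pkt("out", HOST,           21000, "134.50.12.7", 40001, "RA"),
    Pkt("in",  "130.221.3.44", 50123, HOST,          22000, "S"),
    Pkt("out", HOST,           22000, "130.221.3.44", 50123, "RA"),
    Pkt("out", HOST,            1234, "192.0.2.9",   31337, "R"),
]


def classify_rsts(pkts, host):
    """Split outbound RSTs into (reflected, unexplained).

    An outbound RST is 'reflected' when an inbound SYN was seen earlier with
    src/sport equal to the RST's dst/dport and dport equal to the RST's sport.
    Anything else is a RST this host originated on its own.
    """
    seen_syns = set()
    reflected, unexplained = [], []
    for p in pkts:
        if p.dir == "in" and p.dst == host and "S" in p.flags and "A" not in p.flags:
            seen_syns.add((p.src, p.sport, p.dport))
        elif p.dir == "out" and p.src == host and "R" in p.flags:
            key = (p.dst, p.dport, p.sport)
            (reflected if key in seen_syns else unexplained).append(p)
    return reflected, unexplained


def spoofed_prefixes(reflected, octets=2):
    """Count reflected RSTs per /16 of the spoofed (victim) address, so the
    networks being used as forged sources can be named, as the post does."""
    counts = {}
    for p in reflected:
        pfx = ".".join(p.dst.split(".")[:octets])
        counts[pfx] = counts.get(pfx, 0) + 1
    return counts


def bcp38_violation(src, customer_prefixes):
    """True if a packet arriving from a customer link carries a source address
    outside the prefixes assigned to that customer, i.e. it should be dropped
    at ingress instead of being forwarded with a forged source."""
    addr = ipaddress.ip_address(src)
    return not any(addr in ipaddress.ip_network(p) for p in customer_prefixes)


if __name__ == "__main__":
    refl, unexpl = classify_rsts(SAMPLE, HOST)
    print("reflected RSTs:", len(refl), "per /16:", spoofed_prefixes(refl))
    print("RSTs this host really originated:", len(unexpl))
    print("134.50.12.7 from a 198.51.100.0/24 customer is spoofed:",
          bcp38_violation("134.50.12.7", ["198.51.100.0/24"]))
```

Run against a real capture, the same three-tuple match is what lets you answer an abuse complaint with evidence: every "scan" packet they saw was a reply to a forged SYN, and the forged source prefixes tell you which networks were being spoofed rather than which network was attacking.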
