Gratuitous syn/ack
Randy
randy_94108 at yahoo.com
Fri Nov 12 04:16:04 UTC 2010
--- On Thu, 11/11/10, Joel Esler <joel.esler at me.com> wrote:
> From: Joel Esler <joel.esler at me.com>
> Subject: Re: Gratuitous syn/ack
> To: "Pete Carah" <pete at altadena.net>
> Cc: "nanog at nanog.org" <nanog at nanog.org>
> Date: Thursday, November 11, 2010, 5:03 PM
> I am betting backscatter.
>
>
> Sent from my iPhone
>
> On Nov 11, 2010, at 5:31 PM, Pete Carah <pete at altadena.net> wrote:
>
> > I'm seeing a significant number (about 1/minute 24 hr/day) of syn/ack
> > packets coming from port 80 of random addresses to random ports on my
> > nameserver and a few other systems. This isn't enough traffic to be
> > really annoying, but is curious.
> >
> > I wonder if the simple explanation (backscatter from syn floods with
> > spoofed source addresses) is more likely, or if there are some probing
> > techniques in "normal" use that use these packets (one could accomplish
> > a traceroute using port 80 packets in either direction...)
> >
> > -- Pete
...or script kiddies port-scanning - sending a syn-ack to a non-existent session expecting a RST back.
./Randy
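
One way to weigh the explanations raised in this thread against a packet log, as an added example that is not part of the original posts: flag inbound SYN/ACKs that answer no SYN the host sent, then group them by sender. The record layout, the sample addresses and the `scan_targets` threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records (not captured traffic):
# (time_s, src_ip, src_port, dst_ip, dst_port, flags); "S" = SYN, "SA" = SYN/ACK.
LOCAL = {"192.0.2.53"}  # assumed address of the monitored nameserver
SAMPLE = [
    (0.0, "192.0.2.53", 40001, "198.51.100.7", 80, "S"),
    (0.1, "198.51.100.7", 80, "192.0.2.53", 40001, "SA"),   # answers our SYN
    (60.0, "203.0.113.10", 80, "192.0.2.53", 1734, "SA"),   # no SYN from us
    (125.0, "203.0.113.10", 80, "192.0.2.53", 1734, "SA"),  # same target again
    (180.0, "203.0.113.99", 80, "192.0.2.53", 22, "SA"),    # one sender walking
    (180.1, "203.0.113.99", 80, "192.0.2.53", 23, "SA"),    # several ports
    (180.2, "203.0.113.99", 80, "192.0.2.53", 25, "SA"),
]

def unsolicited_synacks(packets, local=LOCAL):
    """Return inbound SYN/ACKs whose 4-tuple matches no earlier outbound SYN."""
    syn_sent = set()
    hits = []
    for _t, src, sport, dst, dport, flags in sorted(packets):
        if src in local and flags == "S":
            syn_sent.add((src, sport, dst, dport))
        elif dst in local and flags == "SA" and (dst, dport, src, sport) not in syn_sent:
            hits.append((src, sport, dst, dport))
    return hits

def summarize(hits, scan_targets=3):
    """Group by sender; scan_targets is an assumed heuristic, not a standard."""
    targets = defaultdict(set)
    counts = defaultdict(int)
    for src, _sport, dst, dport in hits:
        targets[src].add((dst, dport))
        counts[src] += 1
    return {
        src: {
            "packets": counts[src],
            "distinct_targets": len(targets[src]),
            "guess": "scan-like" if len(targets[src]) >= scan_targets
                     else "backscatter-like",
        }
        for src in counts
    }

if __name__ == "__main__":
    for src, info in summarize(unsolicited_synacks(SAMPLE)).items():
        print(src, info)
```

The "guess" field is only a sorting aid: a sender that touches many distinct local ports looks more like probing, while scattered single hits from many senders fit the backscatter explanation.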