Gratuitous syn/ack

Randy randy_94108 at yahoo.com
Fri Nov 12 04:16:04 UTC 2010


--- On Thu, 11/11/10, Joel Esler <joel.esler at me.com> wrote:

> From: Joel Esler <joel.esler at me.com>
> Subject: Re: Gratuitous syn/ack
> To: "Pete Carah" <pete at altadena.net>
> Cc: "nanog at nanog.org" <nanog at nanog.org>
> Date: Thursday, November 11, 2010, 5:03 PM
> I am betting backscatter.  
> 
> 
> Sent from my iPhone
> 
> On Nov 11, 2010, at 5:31 PM, Pete Carah <pete at altadena.net> wrote:
> 
> > I'm seeing a significant number (about 1/minute 24 hr/day) of syn/ack
> > packets coming from port 80 of random addresses to random ports on my
> > nameserver and a few other systems.  This isn't enough traffic to be
> > really annoying, but is curious.
> > 
> > I wonder if the simple explanation (backscatter from syn floods with
> > spoofed source addresses) is more likely, or if there are some probing
> > techniques in "normal" use that use these packets (one could accomplish
> > a traceroute using port 80 packets in either direction...)
> > 
> > -- Pete



...or script kiddies port-scanning - sending a syn-ack to a non-existent session expecting a RST back.
./Randy
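
Both explanations in this thread show up on the wire the same way: a SYN/ACK arriving for a connection the local host never opened. The following is an added example, not code from any poster in the thread, that separates such packets from replies to the host's own SYNs and tallies them by source; the record layout, the documentation-range addresses, `LOCAL` and the 75-second window are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample records (not from the thread):
# (timestamp, src_ip, src_port, dst_ip, dst_port, tcp_flags)
# 192.0.2.53 stands in for the local nameserver.
LOCAL = {"192.0.2.53"}
SAMPLE = [
    (0.0, "192.0.2.53", 40000, "198.51.100.7", 80, "S"),    # our own outbound SYN
    (0.1, "198.51.100.7", 80, "192.0.2.53", 40000, "SA"),   # solicited reply
    (5.0, "203.0.113.10", 80, "192.0.2.53", 31337, "SA"),   # no SYN from us
    (65.0, "203.0.113.99", 80, "192.0.2.53", 1029, "SA"),
    (130.0, "198.51.100.200", 80, "192.0.2.53", 52111, "SA"),
    (131.0, "198.51.100.200", 80, "192.0.2.53", 52112, "SA"),
]


def unsolicited_synacks(records, local, window=75.0):
    """Return inbound SYN/ACKs that answer no local SYN sent within `window` seconds."""
    pending = {}  # (local_ip, local_port, remote_ip, remote_port) -> time of our SYN
    hits = []
    for ts, src, sport, dst, dport, flags in sorted(records):
        if flags == "S" and src in local:
            pending[(src, sport, dst, dport)] = ts
        elif flags == "SA" and dst in local:
            sent = pending.get((dst, dport, src, sport))
            if sent is None or ts - sent > window:
                hits.append((ts, src, sport, dst, dport))
    return hits


def summarize(hits):
    """Per (source ip, source port): packet count and the local ports that were hit."""
    counts = Counter()
    ports = defaultdict(set)
    for _, src, sport, _, dport in hits:
        counts[(src, sport)] += 1
        ports[(src, sport)].add(dport)
    return {key: (counts[key], sorted(ports[key])) for key in counts}


if __name__ == "__main__":
    report = summarize(unsolicited_synacks(SAMPLE, LOCAL))
    for (src, sport), (n, dports) in report.items():
        print(f"{src}:{sport} -> {n} unsolicited SYN/ACK(s), local ports {dports}")
```
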



