Security Incidents: Re: An ICMP Type 3 Signature

Re: An ICMP Type 3 Signature

From: Russell Fulton <r.fulton_at_AUCKLAND.AC.NZ>
Date: Mon, 9 Oct 2000 11:34:46 +1300

On Wed, 4 Oct 2000 13:26:13 -0700 "Stephen P. Berry"
<spb_at_MESHUGGENEH.NET> wrote:

>>
> My hunch is that what I'm seeing is the result of someone scanning
> multiple target hosts (in the example above 194.102.148.213) using
> the destination addresses of multiple unrelated machines (a.b.c.d
> and i.j.k.l in this example) as decoy addresses.
>
> What I'd be interested in, then, is:
>
> -The opinions of anyone who thinks that -isn't- what I'm
> seeing

I regularly see similar traffic and I have always assumed it was
fallout from a DoS attack using random spoofed source IP and port
numbers. If a machine under DoS gets taken offline then the upstream
router will start generating Host URs. We have a /16 address space and
I often see URs coming in for 'random' addresses in our block, all from
the same router and for the same host. These packets are well spaced
in time (up to hours apart) and the traffic typically lasts a few hours.

Given the number of packets we see in our /16 address space and
assuming that the source IP is uniform random then there are a lot more
packets than a normal scan would generate.

Russell.
Received on Oct 10 2000
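The two readings in this thread (decoy scan versus DoS backscatter) can be told apart from the ICMP type 3 packets themselves: the router's datagram quotes the original IP header, so each unreachable tells you which address in your block was used as the source and which host it was aimed at. The following Python is an added example written for this page, not code from either poster; it builds constructed sample traffic (documentation-range router and victim addresses, a made-up 10.10.0.0/16 as "our" block), parses the ICMP type 3 quote, and groups per reporting router. A single quoted destination reported back to many distinct addresses of ours is scored as backscatter (random spoofed sources, as Russell describes); a handful of our addresses quoted against many destinations is scored as decoy-scan-like (Berry's hypothesis). The thresholds `backscatter_min` and `decoy_max` are assumptions to tune for your own address space.

```python
import ipaddress
import random
import struct
from collections import defaultdict

# Constructed sample space for the example: "our" /16 (assumption, private range).
OUR_NET = ipaddress.IPv4Network("10.10.0.0/16")


def _packed(addr):
    return ipaddress.IPv4Address(addr).packed


def build_host_unreach(router, our_addr, victim, sport, dport):
    """Construct the ICMP type 3 code 1 datagram a router sends back to our_addr
    after failing to deliver our_addr -> victim (sample data, not a capture)."""
    quoted = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         _packed(our_addr), _packed(victim))
    quoted += struct.pack("!HHI", sport, dport, 0)      # first 8 bytes of the TCP header
    icmp = struct.pack("!BBHI", 3, 1, 0, 0) + quoted    # type 3, code 1 = host unreachable
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 255, 1, 0,
                        _packed(router), _packed(our_addr))
    return outer + icmp


def parse_unreach(pkt):
    """Parse an IPv4/ICMP type 3 datagram. Returns None for non-ICMP traffic, other
    ICMP types, or a quote shorter than original header + 8 bytes (RFC 792)."""
    if len(pkt) < 20 or pkt[9] != 1:
        return None
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if len(icmp) < 8 + 28 or icmp[0] != 3:
        return None
    quoted = icmp[8:]
    qihl = (quoted[0] & 0x0F) * 4
    if len(quoted) < qihl + 4:
        return None
    sport, dport = struct.unpack("!HH", quoted[qihl:qihl + 4])
    return {
        "router": ipaddress.IPv4Address(pkt[12:16]),
        "delivered_to": ipaddress.IPv4Address(pkt[16:20]),
        "quoted_src": ipaddress.IPv4Address(quoted[12:16]),
        "quoted_dst": ipaddress.IPv4Address(quoted[16:20]),
        "code": icmp[1], "sport": sport, "dport": dport,
    }


def classify(packets, our_net=OUR_NET, backscatter_min=20, decoy_max=5):
    """Per reporting router: 'backscatter' if one quoted destination is reported to
    many distinct addresses of ours; 'decoy-scan-like' if few of our addresses are
    quoted against many destinations; else 'inconclusive'. Thresholds are assumptions."""
    per_router = defaultdict(lambda: defaultdict(set))   # router -> quoted_dst -> {ours}
    for pkt in packets:
        r = parse_unreach(pkt)
        if r is None or r["quoted_src"] not in our_net or r["quoted_src"] != r["delivered_to"]:
            continue   # not about our block, or the quote disagrees with the delivery address
        per_router[r["router"]][r["quoted_dst"]].add(r["quoted_src"])
    verdicts = {}
    for router, by_dst in per_router.items():
        busiest_dst, ours = max(by_dst.items(), key=lambda kv: len(kv[1]))
        all_ours = set().union(*by_dst.values())
        if len(ours) >= backscatter_min:
            verdicts[str(router)] = ("backscatter", str(busiest_dst), len(ours))
        elif len(by_dst) > 1 and len(all_ours) <= decoy_max:
            verdicts[str(router)] = ("decoy-scan-like", len(by_dst), len(all_ours))
        else:
            verdicts[str(router)] = ("inconclusive", len(by_dst), len(all_ours))
    return verdicts


def sample_packets(seed=1):
    """Constructed traffic: 60 unreachables from one router about one victim with
    random spoofed sources in our block, plus two decoy addresses of ours quoted
    against eight hosts via another router, plus one non-ICMP datagram to ignore."""
    rng = random.Random(seed)
    pkts = []
    for idx in rng.sample(range(OUR_NET.num_addresses), 60):
        pkts.append(build_host_unreach("203.0.113.1", str(OUR_NET[idx]), "203.0.113.10",
                                       rng.randrange(1024, 65536), 80))
    for i in range(8):
        for decoy in ("10.10.1.1", "10.10.2.2"):
            pkts.append(build_host_unreach("198.51.100.1", decoy, f"198.51.100.{10 + i}",
                                           40000 + i, rng.choice([22, 25, 80, 443])))
    pkts.append(b"\x45\x00\x00\x14" + b"\x00" * 16)   # plain IPv4 header, protocol 0
    return pkts


if __name__ == "__main__":
    for router, verdict in classify(sample_packets()).items():
        print(router, verdict)
```

The check that the quoted source equals the address the ICMP was delivered to is worth keeping in real deployments: it discards forged unreachables and misrouted replies before they distort the counts. Russell's observation about packets arriving hours apart can be added by recording the first and last timestamp per (router, quoted destination) key.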
