Security Incidents
mailing list archives
Strange packets from Verisign Sitefinder
From: Ralf G <gue () alphatel de>
Date: 2 Oct 2003 11:53:49 -0000
Hi list
I am seeing strange packets coming from Verisign's sitefinder in my firewall logs. It appears that they are SYN-ACK
packets sent to unused addresses in our registered address space. My theory is that someone else has spoofed the
source addresses in an initial http connection to Sitefinder, but the reply packets are then routed to the rightful
owner of these addresses (us).
Here is a sample packet dump:
13:41:55.458798 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.193.56.1959: S 246336671:246336671(0) ack 1099366401 win 16384 (ttl 87, id 256)
13:41:55.941884 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.194.115.1178: S 154406256:154406256(0) ack 530055169 win 16384 (ttl 87, id 256)
13:41:56.081523 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.193.88.1709: S 17910271:17910271(0) ack 755564545 win 16384 (ttl 87, id 256)
13:41:56.814659 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.194.147.1696: S 72446775:72446775(0) ack 186253313 win 16384 (ttl 87, id 256)
13:41:57.324028 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.195.206.1915: S 327185891:327185891(0) ack 1764425729 win 16384 (ttl 87, id 256)
These packets arrive here in vast numbers. Does anyone have any ideas what else could cause this and what I could do
about it? So far, I don't see that I can do much about it.
Any ideas appreciated
Ralf G.
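
One way to check a capture for the pattern described in the message above, as an added example that is not part of the original post: it pairs each SYN-ACK with an outbound SYN from the same local address and port, and reports the SYN-ACKs that answer nothing the local network sent. It assumes the capture also contains outbound traffic and uses the old tcpdump text format shown in the post; the last two sample lines (192.0.2.10, www.example.com) are constructed.

```python
import re
from collections import defaultdict

# Old-style tcpdump line: "... SRC.PORT > DST.PORT: S seq:seq(0) [ack N] win W ..."
PKT = re.compile(
    r"(?P<src>\S+) > (?P<dst>\S+): S (?P<seq>\d+):\d+\(0\)(?: ack (?P<ack>\d+))?")

# First three lines come from the post; the last two are constructed
# (a local host opening a connection and the matching reply).
SAMPLE = """\
13:41:55.458798 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.193.56.1959: S 246336671:246336671(0) ack 1099366401 win 16384 (ttl 87, id 256)
13:41:55.941884 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.194.115.1178: S 154406256:154406256(0) ack 530055169 win 16384 (ttl 87, id 256)
13:41:56.081523 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.193.88.1709: S 17910271:17910271(0) ack 755564545 win 16384 (ttl 87, id 256)
13:42:01.000000 0:c0:95:e2:32:66 0:b0:c2:8b:bf:76 ip 74: 192.0.2.10.40000 > www.example.com.http: S 5000:5000(0) win 5840 (ttl 64, id 4242)
13:42:01.050000 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: www.example.com.http > 192.0.2.10.40000: S 9000:9000(0) ack 5001 win 16384 (ttl 50, id 777)
"""

def unsolicited_synacks(lines):
    """Return {source: set(destinations)} for SYN-ACKs matching no SYN we saw leave."""
    pending = {}                  # (client, server) -> initial sequence number of the SYN
    stray = defaultdict(set)
    for line in lines:
        m = PKT.search(line)
        if not m:
            continue              # not a SYN or SYN-ACK line
        src, dst, seq, ack = m["src"], m["dst"], int(m["seq"]), m["ack"]
        if ack is None:
            pending[(src, dst)] = seq             # bare SYN: remember it
        elif pending.get((dst, src)) == (int(ack) - 1) % 2**32:
            del pending[(dst, src)]               # reply to a handshake we started
        else:
            stray[src].add(dst)                   # reply to a SYN we never sent
    return dict(stray)

if __name__ == "__main__":
    for source, dests in unsolicited_synacks(SAMPLE.splitlines()).items():
        print(f"{source}: {len(dests)} unsolicited SYN-ACK destination(s)")
        for d in sorted(dests):
            print("   ", d)
```

Many distinct destinations from a single source, with no matching outbound SYN, is what replies to spoofed connection attempts would look like from the receiving side.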