Security Incidents mailing list archives

web related oddity


From: don () MAINFRAME DGRC CRC CA (Donald McLachlan)
Date: Tue, 29 Feb 2000 09:15:15 -0500


Based on the ack sequence number, this looks like the documented second
order effect of a DoS scan.  But, I've only ever seen these packets hitting my
workstation after I've been browsing European web sites.

- CCC.CCC.CCC.100 is in .dk and I've sent info to csirt.dk.
- The source IP and port are always the same.
- The dest ports vary.
- What catches my eye is the TTL has changed dramatically from Feb 24 to
  Feb 29.  Either the O/S of CCC.CCC.CCC.100 has changed, or there is initial
  TTL trickery going on.

From Feb 24

10:44:06.296402 CCC.CCC.CCC.100.5199 > XXX.XX.XX.223.1586: R 0:0(0) ack 674719802 win 0 (ttl 235, id 20884)
14:02:28.310627 CCC.CCC.CCC.100.5199 > XXX.XX.XX.223.1218: R 0:0(0) ack 674719802 win 0 (ttl 235, id 63165)
14:29:39.975886 CCC.CCC.CCC.100.5199 > XXX.XX.XX.223.2298: R 0:0(0) ack 674719802 win 0 (ttl 235, id 17232)

From Feb 29

09:43:42.091875 CCC.CCC.CCC.100.5199 > XXX.XX.XX.223.1734: R 0:0(0) ack 674719802 win 0 (ttl 108, id 57993)

Anyone else seeing this?

Don


Current thread: