Re: Weird packet
- To: Joost van Baal <joostvb@xxxxxxx>
- Subject: Re: Weird packet
- From: Lionel Elie Mamane <lionel@xxxxxxxxx>
- Date: Wed, 20 Mar 2002 13:00:51 +0100
- Cc: people@xxxxxxxxxx
- User-agent: Mutt/1.3.27i
- X-operating-system: GNU/Linux
On Wed, Mar 20, 2002 at 10:59:27AM +0100, Joost van Baal wrote:
>> Has anyone any idea why a machine gets such a packet?
>> Packet log: input *ACTION* *iface* PROTO=6 207.46.197.102:65535 *my_machine_ip*:65535 L=756 S=0x00 I=33890 F=0x005D T=51 (#20)
>> whois 207.46.197.102
>> Microsoft (NETBLK-MICROSOFT-GLOBAL-NET)
> Perhaps the source address is spoofed?
I fail to see what the sender would gain... An RST storm on
Microsoft's web server? Come on... There are much more efficient DoS
attacks...
> Or it's some Microsoft automatic software update thingie?
Well... might be.... But this is a SYN packet... It seems really
strange to me they would use such a method, where their machine makes
a connection to the client's machine...
> Machine 207.46.197.102 is unreachable now, btw.
You mean by ping? This is "normal", Microsoft's web server hasn't
been responding to pings for years. There is a web server running and
responding on it, though.
I have half a mind to run tcpdump and look at these packets more
closely...
--
Lionel