
This past weekend I was contacted by several groups ranging from NASA to a small service provider in the Bay area regarding one of our hosts port scanning their networks using RESET packets. In each of these cases the machine seemed to be scanning random addresses in their networks on random, non-reserved (+1024), ports.

After investigating these claims it appears as if someone is sending SYN packets to this machine (which serves ftp, which explains why the ports are open through the cisco) with a spoofed source address, causing the machine to send RESET packets back to the spoofed host and setting off their firewalls. I cannot seem to get past level-1 or level-2 support from my upstream, GTE/BBN, to find out where these packets are coming from to track this down. So, I come to you...

Two currently on-going attacks are using the spoofed source addresses from the networks 134.50.x.x and 130.221.x.x. If you see activity from these networks inside of your borders, but the networks are not inside of your borders, please contact me off of the list.

Oh yeah, and filter this stuff out people, this is unacceptable.

--
Bryan C. Andregg * <bandregg@redhat.com> * Red Hat, Inc.
1024/625FA2C5 F5 F3 DC 2E 8E AF 26 B0 2C 31 78 C2 6C FB 02 77
1024/0x46E7A8A2 46EB 61B1 71BD 2960 723C 38B6 21E4 23CC 46E7 A8A2
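As an added illustration that is not part of Bryan's post, the Python below shows how the receiving network (the side that saw the "scan") can tell reflected-RST backscatter from genuine scanning. It reads a constructed packet log in an assumed `time src:sport > dst:dport flags` format (the addresses and format are placeholders, not from the post), remembers the SYNs the local network itself sent, and flags inbound RSTs that answer none of them; the hosts those RSTs come from are the reflector, not the spoofing attacker.

```python
"""Flag inbound TCP RSTs that answer no SYN we sent (reflected backscatter)."""
import re
from collections import Counter

# Constructed sample log (assumed format, documentation addresses only):
#   192.0.2.0/24 is the local network, 198.51.100.5 plays the abused ftp host.
SAMPLE_LOG = """\
00:00:01 192.0.2.10:3344 > 203.0.113.8:80 S
00:00:01 203.0.113.8:80 > 192.0.2.10:3344 RA
00:00:02 198.51.100.5:2977 > 192.0.2.41:1290 RA
00:00:02 198.51.100.5:4102 > 192.0.2.17:3301 RA
00:00:03 198.51.100.5:1871 > 192.0.2.203:1111 RA
00:00:03 192.0.2.10:3345 > 203.0.113.8:443 S
00:00:03 203.0.113.8:443 > 192.0.2.10:3345 SA
"""

LINE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+>\s+(\S+):(\d+)\s+([A-Z]+)$")


def parse(line):
    """Return one packet as a dict, or None for lines that do not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport, flags = m.groups()
    return {"ts": ts, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "flags": flags}


def find_backscatter(lines, local_prefix):
    """Inbound RSTs whose 4-tuple matches no SYN the local side sent earlier."""
    sent_syns = set()      # (src, sport, dst, dport) of our own outbound SYNs
    unsolicited = []
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        outbound = p["src"].startswith(local_prefix)
        if outbound and "S" in p["flags"] and "A" not in p["flags"]:
            sent_syns.add((p["src"], p["sport"], p["dst"], p["dport"]))
        elif not outbound and "R" in p["flags"]:
            # A legitimate RST reverses the tuple of a SYN we sent.
            if (p["dst"], p["dport"], p["src"], p["sport"]) not in sent_syns:
                unsolicited.append(p)
    return unsolicited


def reflectors(unsolicited):
    """Count unsolicited RSTs per source host: the reflector being abused."""
    return Counter(p["src"] for p in unsolicited)
```

The second line of the sample is a solicited RST (it answers our own SYN to port 80) and is correctly ignored, while the three RSTs from 198.51.100.5 are reported as backscatter from that host.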