Gratuitous syn/ack
I'm seeing a significant number (about 1/minute 24 hr/day) of syn/ack packets coming from port 80 of random addresses to random ports on my nameserver and a few other systems. This isn't enough traffic to be really annoying, but is curious.
I wonder if the simple explanation (backscatter from syn floods with spoofed source addresses) is more likely, or if there are some probing techniques in "normal" use that use these packets (one could accomplish a traceroute using port 80 packets in either direction...)
-- Pete
I am betting backscatter.
Sent from my iPhone
On Nov 11, 2010, at 5:31 PM, Pete Carah <pete@altadena.net> wrote:
I'm seeing a significant number (about 1/minute 24 hr/day) of syn/ack packets coming from port 80 of random addresses to random ports on my nameserver and a few other systems. This isn't enough traffic to be really annoying, but is curious.
I wonder if the simple explanation (backscatter from syn floods with spoofed source addresses) is more likely, or if there are some probing techniques in "normal" use that use these packets (one could accomplish a traceroute using port 80 packets in either direction...)
-- Pete
--- On Thu, 11/11/10, Joel Esler <joel.esler@me.com> wrote:
From: Joel Esler <joel.esler@me.com>
Subject: Re: Gratuitous syn/ack
To: "Pete Carah" <pete@altadena.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Date: Thursday, November 11, 2010, 5:03 PM
I am betting backscatter.
Sent from my iPhone
On Nov 11, 2010, at 5:31 PM, Pete Carah <pete@altadena.net> wrote:
I'm seeing a significant number (about 1/minute 24 hr/day) of syn/ack packets coming from port 80 of random addresses to random ports on my nameserver and a few other systems. This isn't enough traffic to be really annoying, but is curious.
I wonder if the simple explanation (backscatter from syn floods with spoofed source addresses) is more likely, or if there are some probing techniques in "normal" use that use these packets (one could accomplish a traceroute using port 80 packets in either direction...)
-- Pete
...or script kiddies port-scanning - sending a syn-ack to a non-existent session expecting a RST back.
./Randy
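A triage sketch for the explanations raised in this thread, added here as an example and not part of any participant's message: it picks out inbound SYN/ACKs that answer no SYN the local hosts sent, then groups them by source. The record layout, the sample packets and the `sweep_ports` threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records, not captured traffic:
# (direction, src, sport, dst, dport, flags); "S" = SYN, "SA" = SYN/ACK
PACKETS = [
    ("out", "192.0.2.53", 40000, "198.51.100.7", 80, "S"),
    ("in", "198.51.100.7", 80, "192.0.2.53", 40000, "SA"),   # answers our SYN
    ("in", "203.0.113.9", 80, "192.0.2.53", 51514, "SA"),    # nothing asked for it
    ("in", "203.0.113.77", 80, "192.0.2.53", 1873, "SA"),
    ("in", "198.51.100.200", 80, "192.0.2.10", 33012, "SA"),
] + [("in", "203.0.113.250", 80, "192.0.2.53", p, "SA") for p in range(20, 30)]


def unsolicited_synacks(packets):
    """Return inbound SYN/ACKs that do not match an earlier outbound SYN."""
    pending = set()  # (local, lport, remote, rport) of SYNs we sent
    hits = []
    for direction, src, sport, dst, dport, flags in packets:
        if direction == "out" and flags == "S":
            pending.add((src, sport, dst, dport))
        elif direction == "in" and flags == "SA":
            key = (dst, dport, src, sport)
            if key in pending:
                pending.discard(key)      # legitimate handshake reply
            else:
                hits.append((src, sport, dst, dport))
    return hits


def triage(hits, sweep_ports=8):
    """Label each source by how many distinct local (host, port) pairs it hit.

    Assumed heuristic: one source touching many local ports looks like a
    scan; isolated packets from many sources fit the backscatter reading.
    """
    targets = defaultdict(set)
    for src, _sport, dst, dport in hits:
        targets[src].add((dst, dport))
    return {src: ("sweep-like" if len(t) >= sweep_ports else "scattered")
            for src, t in targets.items()}


if __name__ == "__main__":
    for src, label in sorted(triage(unsolicited_synacks(PACKETS)).items()):
        print(f"{src:16} {label}")
```
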
participants (3)
- Joel Esler
- Pete Carah
- Randy