[132054] in North American Network Operators' Group


Re: Gratuitous syn/ack

daemon@ATHENA.MIT.EDU (Randy)
Thu Nov 11 23:16:13 2010

Date: Thu, 11 Nov 2010 20:16:04 -0800 (PST)
From: Randy <randy_94108@yahoo.com>
To: Pete Carah <pete@altadena.net>, Joel Esler <joel.esler@me.com>
In-Reply-To: <44420648-E1FA-401E-AA8E-9CDC0A805559@me.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

--- On Thu, 11/11/10, Joel Esler <joel.esler@me.com> wrote:

> From: Joel Esler <joel.esler@me.com>
> Subject: Re: Gratuitous syn/ack
> To: "Pete Carah" <pete@altadena.net>
> Cc: "nanog@nanog.org" <nanog@nanog.org>
> Date: Thursday, November 11, 2010, 5:03 PM
> I am betting backscatter.
>
>
> Sent from my iPhone
>
> On Nov 11, 2010, at 5:31 PM, Pete Carah <pete@altadena.net> wrote:
>
> > I'm seeing a significant number (about 1/minute 24 hr/day) of syn/ack
> > packets coming from port 80 of random addresses to random ports on my
> > nameserver and a few other systems.  This isn't enough traffic to be
> > really annoying, but is curious.
> >
> > I wonder if the simple explanation (backscatter from syn floods with
> > spoofed source addresses) is more likely, or if there are some probing
> > techniques in "normal" use that use these packets (one could accomplish
> > a traceroute using port 80 packets in either direction...)
> >
> > -- Pete



...or script kiddies port-scanning - sending a syn-ack to a non-existent session expecting a RST back.
./Randy
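
An added example, not part of the thread: one way a defender could pick out the SYN/ACKs discussed above (those answering no SYN the host sent) and group them by source. The packet records, addresses, `window` and the `sweep_ports` threshold are constructed assumptions; the grouping is a triage heuristic, not proof of either explanation.

```python
from collections import defaultdict

SYN, ACK = 0x02, 0x10  # TCP flag bits

# Constructed sample records (documentation addresses), not captured traffic:
# (time_s, src_ip, src_port, dst_ip, dst_port, tcp_flags)
LOCAL = {"192.0.2.53"}
PACKETS = [
    (0.0, "192.0.2.53", 40000, "198.51.100.7", 80, SYN),          # our outbound SYN
    (0.1, "198.51.100.7", 80, "192.0.2.53", 40000, SYN | ACK),    # its legitimate reply
    (60.0, "203.0.113.10", 80, "192.0.2.53", 31337, SYN | ACK),   # no SYN from us
    (125.0, "203.0.113.99", 80, "192.0.2.53", 5120, SYN | ACK),   # no SYN from us
    (130.0, "198.51.100.66", 80, "192.0.2.53", 1001, SYN | ACK),  # one source,
    (130.1, "198.51.100.66", 80, "192.0.2.53", 1002, SYN | ACK),  # several local
    (130.2, "198.51.100.66", 80, "192.0.2.53", 1003, SYN | ACK),  # ports
]

def unsolicited_synacks(packets, local, window=30.0):
    """Return inbound SYN/ACKs that answer no SYN we sent within `window` seconds."""
    pending = {}  # (local_ip, local_port, remote_ip, remote_port) -> time SYN sent
    orphans = []
    for t, sip, sport, dip, dport, flags in sorted(packets):
        if sip in local and (flags & SYN) and not (flags & ACK):
            pending[(sip, sport, dip, dport)] = t
        elif dip in local and (flags & (SYN | ACK)) == (SYN | ACK):
            sent = pending.get((dip, dport, sip, sport))
            if sent is None or t - sent > window:
                orphans.append((t, sip, sport, dip, dport))
    return orphans

def group_by_source(orphans, sweep_ports=3):
    """Split orphan sources: many local ports from one source vs. isolated packets.

    sweep_ports is a hypothetical threshold, not a value from the thread.
    """
    ports = defaultdict(set)
    for _, sip, _, _, dport in orphans:
        ports[sip].add(dport)
    sweeping = sorted(s for s, p in ports.items() if len(p) >= sweep_ports)
    isolated = sorted(s for s, p in ports.items() if len(p) < sweep_ports)
    return {"sweeping": sweeping, "isolated": isolated}

if __name__ == "__main__":
    orphans = unsolicited_synacks(PACKETS, LOCAL)
    print(len(orphans), group_by_source(orphans))
```

Isolated packets from many unrelated sources fit the backscatter reading; a single source touching many local ports fits the probing reading.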

