Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Chinese HTTP ACKs

from [David Gillett] Network Security [Permanent Link]
Subject: Chinese HTTP ACKs
Date: Wed, 9 Feb 2005 10:08:20 -0800 
  I'm seeing a handful of addresses in the 61.143.210.0/23 space
periodically send 2-3 ACKs from port 80 to semi-random addresses
within our Class B space.  The TCP checksum on these packets is
incorrect.
  Note that these are ACK and not SYN-ACK, although no such session
appears to be underway.  Between that and the checksum error, I
believe that these are NOT responses to spoofed SYNs, but are
something else crafted on the Chinese hosts themselves.

  I describes the destination as "semi-random" in that the examples
I've captured have been directed at in-use addresses within thinly-
used portions of our address space.  A less random target selection 
would be expected to be hitting our main server ranges; a more random
selection would be expected to hit some unused addresses.  So I
*suspect* that some kind of discovery process may have been used.

  (In at least one case, the target lies within a sub-block that is 
is not supposed to exchange TCP packets with the Internet.  Unfortunately,
it's relying on a Cisco ACL "established" line for this, and of course
these naked ACKs sail right on past....
  Again, a reason to believe that these ACKs are not part of some
legitimate session already in progress.)

  Anybody else seeing similar?

David Gillett
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: SSH probe attack afoot?, j@65535.com
Next by Date:  Re: Chinese HTTP ACKs, Frank Knobbe
Previous by Thread:  Re: SSH probe attack afoot?, j@65535.com
Next by Thread:  Re: Chinese HTTP ACKs, Frank Knobbe
Indexes:  [Date] [Thread] [Top] [All Lists]