>
>
> Unless your netwrk is 'broken' and you are being used as a smurf amplifier
> to DOS out someone with a smaller pipe?
>
> Thanks,
>
> Ron DuFresne
A smurf bounce has different characteristics, but in any case, we don't
service directed broadcasts.
To date, the responses seem on the side of script kiddies running sscan
or the like. Now that the traffic comes from various networks, I lean
toward that rather than my original hypothesis that we were the spoofed
side of a syn flood.
Regards,
j.
>
> On Mon, 3 May 1999, batz wrote:
>
> > On Mon, 3 May 1999, W.C. (Jay) Epperson wrote:
> >
> > :For several days, we've seen SYN/ACK packets directed to unused addresses
> > :within our address space. TCP source port is often a well-known port like
> > :Telnet, Http, etc. Destination port is generally above 1024, and is mostly
> > :either 1974 or 1829. At first, the packets were all coming from a single
> > :network. We suspected that we were the spoofed side of a SYN flood attack
> > :and notified the other network contact. Later, the traffic from that
> > :network stopped, and we now see the traffic coming in from a variety of
> > :outside networks.
> > :
> > :The volume is too low to cause us DOS problems, but we're scratching our
> > :heads as to what this is about. Any clues?
> >
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
