[nsp-sec] Odd packets from 255.127.0.0
Mike Tancsa
mike at sentex.net
Mon Oct 6 10:17:25 EDT 2014
On 10/6/2014 10:04 AM, Borja Marcos wrote:
>
> Since yesterday around 21:30 UTC we are receiving TCP packets with source address 255.127.0.0, source and destination port 0, assorted options (sometimes malformed).
> We see the packets coming from cogent, level3, colt and Tata. Nothing on peerings.
> Is anyone seeing the same? Any known buggy equipment?
Same. Lots, destined to all sorts of addresses in my network. Both via
Cogent and TATA for me, but I also see it from a peer at Torix (Primus).
---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
-------------- next part --------------
10:13:51.877038 IP 255.127.0.0.0 > 199.71.183.34.0: tcp 32 [bad hdr length 8 - too short, < 20]
10:13:51.907967 IP 255.127.0.0.0 > 67.43.139.55.0: Flags [FRP.EW] [bad hdr length 56 - too long, > 40]
10:13:51.936439 IP 255.127.0.0.0 > 206.51.24.76.0: Flags [SRP.UW], seq 624634229:624634249, ack 0, win 6667, urg 0, length 20
10:13:51.939988 IP 255.127.0.0.0 > 67.43.132.67.0: tcp 32 [bad hdr length 8 - too short, < 20]
10:13:51.974133 IP 255.127.0.0.0 > 98.159.250.103.0: Flags [SRE] [bad hdr length 48 - too long, > 40]
10:13:52.071376 IP 255.127.0.0.0 > 206.130.91.84.0: tcp 24 [bad hdr length 16 - too short, < 20]
10:13:52.093234 IP 255.127.0.0.0 > 67.43.140.88.0: tcp 32 [bad hdr length 8 - too short, < 20]
10:13:52.140968 IP 255.127.0.0.0 > 199.246.36.40.0: Flags [FR] [bad hdr length 60 - too long, > 40]
10:13:52.214258 IP 255.127.0.0.0 > 64.7.150.78.0: tcp 28 [bad hdr length 12 - too short, < 20]
10:13:52.366868 IP 255.127.0.0.0 > 198.73.181.25.0: Flags [FRPW], seq 624639109:624639125, win 6667, options [[bad opt]
10:13:52.390644 IP 255.127.0.0.0 > 64.7.131.60.0: Flags [FSRPE], seq 3281651313:3281651317, win 6667, options [[bad opt]
10:13:52.441497 IP 255.127.0.0.0 > 64.7.134.47.0: tcp 24 [bad hdr length 16 - too short, < 20]
10:13:52.478364 IP 255.127.0.0.0 > 98.159.248.122.0: tcp 28 [bad hdr length 12 - too short, < 20]
10:13:52.591984 IP 255.127.0.0.0 > 67.43.140.105.0: Flags [FRP.UE] [bad hdr length 56 - too long, > 40]
10:13:52.595510 IP 255.127.0.0.0 > 64.7.145.12.0: tcp 36 [bad hdr length 4 - too short, < 20]
10:13:52.598115 IP 255.127.0.0.0 > 199.212.134.22.0: Flags [R.UW], seq 624639109:624639121, ack 0, win 6667, urg 0, options [[bad opt]
10:13:52.628784 IP 255.127.0.0.0 > 98.159.254.72.0: tcp 32 [bad hdr length 8 - too short, < 20]
10:13:52.643630 IP 255.127.0.0.0 > 206.51.25.74.0: Flags [SRUEW] [bad hdr length 48 - too long, > 40]
10:13:52.758625 IP 255.127.0.0.0 > 67.43.134.5.0: tcp 32 [bad hdr length 8 - too short, < 20]
10:13:52.769935 IP 255.127.0.0.0 > 198.235.183.28.0: tcp 36 [bad hdr length 4 - too short, < 20]
10:13:52.807520 IP 255.127.0.0.0 > 206.51.25.74.0: tcp 40 [bad hdr length 0 - too short, < 20]
10:13:52.910622 IP 255.127.0.0.0 > 98.159.251.35.0: tcp 36 [bad hdr length 4 - too short, < 20]
10:13:52.991383 IP 255.127.0.0.0 > 98.159.244.127.0: tcp 24 [bad hdr length 16 - too short, < 20]
10:13:53.080033 IP 255.127.0.0.0 > 64.7.137.92.0: Flags [FP.UE] [bad hdr length 60 - too long, > 40]
10:13:53.081960 IP 255.127.0.0.0 > 67.43.137.12.0: tcp 36 [bad hdr length 4 - too short, < 20]
10:13:53.084122 IP 255.127.0.0.0 > 64.7.135.109.0: Flags [FSR.UE] [bad hdr length 44 - too long, > 40]
10:13:53.153895 IP 255.127.0.0.0 > 199.212.135.92.0: tcp 24 [bad hdr length 16 - too short, < 20]
10:13:53.158438 IP 255.127.0.0.0 > 64.7.133.121.0: Flags [FRUE], seq 624639109:624639129, win 6667, urg 0, length 20
10:13:53.186870 IP 255.127.0.0.0 > 64.7.137.18.0: tcp 36 [bad hdr length 4 - too short, < 20]
10:13:53.277258 IP 255.127.0.0.0 > 98.159.248.27.0: Flags [SP.E], seq 1540996429:1540996433, ack 0, win 6667, options [[bad opt]
10:13:53.356749 IP 255.127.0.0.0 > 67.43.135.5.0: tcp 32 [bad hdr length 8 - too short, < 20]
10:13:53.390700 IP 255.127.0.0.0 > 98.159.254.101.0: Flags [UEW], win 6667, urg 0, options [[bad opt]
10:13:53.394517 IP 255.127.0.0.0 > 98.159.250.43.0: tcp 28 [bad hdr length 12 - too short, < 20]
10:13:53.414957 IP 255.127.0.0.0 > 64.7.139.25.0: Flags [FRUEW] [bad hdr length 60 - too long, > 40]
10:13:53.425634 IP 255.127.0.0.0 > 67.43.133.122.0: tcp 28 [bad hdr length 12 - too short, < 20]
10:16:30.913292 IP (tos 0x28, ttl 51, id 53543, offset 0, flags [DF], proto TCP (6), length 60)
255.127.0.0.0 > 199.71.183.94.0: Flags [FSR.U], cksum 0x0000 (incorrect -> 0x8cdf), seq 624634229:624634237, ack 0, win 6667, urg 0, options [[bad opt]
0x0000: 4528 003c d127 4000 3306 f846 ff7f 0000 E(.<.'@.3..F....
0x0010: c747 b75e 0000 0000 253b 2975 0000 0000 .G.^....%;)u....
0x0020: 8f37 1a0b 0000 0000 4aff 945e 0000 0000 .7......J..^....
0x0030: 0000 0000 0000 0000 a002 7d78 ..........}x
10:16:30.956765 IP (tos 0x28, ttl 56, id 50525, offset 0, flags [DF], proto TCP (6), length 60)
255.127.0.0.0 > 64.7.131.17.0: tcp 40 [bad hdr length 0 - too short, < 20]
0x0000: 4528 003c c55d 4000 3806 ba9e ff7f 0000 E(.<.]@.8.......
0x0010: 4007 8311 0000 0000 c0ba 88ce 0000 0000 @...............
0x0020: 084d 1a0b 0000 0000 fb68 7b7d 0000 0000 .M.......h{}....
0x0030: 0000 0000 0000 0000 a002 7d78 ..........}x
10:16:30.972610 IP (tos 0x10, ttl 52, id 3537, offset 0, flags [DF], proto TCP (6), length 60)
255.127.0.0.0 > 67.43.131.26.0: tcp 40 [bad hdr length 0 - too short, < 20]
0x0000: 4510 003c 0dd1 4000 3406 7316 ff7f 0000 E..<..@.4.s.....
0x0010: 432b 831a 0000 0000 c39a 0671 0000 0000 C+.........q....
0x0020: 068e 1a0b 0000 0000 39ca 4a1f 0000 0000 ........9.J.....
0x0030: 0000 0000 0000 0000 a002 7d78 ..........}x
10:16:30.982570 IP (tos 0x10, ttl 51, id 42502, offset 0, flags [DF], proto TCP (6), length 60)
255.127.0.0.0 > 64.7.131.108.0: Flags [FR.EW] [bad hdr length 60 - too long, > 40]
0x0000: 4510 003c a606 4000 3306 deb2 ff7f 0000 E..<..@.3.......
0x0010: 4007 836c 0000 0000 c0ba 88ce 0000 0000 @..l............
0x0020: fbd5 1a0b 0000 0000 a9b4 4d68 0000 0000 ..........Mh....
0x0030: 0000 0000 0000 0000 a002 7d78 ..........}x
10:16:31.086100 IP (tos 0x10, ttl 51, id 29962, offset 0, flags [DF], proto TCP (6), length 60)
255.127.0.0.0 > 98.159.255.45.0: Flags [.UEW], cksum 0x0000 (incorrect -> 0xf2b8), seq 3281651313:3281651333, ack 0, win 6667, urg 0, length 20
0x0000: 4510 003c 750a 4000 3306 7155 ff7f 0000 E..<u.@.3.qU....
0x0010: 629f ff2d 0000 0000 c39a 0671 0000 0000 b..-.......q....
0x0020: 5bf0 1a0b 0000 0000 d2fc 7b4c 0000 0000 [.........{L....
0x0030: 0000 0000 0000 0000 a002 7d78 ..........}x
10:16:31.110451 IP (tos 0x48, ttl 56, id 13716, offset 0, flags [DF], proto TCP (6), length 60)
255.127.0.0.0 > 67.43.134.78.0: Flags [RPW], cksum 0x0000 (incorrect -> 0xa0e3), seq 624634229:624634237, win 6667, options [[bad opt]
0x0000: 4548 003c 3594 4000 3806 43e7 ff7f 0000 EH.<5.@.8.C.....
0x0010: 432b 864e 0000 0000 253b 2975 0000 0000 C+.N....%;)u....
0x0020: 8e8c 1a0b 0000 0000 61d5 1f5c 0000 0000 ........a..\....
0x0030: 0000 0000 0000 0000 a002 7d78 ..........}x
10:16:31.137110 IP (tos 0x28, ttl 56, id 15434, offset 0, flags [DF], proto TCP (6), length 60)
255.127.0.0.0 > 98.159.253.74.0: Flags [RPUW], cksum 0x0000 (incorrect -> 0xff76), seq 3233450190:3233450202, win 6667, urg 0, options [[bad opt]
0x0000: 4528 003c 3c4a 4000 3806 a6e0 ff7f 0000 E(.<<J@.8.......
0x0010: 629f fd4a 0000 0000 c0ba 88ce 0000 0000 b..J............
0x0020: 76ac 1a0b 0000 0000 ddfd cb36 0000 0000 v..........6....
0x0030: 0000 0000 0000 0000 a002 7d78 ..........}x
10:16:31.190196 IP (tos 0x10, ttl 54, id 64983, offset 0, flags [DF], proto TCP (6), length 60)
255.127.0.0.0 > 98.159.246.107.0: tcp 40 [bad hdr length 0 - too short, < 20]
0x0000: 4510 003c fdd7 4000 3606 ee49 ff7f 0000 E..<..@.6..I....
0x0010: 629f f66b 0000 0000 5bd9 bd4d 0000 0000 b..k....[..M....
0x0020: 0af2 1a0b 0000 0000 580a c26f 0000 0000 ........X..o....
0x0030: 0000 0000 0000 0000 a002 7d78 ..........}x
10:16:31.288136 IP (tos 0x28, ttl 55, id 50462, offset 0, flags [DF], proto TCP (6), length 60)
255.127.0.0.0 > 64.7.128.122.0: Flags [RU] [bad hdr length 56 - too long, > 40]
0x0000: 4528 003c c51e 4000 3706 be74 ff7f 0000 E(.<..@.7..t....
0x0010: 4007 807a 0000 0000 253b 3c85 0000 0000 @..z....%;<.....
0x0020: e024 1a0b 0000 0000 b83e 3314 0000 0000 .$.......>3.....
0x0030: 0000 0000 0000 0000 a002 7d78 ..........}x
10:16:31.293075 IP (tos 0x0, ttl 56, id 35276, offset 0, flags [DF], proto TCP (6), length 60)
255.127.0.0.0 > 64.7.133.19.0: Flags [FSPW] [bad hdr length 52 - too long, > 40]
0x0000: 4500 003c 89cc 4000 3806 f455 ff7f 0000 E..<..@.8..U....
0x0010: 4007 8513 0000 0000 3ed2 d37a 0000 0000 @.......>..z....
0x0020: d98b 1a0b 0000 0000 fbe9 b85e 0000 0000 ...........^....
0x0030: 0000 0000 0000 0000 a002 7d78 ..........}x
10:16:31.376248 IP (tos 0x10, ttl 52, id 22334, offset 0, flags [DF], proto TCP (6), length 60)
255.127.0.0.0 > 64.7.150.26.0: Flags [FSP.EW] [bad hdr length 56 - too long, > 40]
0x0000: 4510 003c 573e 4000 3406 19cd ff7f 0000 E..<W>@.4.......
0x0010: 4007 961a 0000 0000 c39a 0671 0000 0000 @..........q....
0x0020: e0db 1a0b 0000 0000 d575 9c5c 0000 0000 .........u.\....
0x0030: 0000 0000 0000 0000 a002 7d78 ..........}x
10:16:31.473037 IP (tos 0x28, ttl 56, id 33012, offset 0, flags [DF], proto TCP (6), length 60)
255.127.0.0.0 > 67.43.128.114.0: Flags [P.E], cksum 0x0000 (incorrect -> 0x3f77), seq 3233450190:3233450194, ack 0, win 6667, options [[bad opt]
0x0000: 4528 003c 80f4 4000 3806 fe82 ff7f 0000 E(.<..@.8.......
0x0010: 432b 8072 0000 0000 c0ba 88ce 0000 0000 C+.r............
0x0020: 9658 1a0b 0000 0000 4091 a543 0000 0000 .X......@..C....
0x0030: 0000 0000 0000 0000 a002 7d78 ..........}x
10:16:31.500739 IP (tos 0x0, ttl 54, id 31238, offset 0, flags [DF], proto TCP (6), length 60)
255.127.0.0.0 > 67.43.129.96.0: Flags [RPUW], cksum 0x0000 (incorrect -> 0x63f6), seq 1540996429:1540996449, win 6667, urg 0, length 20 [RST \0xd8@O5\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0xa0\0x02}x]
0x0000: 4500 003c 7a06 4000 3606 06ab ff7f 0000 E..<z.@.6.......
0x0010: 432b 8160 0000 0000 5bd9 bd4d 0000 0000 C+.`....[..M....
0x0020: 5fac 1a0b 0000 0000 d840 4f35 0000 0000 _........@O5....
0x0030: 0000 0000 0000 0000 a002 7d78 ..........}x
10:16:31.528182 IP (tos 0x28, ttl 54, id 18104, offset 0, flags [DF], proto TCP (6), length 60)
255.127.0.0.0 > 206.51.24.82.0: Flags [SREW], cksum 0x0000 (incorrect -> 0x5c92), seq 1054004090:1054004110, win 6667, length 20 [RST \-\0xb7r\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0xa0\0x02}x]
0x0000: 4528 003c 46b8 4000 3606 17d7 ff7f 0000 E(.<F.@.6.......
0x0010: ce33 1852 0000 0000 3ed2 d37a 0000 0000 .3.R....>..z....
0x0020: 5fc6 1a0b 0000 0000 5c2d b772 0000 0000 _.......\-.r....
0x0030: 0000 0000 0000 0000 a002 7d78 ..........}x
10:16:31.569244 IP (tos 0x28, ttl 55, id 21561, offset 0, flags [DF], proto TCP (6), length 60)
255.127.0.0.0 > 67.43.131.96.0: Flags [SP.UEW] [bad hdr length 60 - too long, > 40]
0x0000: 4528 003c 5439 4000 3706 2950 ff7f 0000 E(.<T9@.7.)P....
0x0010: 432b 8360 0000 0000 253b 3c85 0000 0000 C+.`....%;<.....
0x0020: f8fa 1a0b 0000 0000 8273 3548 0000 0000 .........s5H....
0x0030: 0000 0000 0000 0000 a002 7d78 ..........}x
10:16:31.583719 IP (tos 0x10, ttl 52, id 47754, offset 0, flags [DF], proto TCP (6), length 60)
255.127.0.0.0 > 67.43.141.80.0: tcp 24 [bad hdr length 16 - too short, < 20]
0x0000: 4510 003c ba8a 4000 3406 bc26 ff7f 0000 E..<..@.4..&....
0x0010: 432b 8d50 0000 0000 c39a 0671 0000 0000 C+.P.......q....
0x0020: 4a6c 1a0b 0000 0000 6993 103b 0000 0000 Jl......i..;....
0x0030: 0000 0000 0000 0000 a002 7d78 ..........}x
10:16:31.616347 IP (tos 0x28, ttl 57, id 49286, offset 0, flags [DF], proto TCP (6), length 60)
255.127.0.0.0 > 198.235.180.126.0: Flags [FSUE], cksum 0x0000 (incorrect -> 0x0949), seq 1578576465, win 6667, urg 0, options [[bad opt]
0x0000: 4528 003c c086 4000 3906 0624 ff7f 0000 E(.<..@.9..$....
0x0010: c6eb b47e 0000 0000 5e17 2a51 0000 0000 ...~....^.*Q....
0x0020: a763 1a0b 0000 0000 8434 9017 0000 0000 .c.......4......
0x0030: 0000 0000 0000 0000 a002 7d78 ..........}x
10:16:31.657327 IP (tos 0x10, ttl 52, id 59771, offset 0, flags [DF], proto TCP (6), length 60)
255.127.0.0.0 > 67.43.133.101.0: tcp 32 [bad hdr length 8 - too short, < 20]
0x0000: 4510 003c e97b 4000 3406 9520 ff7f 0000 E..<.{@.4.......
0x0010: 432b 8565 0000 0000 c39a 0671 0000 0000 C+.e.......q....
0x0020: 2f09 1a0b 0000 0000 abf9 c863 0000 0000 /..........c....
0x0030: 0000 0000 0000 0000 a002 7d78 ..........}x
10:16:31.672722 IP (tos 0x28, ttl 54, id 19424, offset 0, flags [DF], proto TCP (6), length 60)
255.127.0.0.0 > 205.211.165.109.0: tcp 28 [bad hdr length 12 - too short, < 20]
0x0000: 4528 003c 4be0 4000 3606 85f3 ff7f 0000 E(.<K.@.6.......
0x0010: cdd3 a56d 0000 0000 c0ba 88ce 0000 0000 ...m............
0x0020: 360d 1a0b 0000 0000 ead9 6360 0000 0000 6.........c`....
0x0030: 0000 0000 0000 0000 a002 7d78 ..........}x
10:16:31.682926 IP (tos 0x28, ttl 55, id 21411, offset 0, flags [DF], proto TCP (6), length 60)
255.127.0.0.0 > 98.159.243.99.0: Flags [FSUW] [bad hdr length 44 - too long, > 40]
0x0000: 4528 003c 53a3 4000 3706 9a6e ff7f 0000 E(.<S.@.7..n....
0x0010: 629f f363 0000 0000 253b 3c85 0000 0000 b..c....%;<.....
0x0020: b5a3 1a0b 0000 0000 f8cc 9b2f 0000 0000 .........../....
0x0030: 0000 0000 0000 0000 a002 7d78 ..........}x
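
A check for the anomalies reported in this thread (reserved source address, port 0, invalid TCP header length, wrong checksum), as an added example that is not part of the original post. `PKT` is the first verbose packet from the capture above; the function names and finding labels are assumptions of this example.

```python
import ipaddress
import struct

# First verbose packet from the capture above (60 bytes, taken from the hex dump).
PKT = bytes.fromhex(
    "4528003cd12740003306f846ff7f0000"
    "c747b75e00000000253b297500000000"
    "8f371a0b000000004aff945e00000000"
    "0000000000000000a0027d78"
)
RESERVED = ipaddress.ip_network("240.0.0.0/4")  # class E, never a valid source


def tcp_checksum(src, dst, segment):
    """Checksum over IPv4 pseudo-header + segment, checksum field zeroed."""
    data = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    data += segment[:16] + b"\x00\x00" + segment[18:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries (one's-complement sum)
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def inspect(pkt):
    """Return the list of anomalies found in one raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src, dst = pkt[12:16], pkt[16:20]
    seg = pkt[ihl:total_len]
    findings = []
    if ipaddress.ip_address(src) in RESERVED:
        findings.append("reserved-source")
    if len(seg) < 20:  # not even a minimal TCP header present
        return findings + ["truncated-tcp"]
    sport, dport = struct.unpack("!HH", seg[:4])
    if sport == 0 or dport == 0:
        findings.append("port-zero")
    hdr_len = (seg[12] >> 4) * 4  # data offset, in bytes
    if hdr_len < 20 or hdr_len > len(seg):
        findings.append("bad-data-offset")
    if struct.unpack("!H", seg[16:18])[0] != tcp_checksum(src, dst, seg):
        findings.append("bad-checksum")
    return findings


if __name__ == "__main__":
    print(inspect(PKT))
```

The checksum computed for `PKT` is 0x8cdf, the value tcpdump reports as the correct one for that packet.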