[nsp-sec] Odd packets from 255.127.0.0
Borja Marcos
borjamar at sarenet.es
Mon Oct 6 11:04:16 EDT 2014
> On 6/10/2014, at 16:42, Johannes B. Ullrich, Ph.D. <jullrich at sans.edu> wrote:
>
> attaching a pcap we just received (un-anonymized… please only share internally “TLP light Orange” )
>
> various source IPs. the common properties appear to be a window size of 6667 (maybe it is supposed to be the source/dst port?) and source/dst port of 0. The TCP header is just corrupt. I bet a broken tool.
Yes, it matches my darknet captures.
6667 is certainly the veteran IRC port, a broken botnet based on vintage code?
Borja.
More information about the nsp-security
mailing list