[nsp-sec] Odd packets from 255.127.0.0
Bill Owens
owens at nysernet.org
Mon Oct 6 11:45:13 EDT 2014
On Mon, Oct 06, 2014 at 05:04:16PM +0200, Borja Marcos wrote:
> ----------- nsp-security Confidential --------
>
>
>
> > On 6/10/2014, at 16:42, Johannes B. Ullrich, Ph.D. <jullrich at sans.edu> wrote:
> >
> > attaching a pcap we just received (un-anonymized… please only share internally “TLP light Orange” )
> >
> > various source IPs. the common properties appear to be a window size of 6667 (maybe it is supposed to be the source/dst port?) and source/dst port of 0. The TCP header is just corrupt. I bet a broken tool.
>
> Yes, it matches my darknet captures.
>
> 6667 is certainly the veteran IRC port, a broken botnet based on vintage code?
I saw something like this a long time ago, when a defective port on a piece of Ethernet-over-SONET gear started resending frames with the link-layer headers intact, so the other equipment on the network interpreted them as IP headers. The fact that the captured packets don't have a valid IP header at all makes me think that something similar is happening, a bad piece of hardware someplace.
Bill.
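The two readings offered in the thread, a tool sending structurally valid packets with odd field values versus buffers that were never IP headers at all, can be told apart mechanically: validate the IPv4 header (version, IHL, total length, header checksum) before trusting anything in the TCP header. The code below is an added example, not code from this thread or from any of its participants, and the packets in it are constructed here; the Ethernet-header-in-front case only illustrates the kind of misframing Bill describes, not the contents of the actual pcap.

```python
"""Sanity-check whether a captured buffer starts with a genuine IPv4 header.

Added example, not from the nsp-security thread. It separates a well-formed
IPv4/TCP packet carrying odd values (ports 0, window 6667) from a buffer that
is not an IP header at all, such as a frame re-sent with its Ethernet header
intact and then decoded from the wrong offset. All packets are constructed.
"""
import socket
import struct

IPV4_HDR = "!BBHHHBBH4s4s"  # ver/IHL, TOS, total len, ID, flags/frag, TTL, proto, checksum, src, dst
TCP_HDR = "!HHIIBBHHH"      # sport, dport, seq, ack, data offset, flags, window, checksum, urgent


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header bytes.
    Over a header whose checksum field is correct this returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, window: int) -> bytes:
    """Minimal IPv4 header plus a 20-byte TCP SYN header (no payload; TCP checksum left 0)."""
    tcp = struct.pack(TCP_HDR, sport, dport, 1, 0, 5 << 4, 0x02, window, 0, 0)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + tcp


def classify(buf: bytes) -> dict:
    """Decode buf as if it began at the IP layer and report which checks fail."""
    result = {"ip_header_valid": False, "problems": [], "fields": {}}
    problems = result["problems"]
    if len(buf) < 20:
        problems.append("buffer shorter than a minimal IPv4 header")
        return result
    ver_ihl, _tos, total_len, _id, _ff, _ttl, proto, _ck, src, dst = struct.unpack(IPV4_HDR, buf[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    result["fields"].update(version=version, ihl=ihl, total_length=total_len, protocol=proto,
                            src=socket.inet_ntoa(src), dst=socket.inet_ntoa(dst))
    if version != 4:
        problems.append("version field is %d, not 4" % version)
    if ihl < 20:
        problems.append("IHL %d is below the 20-byte minimum" % ihl)
    elif len(buf) < ihl:
        problems.append("buffer shorter than the %d-byte IHL" % ihl)
    else:
        if total_len < ihl or total_len > len(buf):
            problems.append("total length %d inconsistent with %d captured bytes" % (total_len, len(buf)))
        if ipv4_checksum(buf[:ihl]) != 0:
            problems.append("IPv4 header checksum does not verify")
    result["ip_header_valid"] = not problems
    # Read TCP fields only once the IP header itself is trustworthy; otherwise the
    # "ports" and "window" are just whatever bytes happen to sit at those offsets.
    if result["ip_header_valid"] and proto == 6 and len(buf) >= ihl + 20:
        sport, dport, _seq, _ack, off, _flags, window, _tck, _urg = struct.unpack(TCP_HDR, buf[ihl:ihl + 20])
        result["fields"].update(sport=sport, dport=dport, window=window, tcp_offset=(off >> 4) * 4)
        if sport == 0 and dport == 0:
            problems.append("TCP source and destination ports are both 0")
        if (off >> 4) < 5:
            problems.append("TCP data offset below the 5-word minimum")
    return result


# Constructed samples (not taken from the thread's capture).
NORMAL = build_ipv4_tcp("192.0.2.10", "198.51.100.7", 40000, 6667, 8192)
# Valid IP header, but ports 0 and window 6667: the IP layer is fine, so a sender put those values there.
ODD_TCP = build_ipv4_tcp("192.0.2.10", "198.51.100.7", 0, 0, 6667)
# The same frame with a 14-byte Ethernet header left in front and decoded from the wrong
# offset: the bytes read as the IP header are really two MAC addresses and an EtherType.
ETHERNET_HDR = bytes.fromhex("ffffffffffff" "001122334455" "0800")
MISFRAMED = ETHERNET_HDR + NORMAL

if __name__ == "__main__":
    for name, pkt in ("NORMAL", NORMAL), ("ODD_TCP", ODD_TCP), ("MISFRAMED", MISFRAMED):
        r = classify(pkt)
        print(name, "ip_header_valid=%s" % r["ip_header_valid"], r["problems"], r["fields"])
```

The useful signal is the combination: `ip_header_valid` true with TCP oddities points at whatever built the packet, while a failing version nibble or header checksum means the capture is not showing an IP header in the first place, which is the situation a re-sent link-layer frame would produce. Note that a failed IPv4 checksum alone only says the bytes were corrupted somewhere between sender and capture point, not where.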