[nsp-sec] Odd packets from 255.127.0.0
Mike Tancsa
mike at sentex.net
Mon Oct 6 14:10:06 EDT 2014
On 10/6/2014 1:03 PM, Bill Owens wrote:
> ----------- nsp-security Confidential --------
>
> On Mon, Oct 06, 2014 at 11:45:13AM -0400, Bill Owens wrote:
>> ----------- nsp-security Confidential --------
>>
>> I saw something like this a long time ago, when a defective port on a piece of Ethernet-over-SONET gear started resending frames with the link-layer headers intact, so the other equipment on the network interpreted them as IP headers. The fact that the captured packets don't have a valid IP header at all makes me think that something similar is happening, a bad piece of hardware someplace.
>
> Scratch that theory - these packets, or something very much like them, have been around for quite a while now: http://www.cert.pl/news/4433/langswitch_lang/en
I think for me, it's the src addr that's oddly specific and novel. But I
guess that's just a symptom of the larger issue?

Looking a little more, there seems to be a marked jump in tcp port 0
traffic coming into my AS. One segment I had a look at shows quite
an increase starting yesterday and continuing today.

Date    port 0 TCP pkts
03             29,021
04             20,573
05          2,259,555
06          2,926,453

---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/