--- On Thu, 11/11/10, Joel Esler <joel.es...@me.com> wrote: > From: Joel Esler <joel.es...@me.com> > Subject: Re: Gratuitous syn/ack > To: "Pete Carah" <p...@altadena.net> > Cc: "nanog@nanog.org" <nanog@nanog.org> > Date: Thursday, November 11, 2010, 5:03 PM > I am betting backscatter. > > > Sent from my iPhone > > On Nov 11, 2010, at 5:31 PM, Pete Carah <p...@altadena.net> > wrote: > > > I'm seeing a significant number (about 1/minute 24 > hr/day) of syn/ack > > packets coming from port 80 of random addresses to > random ports on my > > nameserver and a few other systems. This isn't > enough traffic to be > > really annoying, but is curious. > > > > I wonder if the simple explanation (backscatter from > syn floods with > > spoofed source addresses) is more likely, or if there > are some probing > > techniques in "normal" use that use these packets (one > could accomplish > > a traceroute using port 80 packets in either > direction...) > > > > -- Pete
...or script kiddies port-scanning - sending a syn-ack to a non-existent session expecting a RST back. ./Randy
