Darksat IT Security Forums

Comcast packet spoofing

Author Topic: Comcast packet spoofing  (Read 1932 times)
madopal
« on: December 06, 2007, 03:59:42 pm »

Ok, I got 'em.  Here's me trying to do a simple wget from my server at work, and what I see on a packet sniffer on both ends.  On my work machine, I see 4 requests, then a reset, then my requests start retrying.

On my server, I only see the requests.  I'm sending responses that never get to my work computer.  Here are the packets going back and forth...to port 80, mind you.  Now, I'm using Wireshark at work (GUI) and snort at home (console), so that is why the formatting is different.  But you can see not only the IDs, but the ports & sizes match when they hook up.

You can also see...the request gets through, my server sends a response which never arrives.  Then, after a few more tries and a pause, a mysterious reset packet shows up.  For completeness, a packet is shown after.

Code:
work:
388
2007-12-06 15:30:50.050948
YYY.YYY.YYY.YYY XXX.XXX.XXX.XXX
TCP 33028 > http [SYN] Seq=0 Len=0 MSS=1460 TSV=97922341 TSER=0 WS=6

server:
12/06-15:30:50.062572 0:D:72:1E:10:F9 -> 0:1:3:69:44:AF type:0x800 len:0x4A
YYY.YYY.YYY.YYY:33028 -> XXX.XXX.XXX.XXX:80 TCP TTL:53 TOS:0x0 ID:23969 IpLen:20 DgmLen:60 DF
******S* Seq: 0xF7467084  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1452 SackOK TS: 97922341 0 NOP WS: 6

12/06-15:30:50.062600 0:1:3:69:44:AF -> 0:D:72:1E:10:F9 type:0x800 len:0x4A
XXX.XXX.XXX.XXX:80 -> YYY.YYY.YYY.YYY:33028 TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0xE32982FD  Ack: 0xF7467085  Win: 0x16A0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 4071114589 97922341 NOP
TCP Options => WS: 7

work:
no such packet

------------

work:
900
2007-12-06 15:31:20.044749
XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY
TCP http > 33028 [RST] Seq=0 Len=0

home server:
no such packet

------------

work:
1131
2007-12-06 15:31:35.050804
YYY.YYY.YYY.YYY XXX.XXX.XXX.XXX
TCP 33028 > http [SYN] Seq=0 Len=0 MSS=1460 TSV=97967341 TSER=0 WS=6

home server:
12/06-15:31:35.060509 0:D:72:1E:10:F9 -> 0:1:3:69:44:AF type:0x800 len:0x4A
YYY.YYY.YYY.YYY:33028 -> XXX.XXX.XXX.XXX:80 TCP TTL:53 TOS:0x0 ID:23973 IpLen:20 DgmLen:60 DF
******S* Seq: 0xF7467084  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1452 SackOK TS: 97967341 0 NOP WS: 6

12/06-15:31:35.060540 0:1:3:69:44:AF -> 0:D:72:1E:10:F9 type:0x800 len:0x4A
XXX.XXX.XXX.XXX:80 -> YYY.YYY.YYY.YYY:33028 TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x5D3FB13D  Ack: 0xF7467085  Win: 0x16A0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 4071159587 97967341 NOP
TCP Options => WS: 7

work:
no such packet

Now, up to this point, allegations have been that Comcast is sending resets on p2p traffic.  However, I'm seeing this on ALL requests to my server now...web, mail, you name it.  It's like they've blocked me for no good reason.
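
The two-ended comparison the post does by eye, as an added example that is not part of the original post: it matches segments across both captures and reports which ones exist at only one end. The normalized `Pkt` record and the `compare` function are assumptions made for illustration; the values are hand-transcribed from the excerpts above, with the addresses masked as in the post.

```python
from collections import Counter, namedtuple

# One observed TCP segment: claimed source, ports, flags, TCP timestamp value.
Pkt = namedtuple("Pkt", "src sport dst dport flags tsval")

WORK, SERVER = "YYY.YYY.YYY.YYY", "XXX.XXX.XXX.XXX"  # masked as in the post

# Hand-transcribed from the post's excerpts (normalized form is an assumption).
CAPTURES = {
    WORK: [
        Pkt(WORK, 33028, SERVER, 80, "S", 97922341),
        Pkt(SERVER, 80, WORK, 33028, "R", None),
        Pkt(WORK, 33028, SERVER, 80, "S", 97967341),
    ],
    SERVER: [
        Pkt(WORK, 33028, SERVER, 80, "S", 97922341),
        Pkt(SERVER, 80, WORK, 33028, "SA", 4071114589),
        Pkt(WORK, 33028, SERVER, 80, "S", 97967341),
        Pkt(SERVER, 80, WORK, 33028, "SA", 4071159587),
    ],
}

def compare(captures):
    """Return (unsourced, dropped): segments a host received that its peer
    never recorded sending, and segments a host sent that never arrived."""
    # MSS is not part of the key: the post shows it changing in transit
    # (1460 at work, 1452 at the server), so it cannot be used for matching.
    seen = {host: Counter(pkts) for host, pkts in captures.items()}
    unsourced, dropped = [], []
    for host, pkts in captures.items():
        for p in pkts:
            if p.src == host and seen[p.dst][p] == 0:
                dropped.append((host, p))      # sent here, never seen by peer
            elif p.src != host and seen[p.src][p] == 0:
                unsourced.append((host, p))    # arrived here, peer never sent it
    return unsourced, dropped

if __name__ == "__main__":
    unsourced, dropped = compare(CAPTURES)
    for host, p in unsourced:
        print(f"seen only at {host}: [{p.flags}] claiming to be from {p.src}:{p.sport}")
    for host, p in dropped:
        print(f"sent by {host} but never arrived: [{p.flags}] tsval={p.tsval}")
```

On these excerpts the only segment without a sender-side record is the RST carrying the server's address, and both SYN/ACKs fall in the sent-but-never-arrived list.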