Fake IP addresses being generated on Android phone
I've been getting some alerts from different layers of firewall I run.
When I finally got to the bottom of it, it was two Android phones. They are attempting to send requests OUT but are quoting a SRC address which, while plausible, cannot exist on my networks. So far I've seen it try to contact Twitter and the Android Market. NB: this is NOT somebody using Twitter, as that goes out with the correct SRC address. Now it strikes me that if I ran a simpler firewall regime, these would get out and come back, and assuming the phone was in promiscuous mode it could catch the reply, but any attempt to trace it back to source would be thwarted. Using Twitter to post the info means the final server need not reveal itself ... has anybody seen this before? The SRC addresses used change, say, about once per hour. PS: They do not appear in the ARP table either.
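One way to tie packets like these back to a physical device, as an added example that is not part of the original post: since the SRC address changes and never appears in the ARP table, group the firewall hits by the source MAC in the frame instead. It assumes Linux iptables `LOG` output and a LAN of 192.168.1.0/24; the log lines, MACs and addresses are constructed samples.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the prefixes that legitimately exist behind this firewall.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample lines in iptables LOG format (not taken from the post).
# The MAC= field is: destination MAC (6 octets), source MAC (6), EtherType (2).
SAMPLE_LOG = """\
Mar  3 10:00:01 gw kernel: IN=wlan0 OUT=eth0 MAC=02:00:00:00:00:01:02:00:00:aa:bb:01:08:00 SRC=192.168.1.23 DST=203.0.113.10 PROTO=TCP SPT=40112 DPT=443
Mar  3 10:00:07 gw kernel: IN=wlan0 OUT=eth0 MAC=02:00:00:00:00:01:02:00:00:aa:bb:01:08:00 SRC=192.168.7.44 DST=198.51.100.5 PROTO=TCP SPT=40113 DPT=443
Mar  3 11:02:19 gw kernel: IN=wlan0 OUT=eth0 MAC=02:00:00:00:00:01:02:00:00:aa:bb:01:08:00 SRC=192.168.9.12 DST=203.0.113.10 PROTO=TCP SPT=40250 DPT=443
Mar  3 11:02:30 gw kernel: IN=wlan0 OUT=eth0 MAC=02:00:00:00:00:01:02:00:00:aa:bb:02:08:00 SRC=192.168.1.40 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=80
Mar  3 11:05:02 gw kernel: IN=wlan0 OUT=eth0 MAC=02:00:00:00:00:01:02:00:00:aa:bb:03:08:00 SRC=10.20.3.9 DST=203.0.113.10 PROTO=TCP SPT=33001 DPT=443
"""

LINE_RE = re.compile(
    r"IN=(?P<iface>\S+) .*?MAC=(?P<mac>[0-9a-f:]+) SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
)


def source_mac(mac_field):
    """Extract the sender's MAC (octets 7-12) from an iptables MAC= field."""
    return ":".join(mac_field.split(":")[6:12])


def find_spoofed(log_text, local_nets=LOCAL_NETS):
    """Map source MAC -> sorted (SRC, DST) pairs whose SRC is in no local prefix."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed address field, skip the line
        if any(src in net for net in local_nets):
            continue  # legitimate LAN source
        hits[source_mac(m["mac"])].add((m["src"], m["dst"]))
    return {mac: sorted(pairs) for mac, pairs in hits.items()}


if __name__ == "__main__":
    for mac, pairs in find_spoofed(SAMPLE_LOG).items():
        print(mac, pairs)
```

The MAC that keeps showing up with off-net SRC values can then be matched against the DHCP lease table or the access point's association list.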