Re: What's going on here?

From: Mark (mark@uniontown.com)
Date: 08/28/02


From: "Mark" <mark@uniontown.com>
To: "Russell Fulton" <r.fulton@auckland.ac.nz>, "Yonatan Bokovza" <Yonatan@xpert.com>
Date: Wed, 28 Aug 2002 13:34:23 -0400

Don't know if this was mentioned, haven't been following the whole thread,
but my suggestion would be that it's someone who physically resides in your
upstream path portscanning, using source port 80 to fool misconfigured
non-stateful ACLs into thinking that these are replies to normal web
traffic, but using SYN only to catch valid open TCP ports.

-Mark C.

----- Original Message -----
From: "Russell Fulton" <r.fulton@auckland.ac.nz>
To: "Yonatan Bokovza" <Yonatan@xpert.com>
Cc: "'Jackie'" <JackieJ@Syllables.com>; <incidents@securityfocus.com>
Sent: Monday, August 26, 2002 10:57 PM
Subject: RE: What's going on here?

> On Tue, 2002-08-27 at 03:54, Yonatan Bokovza wrote:
> > > -----Original Message-----
> > > From: Jackie [mailto:JackieJ@Syllables.com]
> > > Sent: Saturday, August 24, 2002 02:57
> > > To: incidents@securityfocus.com
> > > Subject: What's going on here?
> > >
> > >
> > > ZoneAlarm reported this burst, all from port 80 on a reserved IP
> > > block. What the honk's going on?
> > >
> > >
> > > FWIN,2002/08/23,18:47:42 -4:00 GMT,10.60.1.102:80,xxx.xx.96.7:9176,TCP (flags:S)
> > > FWIN,2002/08/23,18:47:42 -4:00 GMT,10.10.2.105:80,xxx.xx.96.7:13682,TCP (flags:S)
> >
> > Someone is scanning a victim that's in reserved address-space,
> > giving your address as decoy.
> >
>
> Ummm... I don't think so, in that case the flags would be SA not S.
> These appear to be SYN packets sent from port 80 to random port numbers.
>
> --
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland, New Zealand
>
> "It aint necessarily so" - Gershwin
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
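
The distinction discussed in this thread (a bare SYN arriving from source port 80, versus the SYN/ACK a genuine reply would carry), as an added Python example that is not part of the original messages. The function names, the two ACL models and the sample log are assumptions made for illustration: the first two log lines follow the quoted ZoneAlarm entries with a documentation address substituted for the masked destination, and the third line is constructed.

```python
import ipaddress
import re

# Constructed sample in the ZoneAlarm format quoted above. Destinations are
# documentation addresses; the third line (SYN/ACK) is invented for contrast.
SAMPLE_LOG = """\
FWIN,2002/08/23,18:47:42 -4:00 GMT,10.60.1.102:80,192.0.2.7:9176,TCP (flags:S)
FWIN,2002/08/23,18:47:42 -4:00 GMT,10.10.2.105:80,192.0.2.7:13682,TCP (flags:S)
FWIN,2002/08/23,18:47:43 -4:00 GMT,198.51.100.9:80,192.0.2.7:3051,TCP (flags:SA)
"""

LINE_RE = re.compile(
    r"^FWIN,[^,]+,[^,]+,(?P<src>[\d.]+):(?P<sport>\d+),"
    r"(?P<dst>[\d.]+):(?P<dport>\d+),TCP \(flags:(?P<flags>[A-Z]+)\)$")

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(line):
    """Return src, sport and the set of flag letters, or None if no match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"src": m["src"], "sport": int(m["sport"]),
            "flags": frozenset(m["flags"])}

def port_only_acl(rec):
    """Weak non-stateful rule: permit anything with source port 80."""
    return rec["sport"] == 80

def reply_only_acl(rec):
    """Stricter non-stateful rule: also require ACK or RST, as a reply has."""
    return rec["sport"] == 80 and bool(rec["flags"] & {"A", "R"})

def classify(rec):
    notes = []
    if rec["flags"] == {"S"}:
        notes.append("bare SYN: a connection attempt, not a reply")
    if any(ipaddress.ip_address(rec["src"]) in net for net in RFC1918):
        notes.append("RFC 1918 source: not routable across the Internet")
    if port_only_acl(rec) and not reply_only_acl(rec):
        notes.append("passes a port-only ACL; dropped once ACK/RST is required")
    return notes

def analyze(log):
    return [(r["src"], classify(r)) for r in map(parse, log.splitlines()) if r]

if __name__ == "__main__":
    for src, notes in analyze(SAMPLE_LOG):
        print(src, notes or ["consistent with a reply from a web server"])
```

A stateful filter goes further than `reply_only_acl` by also requiring that the packet match a connection the inside host actually opened.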
