Re: Logs: Many hits with source port of 80
From: Joe Stewart (jstewart@lurhq.com)
Date: 12/16/02
- In reply to: Byrne Ghavalas: "Logs: Many hits with source port of 80"
From: Joe Stewart <jstewart@lurhq.com>
To: "Byrne Ghavalas" <security@nscs.uk.com>
Date: Mon, 16 Dec 2002 10:27:32 -0500
On Friday 13 December 2002 05:05 am, Byrne Ghavalas wrote:
> Hi All,
>
> Has anyone else noticed a high number of hits in their security logs,
> where the source port is set to tcp 80 and the destination port is some
> high tcp port? I have noticed that these events seem to be getting more
> numerous than the NetBios scans ;-)
>
> For example:
> 2002-12-13 09:08:04 194.78.225.36:80 XX.XX.XX.XX:29439
> 2002-12-13 09:07:04 194.78.225.36:80 XX.XX.XX.XX:29439
> 2002-12-13 09:06:05 194.78.225.36:80 XX.XX.XX.XX:29439
Hi,
Whenever I get a source-port-80-to-high-port scan I suspect network
misconfiguration/lost state connection on the firewall. (Never attribute
to malice that which can be adequately explained by stupidity.) An easy
way to check is telnet to port 80 on the source host. In this case:
[test@test test]$ telnet 194.78.225.36 80
Trying 194.78.225.36...
Connected to 194.78.225.36 (194.78.225.36).
Escape character is '^]'.
GET / HTTP/1.0
HTTP/1.1 505 HTTP Version not supported
Date: Mon, 16 Dec 2002 15:03:11 GMT
Content-Length: 215
Content-Type: text/html
Server: Footprint Distributor V2.0
Connection: close
<HTML><HEAD>
<TITLE>505 HTTP Version Not Supported</TITLE>
<BODY><H1>HTTP Version Not Supported</H1>
The requested URL, "http://194.78.225.36:8808/", cannot be accessed using your
current browser.<P>
</BODY></HTML>
Connection closed by foreign host.
Hmm. "Footprint Distributor V2.0". Sounds like a load balancer. Some Googling
turns up a product called "Footprint" from a company called Sandpiper that
does distributed content caching. Let's see if they actually use the product to
serve their own website:
[test@test test]$ telnet www.sandpiper.net 80
Trying 63.208.96.131...
Connected to unknown.Level3.net (63.208.96.131).
Escape character is '^]'.
GET / HTTP/1.1
HTTP/1.0 408 Request Time-out
Server: Footprint 2.0/FPMCP
Mime-Version: 1.0
Date: Mon, 16 Dec 2002 15:15:19 GMT
Content-Type: text/html
Content-Length: 653
Expires: Mon, 16 Dec 2002 15:15:19 GMT
Suspicion confirmed. My guess is that the probes you are getting are reply
SYN-ACK packets from a webserver you are trying to visit. They have somehow
misconfigured the load balancer and the replies are coming from the wrong IP
address, so your firewall sees them as an entirely different connection and
drops the packets.
-Joe
--
Joe Stewart <jstewart@lurhq.com>
Senior Information Security Analyst
-----------------------------------------
"24x7 Enterprise Security Monitoring"
LURHQ Corporation
http://www.lurhq.com/
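The triage Joe describes, as an added Python example that is not part of the original thread: it parses log lines in the format Byrne quoted (a constructed sample with placeholder addresses), groups source-port-80 hits to the same high port as likely retransmitted SYN-ACKs for a connection the firewall has lost state for, and pulls the Server banner out of an HTTP response the way the telnet check does. `fetch_banner` is an assumed scripting of that telnet step and makes a real connection; the other functions run offline.

```python
import re
import socket
from collections import defaultdict
from datetime import datetime
# Log format quoted in the thread: "<date> <time> <src>:<sport> <dst>:<dport>"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+):(\d+) (\S+):(\d+)$")
# Constructed sample (placeholder addresses): three hits a minute apart from one
# IP:80 to the same high port, plus an unrelated NetBIOS hit for contrast.
SAMPLE_LOG = """\
2002-12-13 09:08:04 198.51.100.36:80 192.0.2.10:29439
2002-12-13 09:07:04 198.51.100.36:80 192.0.2.10:29439
2002-12-13 09:06:05 198.51.100.36:80 192.0.2.10:29439
2002-12-13 09:06:00 198.51.100.7:1234 192.0.2.10:139
"""

def parse_log(text):
    """Return (timestamp, src, sport, dst, dport) tuples for matching lines."""
    return [(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2),
             int(m.group(3)), m.group(4), int(m.group(5)))
            for m in map(LINE_RE.match, text.splitlines()) if m]

def stray_reply_candidates(events, min_hits=2):
    """Group source-port-80 hits to high ports by 4-tuple. Repeated hits to the
    *same* high port, tens of seconds apart, look like retransmitted SYN-ACKs
    for a connection the firewall has no state for; a scan would vary the port."""
    groups = defaultdict(list)
    for ts, src, sport, dst, dport in events:
        if sport == 80 and dport >= 1024:
            groups[(src, sport, dst, dport)].append(ts)
    result = {}
    for key, stamps in groups.items():
        if len(stamps) >= min_hits:
            stamps.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            result[key] = {"hits": len(stamps), "gaps_s": gaps}
    return result

def server_header(raw_response):
    """Extract the Server header, the banner Joe used to identify the device."""
    for line in raw_response.splitlines():
        if not line:  # blank line ends the headers; do not match the body
            return None
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()

def fetch_banner(host, port=80, timeout=5):
    """The telnet check from the post, scripted (makes a real connection)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        return server_header(sock.recv(4096).decode("latin-1", "replace"))
```

Run `stray_reply_candidates(parse_log(SAMPLE_LOG))` against your own export; a 4-tuple that recurs with roughly constant gaps is the pattern to check with `fetch_banner` before treating it as a scan.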