RE: Localhost packets on WAN
From: Frank Knobbe (frank_at_knobbe.us)
Date: 09/30/04
- Next in thread: David Gillett: "RE: Localhost packets on WAN"
- Maybe reply: David Gillett: "RE: Localhost packets on WAN"
To: "NESTING, DAVID M (SBCSI)" <dn3723@sbc.com>
Date: Thu, 30 Sep 2004 16:39:30 -0500
On Thu, 2004-09-30 at 10:00, NESTING, DAVID M (SBCSI) wrote:
> Frequently, when the source port is 80 and the destination port is
> "ephemeral", I find problems like this are usually caused by buggy or
> misconfigured load balancers in front of a web site. Some load
> balancers get your packet to the physical server by doing tricks with
> the network stack.
Good thought, could be. But this is easy to test. Just run tcpdump and
sniff for those source IP and ephemeral ports (guess a range in advance
if all is NATed to one IP). If you do see those leaving your network to
some web site, then your theory applies. But if you don't see any such
packets originating from your network, then these incoming packets are
responses to spoofed packets. "Hanson's Blaster Theorem" applies :)
(Of course it could be just someone sending crafted packets your way to
keep you busy chasing a ghost.... make sure you don't have a security
assessment or penetration test scheduled on your premises when those
Internet flukes appear :)
Cheers,
Frank
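
The test described in the message above, as an added example that is not part of the original post: it reads `tcpdump -nn` text output and separates inbound packets from port 80 that answer a flow the local network actually opened from those with no matching outbound packet. The addresses, ports and capture lines are constructed sample data, and `classify` and `local_ips` are hypothetical names.

```python
import re

# tcpdump -nn text line: "<time> IP <src>.<sport> > <dst>.<dport>: ..."
LINE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def parse(lines):
    """Yield (src, sport, dst, dport) for each IPv4 line with ports; skip the rest."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            src, sport, dst, dport = m.groups()
            yield src, int(sport), dst, int(dport)

def classify(lines, local_ips, service_port=80):
    """Split inbound packets from service_port into (solicited, unsolicited)."""
    packets = list(parse(lines))
    # Flows this network really opened: (local ip, local port, remote ip).
    opened = {(s, sp, d) for s, sp, d, dp in packets
              if s in local_ips and dp == service_port}
    solicited, unsolicited = [], []
    for s, sp, d, dp in packets:
        if d in local_ips and sp == service_port:
            # A genuine response mirrors an outbound packet's addresses and ports.
            bucket = solicited if (d, dp, s) in opened else unsolicited
            bucket.append((s, sp, d, dp))
    return solicited, unsolicited

# Constructed capture taken outside the NAT device; 192.0.2.10 stands in for
# the single public (NAT) address of the local network.
SAMPLE = """\
16:39:30.000101 IP 192.0.2.10.40123 > 198.51.100.7.80: Flags [S], seq 1000, win 65535, length 0
16:39:30.020345 IP 198.51.100.7.80 > 192.0.2.10.40123: Flags [S.], seq 2000, ack 1001, win 65535, length 0
16:39:31.500000 IP 203.0.113.5.80 > 192.0.2.10.51877: Flags [S.], seq 3000, ack 4001, win 16384, length 0
16:39:32.250000 IP 127.0.0.1.80 > 192.0.2.10.1291: Flags [R.], seq 0, ack 5001, win 0, length 0
""".splitlines()

if __name__ == "__main__":
    ok, odd = classify(SAMPLE, {"192.0.2.10"})
    for pkt in ok:
        print("answers a local flow:    ", pkt)
    for pkt in odd:
        print("no matching outbound pkt:", pkt)
```

The capture has to include outbound traffic at the same vantage point for the whole window, otherwise a real flow whose first packet was missed shows up as unsolicited.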