Traffic from microsoft.com ?

From: Peter Bates (Peter.Batesat_private)
Date: Sun Jul 01 2001 - 06:01:22 PDT

  • Next message: gabriel rosenkoetter: "Re: Why would someone DoS a free-lance writer?"

    Hello all...
    
    I'd just be curious if anyone else saw a similar sort of
    behaviour recently...
    
    I was dealing with an unrelated problem at the time,
    and happened to observe our firewall logs during this period...
    
    From 02:17 (GMT) to 02:26, our firewall logged 399
    examples of traffic from 'microsoft.com' (the log had DNS lookup
    applied, but I can see from the raw logs that these were various
    machines, mostly 207.46.x.x) to most of our hosts here.
    
    The traffic always has a source port of 80, and dst port
    around the 1024-1200 range, pretty symptomatic of normal
    web-browsing...
    
    What was odd, of course, is the timing (hardly anyone would have been
    here) and the inclusion of machines that I pretty much know were either
    a) turned off b) non-Windows servers ...
    
    Was this just the sign of a big spoofed scan, but if so, how come I can't see
    any indication of an IP address that doesn't resolve to microsoft.com?
    
    ...
    
    
    -------------------------------------------------------------------------------------------------------------------->
    Peter Bates, Systems Support Officer, Network Support Team.
    London School of Hygiene & Tropical Medicine.
    Telephone:0207-927 2124 / Fax: 0207-436 5389 / Pager: 07625 255362
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Sun Jul 01 2001 - 11:03:08 PDT