RE: Weird Incoming IP's and port numbers.

From: NESTING, DAVID M (SBCSI) (dn3723at_private)
Date: Wed Aug 29 2001 - 08:43:44 PDT


    I missed the part in the original message where you noted that these were
    connection attempts.  How are you determining that these are full connection
    attempts?  It seems odd that anybody would connect *to* incrementing
    high-numbered ports *from* a standard HTTP service port.  This behavior is
    more consistent with an *outbound* connection attempt (thus the increasing
    local port numbers) to an HTTP port.  I'm thinking something like this is
    what is occurring (from your point of view, assuming your IP is 10.0.0.1 and
    you are attempting to connect to 10.1.1.1 on the public Internet):
    
    you                     them     (   nat        )
    10.0.0.1  -> SYN     -> 10.1.1.1 (-> 192.168.1.8)
    10.0.0.1  <- SYN+ACK <- 192.168.1.8
       (bad packet from 192.168.1.8, dropped/logged/whatever)
       (timeout waiting on SYN+ACK from 10.1.1.1)
    
    When you should (and eventually do) see:
    
    you                     them     (   nat        )
    10.0.0.1  -> SYN     -> 10.1.1.1 (-> 192.168.1.9)
    10.0.0.1  <- SYN+ACK <- 10.1.1.1 (<- 192.168.1.9)
    10.0.0.1  -> ACK     -> 10.1.1.1 (-> 192.168.1.9)
       (Normal HTTP session proceeds)
    
    Note that I have seen this exact behavior, with these symptoms, in the past.
    I'm not saying *your* NAT is at fault; *their* NAT is.
    
    It's also possible that your system/firewall is seeing the inbound SYN+ACK
    and is treating it as the first part of a connection handshake, leading it
    (and you) to believe it's a legitimate inbound connection request, instead
    of just a goofed up reply to your own outbound connection.
    
    I might try capturing outbound port 80 traffic and see if you can correlate
    the two.
    
    David
    
    -----Original Message-----
    From: West P. [mailto:god-adminat_private]
    Sent: Monday, August 27, 2001 20:52
    To: West P.; incidentsat_private
    Subject: Re: Weird Incoming IP's and port numbers.
    
    So if the answer lies as a badly configured HTTP server farm wouldn't others
    be getting the same requests?  (I'm sure there are other users that have the
    same setup using AIM and MSN.)
    
    Another suggestion was that my NAT wasn't blocking it as it should.  If this
    is the case, how is the person connecting to me with 192.168.1.x address?
    Wouldn't it be their NAT that wasn't changing their internal IP back to
    their external IP?
    
    S
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
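As an added illustration of the correlation David suggests (example code written for this archive page, not from either poster), the script below walks constructed firewall-style log lines and matches each inbound SYN+ACK to the outbound SYN sent from the same local port shortly before. A match whose source differs from the host the SYN was sent to is the "reply from their private address" pattern described in the thread; an inbound SYN+ACK with no matching SYN is genuinely unsolicited. The log line format, the timestamps and the addresses are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, not from the original post):
# timestamp, direction as seen by us, src:port -> dst:port, TCP flags.
SAMPLE_LOG = """\
2001-08-27 20:52:01 OUT 10.0.0.1:1025 -> 10.1.1.1:80 SYN
2001-08-27 20:52:01 IN  192.168.1.8:80 -> 10.0.0.1:1025 SYN+ACK
2001-08-27 20:52:04 OUT 10.0.0.1:1026 -> 10.1.1.1:80 SYN
2001-08-27 20:52:04 IN  10.1.1.1:80 -> 10.0.0.1:1026 SYN+ACK
2001-08-27 20:55:30 IN  192.168.1.8:80 -> 10.0.0.1:1030 SYN+ACK
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+ \S+) (?P<dir>IN|OUT)\s+(?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+)"
)


def parse(log):
    """Yield one dict per well-formed log line, with the timestamp parsed."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
            yield rec


def correlate(log, window=timedelta(seconds=3)):
    """Classify each inbound SYN+ACK by looking up our most recent outbound SYN
    from the same local port within `window`: a match from the host we actually
    contacted is a normal reply; a match from some other address is the
    mis-translated reply the thread describes; no match means unsolicited."""
    outbound = {}  # local source port -> (time we sent the SYN, host we sent it to)
    verdicts = []
    for p in parse(log):
        if p["dir"] == "OUT" and p["flags"] == "SYN":
            outbound[int(p["sport"])] = (p["ts"], p["dst"])
        elif p["dir"] == "IN" and p["flags"] == "SYN+ACK":
            lport = int(p["dport"])
            sent = outbound.get(lport)
            if sent is None or p["ts"] - sent[0] > window:
                verdict = "unsolicited"
            elif p["src"] == sent[1]:
                verdict = "normal reply"
            else:
                verdict = "mismatched reply"  # reply came back from the wrong source
            verdicts.append((lport, p["src"], verdict))
    return verdicts
```

On the sample data the first SYN+ACK on port 1025 is flagged as a mismatched reply, the one on port 1026 as normal, and the one on port 1030 as unsolicited.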
    
    This archive was generated by hypermail 2b30 : Thu Aug 30 2001 - 10:27:01 PDT