I missed the part in the original message where you noted that these were connection attempts. How are you determining that these are full connection attempts? It seems odd that anybody would connect *to* incrementing high-numbered ports *from* a standard HTTP service port. This behavior is more consistent with an *outbound* connection attempt (thus the increasing local port numbers) to an HTTP port.

I'm thinking something like this is what is occurring (from your point of view, assuming your IP is 10.0.0.1 and you are attempting to connect to 10.1.1.1 on the public Internet):

  you                        them
                             ( nat )
  10.0.0.1 -> SYN     -> 10.1.1.1 (-> 192.168.1.8)
  10.0.0.1 <- SYN+ACK <- 192.168.1.8
     (bad packet from 192.168.1.8, dropped/logged/whatever)
     (timeout waiting on SYN+ACK from 10.1.1.1)

When you should (and eventually do) see:

  you                        them
                             ( nat )
  10.0.0.1 -> SYN     -> 10.1.1.1 (-> 192.168.1.9)
  10.0.0.1 <- SYN+ACK <- 10.1.1.1 (<- 192.168.1.9)
  10.0.0.1 -> ACK     -> 10.1.1.1 (-> 192.168.1.9)
     (Normal HTTP session proceeds)

Note that I have seen this exact behavior, with these symptoms, in the past. I'm not saying *your* NAT is at fault; *their* NAT is.

It's also possible that your system/firewall is seeing the inbound SYN+ACK and is treating it as the first part of a connection handshake, leading it (and you) to believe it's a legitimate inbound connection request, instead of just a goofed-up reply to your own outbound connection.

I might try capturing outbound port 80 traffic and see if you can correlate the two.

David

-----Original Message-----
From: West P. [mailto:god-adminat_private]
Sent: Monday, August 27, 2001 20:52
To: West P.; incidentsat_private
Subject: Re: Weird Incoming IP's and port numbers.

So if the answer lies as a badly configured HTTP server farm, wouldn't others be getting the same requests? (I'm sure there are other users that have the same setup using AIM and MSN)

Another suggestion was that my NAT wasn't blocking it as it should. If this is the case, how is the person connecting to me with a 192.168.1.x address? Wouldn't it be their NAT that wasn't changing their internal IP back to their external IP?

S

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Aug 30 2001 - 10:27:01 PDT
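
Added example (not part of the original messages): one way to do the correlation suggested in the reply above, matching each inbound SYN+ACK against your own outbound SYNs by local port. The log format, the function names and the sample capture are constructed for illustration; the addresses follow the ones used in the reply.

```python
# Constructed sample capture (not from the thread).
# Format per line: "time src:sport dst:dport flags"  (S = SYN, SA = SYN+ACK, A = ACK)
SAMPLE = """\
0.00 10.0.0.1:1045 10.1.1.1:80 S
0.03 192.168.1.8:80 10.0.0.1:1045 SA
3.00 10.0.0.1:1046 10.1.1.1:80 S
3.02 10.1.1.1:80 10.0.0.1:1046 SA
3.02 10.0.0.1:1046 10.1.1.1:80 A
9.00 192.168.1.8:80 10.0.0.1:4000 SA
"""

def parse(line):
    """Split one constructed log line into typed fields."""
    ts, src, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return float(ts), sip, int(sport), dip, int(dport), flags

def correlate(capture, local_ip, window=5.0):
    """Classify each inbound SYN+ACK against our own pending outbound SYNs."""
    pending = {}    # local port -> (remote ip, remote port, time of our SYN)
    findings = []   # (local port, SYN+ACK source address, verdict)
    for line in capture.strip().splitlines():
        ts, sip, sport, dip, dport, flags = parse(line)
        if sip == local_ip and flags == "S":
            pending[sport] = (dip, dport, ts)
        elif dip == local_ip and flags == "SA":
            syn = pending.get(dport)
            if syn is None or ts - syn[2] > window:
                # No recent SYN of ours on this local port.
                findings.append((dport, sip, "unsolicited"))
            elif (sip, sport) == syn[:2]:
                findings.append((dport, sip, "normal"))
                del pending[dport]
            elif sport == syn[1]:
                # Same port pair as our SYN but a different source address:
                # a reply to our own connection with an untranslated source.
                findings.append((dport, sip, "mismatched-source"))
            else:
                findings.append((dport, sip, "unsolicited"))
    return findings

if __name__ == "__main__":
    for local_port, source, verdict in correlate(SAMPLE, "10.0.0.1"):
        print(f"local port {local_port}: SYN+ACK from {source} -> {verdict}")
```

A "mismatched-source" verdict on the same local port as one of your own SYNs supports the reading that the packet is a reply to your outbound connection and not a new inbound request.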