> Over the past 2 weeks we've started to receive some pretty
> strange traffic which has been stopped at our border. The
> $TARGET host in each case is the same.
>
> Q. Has anyone seen anything like this? Any thoughts??
> Aug 22 16:42:04 8/0/icmp $TARGET <- 204.71.128.148 98
> Aug 22 16:42:06 8/0/icmp $TARGET <- 204.71.128.148 98
> Aug 22 16:42:15 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn
> Aug 22 16:42:20 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn
> Aug 22 16:42:25 tcp $TARGET;53 <- 204.71.128.148;1024 54 syn
> Aug 22 16:42:30 tcp $TARGET;123 <- 204.71.128.148;1024 54 syn
> Aug 22 16:42:35 tcp $TARGET;113 <- 204.71.128.148;1024 54 syn

What is $target? A firewall or web proxy? This looks suspiciously like the RTT measuring traffic I was getting from an http load balancing device (F5 BigIP in my case).

hth,
TR

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
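An added example, not part of the original thread: a small Python parser for the border-log lines quoted above that summarizes each source's probe pattern (ICMP count, TCP destination ports, source port, spacing between SYNs) for triage. The function names `parse` and `summarize`, the reading of `8/0/icmp` as type/code/protocol, the year, and the cadence heuristic are assumptions; a regular cadence shows an automated prober but does not by itself tell a load balancer's RTT probe from a scan.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines copied from the quoted post; "$TARGET" is the poster's own redaction.
SAMPLE = """\
Aug 22 16:42:04 8/0/icmp $TARGET <- 204.71.128.148 98
Aug 22 16:42:06 8/0/icmp $TARGET <- 204.71.128.148 98
Aug 22 16:42:15 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn
Aug 22 16:42:20 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn
Aug 22 16:42:25 tcp $TARGET;53 <- 204.71.128.148;1024 54 syn
Aug 22 16:42:30 tcp $TARGET;123 <- 204.71.128.148;1024 54 syn
Aug 22 16:42:35 tcp $TARGET;113 <- 204.71.128.148;1024 54 syn
"""

# timestamp, protocol, dst[;port] <- src[;port], length, optional TCP flags
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<proto>\S+) "
    r"(?P<dst>[^;\s]+)(?:;(?P<dport>\d+))? <- "
    r"(?P<src>[^;\s]+)(?:;(?P<sport>\d+))? (?P<len>\d+)(?: (?P<flags>\S+))?$"
)

def parse(line, year=2001):
    """Return a dict for one log line, or None if it does not match.
    The log format omits the year, so `year` is an assumption."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec

def summarize(text):
    """Group parsed lines by source address and describe the probe pattern."""
    by_src = defaultdict(list)
    for rec in filter(None, map(parse, text.splitlines())):
        by_src[rec["src"]].append(rec)
    report = {}
    for src, recs in by_src.items():
        tcp = sorted((r for r in recs if r["proto"] == "tcp"), key=lambda r: r["time"])
        gaps = [int((b["time"] - a["time"]).total_seconds()) for a, b in zip(tcp, tcp[1:])]
        sports = sorted({int(r["sport"]) for r in tcp})
        report[src] = {
            # Assumption: "8/0/icmp" is ICMP type 8, code 0 (echo request)
            "icmp_echo": sum(r["proto"] == "8/0/icmp" for r in recs),
            "tcp_dports": sorted({int(r["dport"]) for r in tcp}),
            "tcp_sports": sports,
            "tcp_gaps_s": gaps,
            # Heuristic (assumption): several SYNs, one source port, constant spacing
            "fixed_cadence": len(tcp) >= 3 and len(set(gaps)) == 1 and len(sports) == 1,
        }
    return report

if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(src, info)
```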
This archive was generated by hypermail 2b30 : Thu Sep 06 2001 - 08:10:15 PDT