Don't know if this was mentioned, haven't been following the whole thread, but my suggestion would be that it's someone who physically resides in your upstream path portscanning, using source port 80 to fool misconfigured non-stateful ACLs into thinking that these are replies to normal web traffic, but using Syn only to catch valid open TCP ports. -Mark C. ----- Original Message ----- From: "Russell Fulton" <r.fultonat_private> To: "Yonatan Bokovza" <Yonatanat_private> Cc: "'Jackie'" <JackieJat_private>; <incidentsat_private> Sent: Monday, August 26, 2002 10:57 PM Subject: RE: What's going on here? > On Tue, 2002-08-27 at 03:54, Yonatan Bokovza wrote: > > > -----Original Message----- > > > From: Jackie [mailto:JackieJat_private] > > > Sent: Saturday, August 24, 2002 02:57 > > > To: incidentsat_private > > > Subject: What's going on here? > > > > > > > > > ZoneAlarm reported this burst, all from port 80 on a reserved IP > > > block. What the honk's going on? > > > > > > > > > FWIN,2002/08/23,18:47:42 -4:00 > > > GMT,10.60.1.102:80,xxx.xx.96.7:9176,TCP (flags:S) > > > FWIN,2002/08/23,18:47:42 -4:00 > > > GMT,10.10.2.105:80,xxx.xx.96.7:13682,TCP (flags:S) > > > > Someone is scanning a victim that's in reserved address-space, > > giving your address as decoy. > > > > Ummm... I don't think so, in that case the flags would be SA not S. > These appear to be SYN packets sent from port 80 to random port numbers. > > -- > Russell Fulton, Computer and Network Security Officer > The University of Auckland, New Zealand > > "It aint necessarily so" - Gershwin > > > -------------------------------------------------------------------------- -- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Aug 28 2002 - 13:26:11 PDT