Re: What's going on here?

From: Mark (markat_private)
Date: Wed Aug 28 2002 - 10:34:23 PDT


    Don't know if this was mentioned, haven't been following the whole thread,
    but my suggestion would be that it's someone who physically resides in your
    upstream path port scanning, using source port 80 to fool misconfigured
    non-stateful ACLs into thinking that these are replies to normal web
    traffic, but using SYN only to catch valid open TCP ports.
    
    -Mark C.
    
    ----- Original Message -----
    From: "Russell Fulton" <r.fultonat_private>
    To: "Yonatan Bokovza" <Yonatanat_private>
    Cc: "'Jackie'" <JackieJat_private>; <incidentsat_private>
    Sent: Monday, August 26, 2002 10:57 PM
    Subject: RE: What's going on here?
    
    
    > On Tue, 2002-08-27 at 03:54, Yonatan Bokovza wrote:
    > > > -----Original Message-----
    > > > From: Jackie [mailto:JackieJat_private]
    > > > Sent: Saturday, August 24, 2002 02:57
    > > > To: incidentsat_private
    > > > Subject: What's going on here?
    > > >
    > > >
    > > > ZoneAlarm reported this burst, all from port 80 on a reserved IP
    > > > block. What the honk's going on?
    > > >
    > > >
    > > > FWIN,2002/08/23,18:47:42 -4:00 GMT,10.60.1.102:80,xxx.xx.96.7:9176,TCP (flags:S)
    > > > FWIN,2002/08/23,18:47:42 -4:00 GMT,10.10.2.105:80,xxx.xx.96.7:13682,TCP (flags:S)
    > >
    > > Someone is scanning a victim that's in reserved address-space,
    > > giving your address as decoy.
    > >
    >
    > Ummm... I don't think so, in that case the flags would be SA not S.
    > These appear to be SYN packets sent from port 80 to random port numbers.
    >
    > --
    > Russell Fulton, Computer and Network Security Officer
    > The University of Auckland,  New Zealand
    >
    > "It aint necessarily so"  - Gershwin
    >
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    
    
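Added example, not from Mark's message or anyone else on the list: a small Python script that parses ZoneAlarm FWIN lines of the kind Jackie posted, labels each inbound packet by the two readings offered in the thread (a bare SYN from port 80 to a random high port fits the source-port-80 scan; an unsolicited SYN/ACK is what decoy backscatter would look like), notes RFC 1918 sources, and models the two ACL styles Mark contrasts: one that permits anything with source port 80 and one that also requires ACK or RST (the IOS "established" behaviour). The log lines are constructed: the first two copy the thread's pattern with the masked victim address replaced by 192.0.2.7, and the SYN/ACK and plain-SYN lines are added for contrast. SERVICE_PORTS and the function names are my choices, not ZoneAlarm's or any vendor's.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Ports a scanner might fix as its *source* port to slip past an ACL that only
# matches on source port (the trick Mark describes). My choice of set.
SERVICE_PORTS = {20, 53, 80, 443}

# RFC 1918 space: packets with these sources should never arrive from upstream.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log. Lines 1-2 copy the thread's FWIN pattern (flags:S from
# port 80 on 10/8) with the victim masked as 192.0.2.7; lines 3-4 are added for
# contrast: a SYN/ACK (decoy backscatter) and an ordinary SYN to our own port 80.
SAMPLE_LOG = """\
FWIN,2002/08/23,18:47:42 -4:00 GMT,10.60.1.102:80,192.0.2.7:9176,TCP (flags:S)
FWIN,2002/08/23,18:47:42 -4:00 GMT,10.10.2.105:80,192.0.2.7:13682,TCP (flags:S)
FWIN,2002/08/23,18:47:43 -4:00 GMT,198.51.100.9:80,192.0.2.7:1034,TCP (flags:SA)
FWIN,2002/08/23,18:47:44 -4:00 GMT,198.51.100.9:4455,192.0.2.7:80,TCP (flags:S)
"""

# ZoneAlarm FWIN record: FWIN,date,time zone,src:port,dst:port,TCP (flags:X)
LINE_RE = re.compile(
    r"^FWIN,(?P<date>[^,]+),(?P<time>[^,]+),"
    r"(?P<src>[\d.]+):(?P<sport>\d+),(?P<dst>[\d.]+):(?P<dport>\d+),"
    r"TCP \(flags:(?P<flags>[A-Z]+)\)$"
)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # ZoneAlarm's flag letters, e.g. "S" or "SA"

    @property
    def reserved_source(self) -> bool:
        addr = ipaddress.ip_address(self.src)
        return any(addr in net for net in RFC1918)


def parse_zonealarm(text: str) -> list:
    """Parse inbound TCP FWIN lines; anything else (UDP, FWOUT) is skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(Packet(m["src"], int(m["sport"]), m["dst"],
                               int(m["dport"]), m["flags"]))
    return pkts


def classify(p: Packet) -> str:
    """Label one inbound packet by the hypotheses raised in the thread."""
    if p.flags == "S" and p.sport in SERVICE_PORTS and p.dport >= 1024:
        # Bare SYN *from* a service port to a random high port: a scanner
        # fixing its source port to look like a server reply (Mark's reading).
        return "source-port-scan"
    if p.flags == "SA" and p.dport >= 1024:
        # SYN/ACK we never asked for: our address was used as a decoy or
        # spoofed source against someone else (Yonatan's reading predicts this).
        return "backscatter"
    if p.flags == "S":
        return "connect-attempt"
    return "other"


def summarize(text: str) -> dict:
    """Verdict counts plus the RFC 1918 sources seen, for a quick triage view."""
    pkts = parse_zonealarm(text)
    return {
        "verdicts": dict(Counter(classify(p) for p in pkts)),
        "reserved_sources": sorted({p.src for p in pkts if p.reserved_source}),
    }


# Two ways an upstream filter might try to "allow web replies" without state.
def acl_permit_by_source_port(p: Packet) -> bool:
    """Like 'permit tcp any eq 80 any': the misconfiguration Mark has in mind.
    A bare SYN passes purely because its source port is 80."""
    return p.sport == 80


def acl_permit_established(p: Packet) -> bool:
    """Like 'permit tcp any eq 80 any established': IOS's 'established' matches
    only when ACK or RST is set, so a SYN-only probe is dropped while genuine
    replies (SYN/ACK, ACK) still pass."""
    return p.sport == 80 and ("A" in p.flags or "R" in p.flags)


if __name__ == "__main__":
    for p in parse_zonealarm(SAMPLE_LOG):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}] "
              f"{classify(p):17} sport-ACL={acl_permit_by_source_port(p)} "
              f"established-ACL={acl_permit_established(p)}")
    print(summarize(SAMPLE_LOG))
```

Run it as-is to see the two 10/8 SYNs land as "source-port-scan" and pass the source-port-only ACL but not the established-style one, while the SYN/ACK line is the only one the established rule lets through. The "established" check is not real state tracking (a scanner can send ACK-only probes too), which is why a stateful filter is the actual fix; the script only shows why the bare-SYN-from-80 trick works against the weaker rule.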
    



    This archive was generated by hypermail 2b30 : Wed Aug 28 2002 - 13:26:11 PDT