On Fri, 2002-12-13 at 23:05, Byrne Ghavalas wrote: > Hi All, > > Has anyone else noticed a high number of hits in their security logs, > where the source port is set to tcp 80 and the destination port is some > high tcp port? I have noticed that these events seem to be getting more > numerous than the NetBios scans ;-) > > For example: > 2002-12-13 09:08:04 194.78.225.36:80 XX.XX.XX.XX:29439 > 2002-12-13 09:07:04 194.78.225.36:80 XX.XX.XX.XX:29439 > 2002-12-13 09:06:05 194.78.225.36:80 XX.XX.XX.XX:29439 I've seen this sort of thing for years and have tracked it back to content switches and load balancers the don't quite work some of the time. The sort of thing that happens is that the switch and the back end web server get out of synch some how and you get odd RST or ACK packets being sent back to the client up to 5 minutes after the actual session has finished. If you were running Argus <www.qosient.com> and thus had a complete audit trail off your traffic then you would be able to see the original out bound sessions to 194.78.225.36:80 and then the belated ACK, FIN or RST coming in with the same port numbers -- Russell Fulton, Computer and Network Security Officer The University of Auckland, New Zealand "It aint necessarily so" - Gershwin ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 18:21:14 PST