Security Basics mailing list archives
RE: Tons of Source port 80 to random Dest Port Traffic
From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 22 May 2006 10:15:30 -0700
I see that all the time, mostly SYN-ACK packets (i.e., looks like a response from a server to a machine on my network, except where's the SYN from my net?). Possibility 1: Remote servers are under SYN-flood attack using spoofed source addresses. Since your address was spoofed, you get the attacked server's reesponse attempt(s). Possibility 2: I have occasionally seen IE appear to get fooled by this, and enter into a TCP session that it didn't really initiate. This might be an attack verctor against other IE bugs. David Gillett
-----Original Message----- From: thayden () gmail com [mailto:thayden () gmail com] On Behalf Of Tom Hayden Sent: Thursday, May 18, 2006 8:03 AM To: security-basics () securityfocus com Subject: Tons of Source port 80 to random Dest Port Traffic Attached is a quick short summary of traffic my server ( xx.xx.xx.xx ) has been bombarded with lately. It's a short dump from tethereal. I can't seem to figure it out - just tons and tons of traffic coming from a source port of 80 to seemingly random dest. ports. Can someone help me identify this? Thanks! -- Tom
Current thread:
- Tons of Source port 80 to random Dest Port Traffic Tom Hayden (May 20)
- Re: Tons of Source port 80 to random Dest Port Traffic Mathew Benwell (May 23)
- Message not available
- Re: Tons of Source port 80 to random Dest Port Traffic Tom Hayden (May 23)
- RE: Tons of Source port 80 to random Dest Port Traffic David Gillett (May 23)
- Re: Tons of Source port 80 to random Dest Port Traffic ilaiy (May 23)
- Re: Tons of Source port 80 to random Dest Port Traffic Deapesh Misra (May 29)
- <Possible follow-ups>
- Re: Tons of Source port 80 to random Dest Port Traffic tico . wu (May 23)
- Re: Re: Tons of Source port 80 to random Dest Port Traffic rcarlin (May 23)
- Re: Re: Re: Tons of Source port 80 to random Dest Port Traffic terence . cornelius (May 30)