Security Incidents mailing list archives
Re: What's going on here?
From: "Mark" <mark () uniontown com>
Date: Wed, 28 Aug 2002 13:34:23 -0400
Don't know if this was mentioned, haven't been following the whole thread, but my suggestion would be that it's someone who physically resides in your upstream path portscanning, using source port 80 to fool misconfigured non-stateful ACLs into thinking that these are replies to normal web traffic, but using SYN only to catch valid open TCP ports.

-Mark C.

----- Original Message -----
From: "Russell Fulton" <r.fulton () auckland ac nz>
To: "Yonatan Bokovza" <Yonatan () xpert com>
Cc: "'Jackie'" <JackieJ () Syllables com>; <incidents () securityfocus com>
Sent: Monday, August 26, 2002 10:57 PM
Subject: RE: What's going on here?

On Tue, 2002-08-27 at 03:54, Yonatan Bokovza wrote:
> > -----Original Message-----
> > From: Jackie [mailto:JackieJ () Syllables com]
> > Sent: Saturday, August 24, 2002 02:57
> > To: incidents () securityfocus com
> > Subject: What's going on here?
> >
> > ZoneAlarm reported this burst, all from port 80 on a reserved IP block.
> > What the honk's going on?
> >
> > FWIN,2002/08/23,18:47:42 -4:00 GMT,10.60.1.102:80,xxx.xx.96.7:9176,TCP (flags:S)
> > FWIN,2002/08/23,18:47:42 -4:00 GMT,10.10.2.105:80,xxx.xx.96.7:13682,TCP (flags:S)
>
> Someone is scanning a victim that's in reserved address-space, giving your address as decoy.

Ummm... I don't think so, in that case the flags would be SA not S. These appear to be SYN packets sent from port 80 to random port numbers.

--
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

"It aint necessarily so" - Gershwin

--------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
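Added example, not part of any poster's message: the thread's two points (a source-port-only ACL admits bare SYNs, and a decoy reply would show SA rather than S) checked against constructed log lines in the ZoneAlarm format quoted above. The function names, the documentation addresses and the reading of the `flags:` field as one letter per TCP flag are assumptions.

```python
import ipaddress
import re

# Constructed sample in the ZoneAlarm format quoted in the thread. 192.0.2.7 and
# 198.51.100.20 are documentation addresses standing in for real hosts.
SAMPLE_LOG = """\
FWIN,2002/08/23,18:47:42 -4:00 GMT,10.60.1.102:80,192.0.2.7:9176,TCP (flags:S)
FWIN,2002/08/23,18:47:42 -4:00 GMT,10.10.2.105:80,192.0.2.7:13682,TCP (flags:S)
FWIN,2002/08/23,18:47:43 -4:00 GMT,198.51.100.20:80,192.0.2.7:3345,TCP (flags:SA)
FWIN,2002/08/23,18:47:44 -4:00 GMT,198.51.100.20:80,192.0.2.7:3345,TCP (flags:A)
"""
LINE_RE = re.compile(
    r"^FWIN,[^,]+,[^,]+,([\d.]+):(\d+),([\d.]+):(\d+),TCP \(flags:([A-Z]+)\)$")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(log):
    """Return one dict per inbound TCP log line; unparseable lines are skipped."""
    pkts = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            src, sport, dst, dport, flags = m.groups()
            pkts.append({"src": src, "sport": int(sport), "dst": dst,
                         "dport": int(dport), "flags": frozenset(flags)})
    return pkts

def stateless_permits(pkt):
    """Misconfigured rule: anything from source port 80 is assumed to be a web reply."""
    return pkt["sport"] == 80

def flag_aware_permits(pkt):
    """Same rule, but a genuine reply segment must carry ACK or RST."""
    return pkt["sport"] == 80 and bool(pkt["flags"] & {"A", "R"})

def classify(pkt):
    """Label an inbound packet that matches no outbound connection of ours."""
    private = any(ipaddress.ip_address(pkt["src"]) in n for n in RFC1918)
    if pkt["flags"] == {"S"}:
        kind = "bare SYN: connection attempt, not a reply"
    elif pkt["flags"] == {"S", "A"}:
        kind = "SYN-ACK: reply to a SYN sent (or spoofed) with this address"
    else:
        kind = "other"
    return kind, private  # private=True: RFC 1918 source, should not cross the Internet

if __name__ == "__main__":
    for p in parse(SAMPLE_LOG):
        print(p["src"], "".join(sorted(p["flags"])), stateless_permits(p),
              flag_aware_permits(p), classify(p))
```

A flag check still admits a forged ACK or RST segment; only connection-state tracking ties an inbound packet to a connection the host actually opened.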