Security Incidents mailing list archives

RE: UDP Port Sweep question


From: Benjamin Franz <snowhare () nihongo org>
Date: Wed, 29 Dec 2004 12:11:21 -0800 (PST)

On Wed, 29 Dec 2004, Billy Dodson wrote:

> Here is some more info regarding the port sweeps.  The port the client
> is being hit on seems to vary.  The client is being hit on the same 8
> port range from each IP, port 33434-33460.  All 3 sensors from the 3
> different clients show the same destination port range.  The sensors are
> Cisco IDS sensors and I am unsure as to how to get the actual packet
> from the event.

That port range smells like traceroutes. I've seen a lot of that kind of traffic to nameservers, mail servers and HTTP proxies. It often originates from load balancing DNS systems and other such things.

--
Benjamin Franz

"All right, where is the answer? The battle of wits has begun.
It ends when you click and we both serve pages - and find out who is right,
and who is slashdotted." - David Brandt
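
Added example, not part of the original message: a triage heuristic for the pattern discussed above, based on classic UDP traceroute behaviour (default base port 33434, one port higher per probe, probes arriving with a low remaining TTL). The event fields, sample events and the LOW_TTL threshold are assumptions made for illustration.

```python
from collections import defaultdict

TRACEROUTE_BASE = 33434      # default base port of classic UDP traceroute
TRACEROUTE_SPAN = 30 * 3     # default 30 hops x 3 probes, one port per probe
LOW_TTL = 5                  # assumed threshold: probe is close to expiry on arrival

# Constructed sample events: (source IP, destination UDP port, TTL seen at sensor)
EVENTS = [
    ("192.0.2.10", 33452, 2), ("192.0.2.10", 33453, 2), ("192.0.2.10", 33454, 2),
    ("192.0.2.10", 33455, 1), ("192.0.2.10", 33456, 1), ("192.0.2.10", 33457, 1),
    ("198.51.100.7", 53, 52), ("198.51.100.7", 161, 52),
    ("198.51.100.7", 1434, 52), ("198.51.100.7", 33434, 52),
    ("203.0.113.5", 33434, 48), ("203.0.113.5", 33440, 48), ("203.0.113.5", 33460, 48),
]

def classify(events):
    """Group UDP events by source and label each source's sweep."""
    by_src = defaultdict(list)
    for src, dport, ttl in events:
        by_src[src].append((dport, ttl))

    verdicts = {}
    for src, probes in by_src.items():
        ports = sorted({port for port, _ in probes})
        # Every destination port inside the default traceroute window?
        in_range = all(
            TRACEROUTE_BASE <= p < TRACEROUTE_BASE + TRACEROUTE_SPAN for p in ports
        )
        # Traceroute raises the port by one per probe, so ports form a run.
        consecutive = len(ports) > 1 and all(
            b - a == 1 for a, b in zip(ports, ports[1:])
        )
        # Probes that get this far were sent with a TTL near the hop count.
        low_ttl = all(ttl <= LOW_TTL for _, ttl in probes)

        if in_range and consecutive and low_ttl:
            verdicts[src] = "traceroute-like"
        elif in_range:
            verdicts[src] = "traceroute port range, needs packet review"
        else:
            verdicts[src] = "other UDP sweep"
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify(EVENTS).items():
        print(f"{src:15} {verdict}")
```

A source that lands in the middle category matches on ports alone, so the TTL and payload from the captured packet are what settle it.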

