Security Incidents mailing list archives

RE: Reverse http traffic


From: "NESTING, DAVID M (SBCSI)" <dn3723 () sbc com>
Date: Mon, 5 Jan 2004 11:50:11 -0600

> I checked the firewall logs and saw quite a few attempts from a Google
> IP address (whois-ed, but I'm not ignoring that it was possibly spoofed)
> that was sending IN traffic with a source port of 80 and a destination
> port in the temporary range (33xx) - eh???

How are you determining that this is traffic initiated by the Google IP
address?  Could this be inbound, but RETURN traffic from a standard HTTP
request initiated by one of your clients?

It's possible firewall rules are set too strictly for that client's IP
address (perhaps the firewall IP address ranges do not match DHCP address
ranges), allowing outbound TCP packets but blocking (and logging) the
responses.

Just a thought.  Good luck.

David
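
The check suggested in the reply above, as an added example that is not part of the original message: pair each denied inbound packet with an earlier allowed outbound packet on the reversed address/port tuple. The log format, the addresses and the 120-second window are constructed assumptions, not any real firewall's syntax.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in a made-up log format (not any real firewall's syntax).
SAMPLE_LOG = """\
2004-01-05T10:00:01 ALLOW OUT TCP 10.1.2.50:3301 -> 192.0.2.80:80 flags=S
2004-01-05T10:00:01 DENY IN TCP 192.0.2.80:80 -> 10.1.2.50:3301 flags=SA
2004-01-05T10:00:04 DENY IN TCP 192.0.2.80:80 -> 10.1.2.50:3301 flags=SA
2004-01-05T10:05:00 DENY IN TCP 198.51.100.7:80 -> 10.1.2.60:3344 flags=S
2004-01-05T10:06:00 DENY IN TCP 198.51.100.9:80 -> 10.1.2.61:3350 flags=SA
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<dir>IN|OUT) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) flags=(?P<flags>\w+)"
)
WINDOW = timedelta(seconds=120)  # assumed: how long after a request a reply may arrive

def classify_denied_inbound(log_text, window=WINDOW):
    """Label each denied inbound packet by whether a logged client request explains it."""
    outbound = {}   # (client, cport, server, sport) -> time of last allowed outbound packet
    verdicts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the constructed format
        ts = datetime.fromisoformat(m["ts"])
        src, dst = (m["src"], int(m["sport"])), (m["dst"], int(m["dport"]))
        if m["dir"] == "OUT" and m["action"] == "ALLOW":
            outbound[src + dst] = ts
        elif m["dir"] == "IN" and m["action"] == "DENY":
            seen = outbound.get(dst + src)  # same flow, reversed 4-tuple
            if seen is not None and ts - seen <= window:
                verdict = "return-traffic"      # reply to a request a client sent
            elif m["flags"] == "S":
                verdict = "inbound-initiated"   # bare SYN: the remote side is opening
            else:
                verdict = "unmatched-reply"     # reply-like flags, no logged request
            verdicts.append((m["src"], int(m["dport"]), verdict))
    return verdicts

if __name__ == "__main__":
    for verdict in classify_denied_inbound(SAMPLE_LOG):
        print(verdict)
```

Entries labelled return-traffic point at a rule set that lets the client's request out but drops the response, the situation described above.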
