Security Incidents mailing list archives
RE: Reverse http traffic
From: "NESTING, DAVID M (SBCSI)" <dn3723 () sbc com>
Date: Mon, 5 Jan 2004 11:50:11 -0600
I checked the firewall logs and saw quite a few attempts from a Google IP address (whois-ed, but I'm not ignoring that it was possibly spoofed) that was sending IN traffic with a source port of 80 and a destination port in the temporary range (33xx) - eh???
How are you determining that this is traffic initiated by the Google IP address? Could this be inbound, but RETURN traffic from a standard HTTP request initiated by one of your clients? It's possible firewall rules are set too strictly for that client's IP address (perhaps the firewall IP address ranges do not match DHCP address ranges), allowing outbound TCP packets but blocking (and logging) the responses.

Just a thought. Good luck.

David
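The check suggested in the reply above, as an added example that is not part of the original message: correlate each denied inbound packet from source port 80 with earlier allowed outbound connections, and use the TCP flags to separate replies from new connection attempts. The log format, addresses, and the `classify_denied_inbound` function are assumptions constructed for illustration, not any real firewall's syntax.

```python
import re

# Constructed sample log in a made-up format (not any real firewall's syntax):
# time action direction src_ip:src_port -> dst_ip:dst_port tcp_flags
SAMPLE_LOG = """\
11:40:01 ALLOW OUT 10.0.5.20:3312 -> 192.0.2.80:80 S
11:40:01 DENY IN 192.0.2.80:80 -> 10.0.5.20:3312 SA
11:40:04 DENY IN 192.0.2.80:80 -> 10.0.5.20:3312 SA
11:41:10 DENY IN 198.51.100.7:80 -> 10.0.5.21:3340 S
11:42:30 DENY IN 198.51.100.9:80 -> 10.0.5.22:3377 RA
"""

LINE_RE = re.compile(
    r"(?P<time>\S+) (?P<action>ALLOW|DENY) (?P<dir>IN|OUT) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<flags>[A-Z]+)$"
)

def classify_denied_inbound(log_text, server_port=80):
    """Label each denied inbound packet whose source port is server_port."""
    outbound_flows = set()  # (client_ip, client_port, server_ip, server_port)
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        src, sport = m["src"], int(m["sport"])
        dst, dport = m["dst"], int(m["dport"])
        if m["dir"] == "OUT" and m["action"] == "ALLOW":
            outbound_flows.add((src, sport, dst, dport))
        elif m["dir"] == "IN" and m["action"] == "DENY" and sport == server_port:
            if (dst, dport, src, sport) in outbound_flows:
                # Reverse of a flow a client opened: the response is being blocked.
                label = "reply-to-logged-request"
            elif m["flags"] == "S":
                # Bare SYN: the remote side really is opening a connection.
                label = "new-connection-attempt"
            else:
                # ACK/RST-type packet with no outbound flow in this log.
                label = "reply-without-logged-request"
            results.append((m["time"], src, label))
    return results

if __name__ == "__main__":
    for row in classify_denied_inbound(SAMPLE_LOG):
        print(*row)
```

A packet labelled `reply-to-logged-request` points at a rule mismatch for that client's address rather than at traffic initiated from outside.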