Security Incidents mailing list archives
RE: Localhost packets on WAN
From: Frank Knobbe <frank () knobbe us>
Date: Thu, 30 Sep 2004 16:39:30 -0500
On Thu, 2004-09-30 at 10:00, NESTING, DAVID M (SBCSI) wrote:
Frequently, when the source port is 80 and the destination port is "ephemeral", I find problems like this are usually caused by buggy or misconfigured load balancers in front of a web site. Some load balancers get your packet to the physical server by doing tricks with the network stack.
Good thought, could be. But this is easy to test. Just run tcpdump and sniff for those source IP and ephemeral ports (guess a range in advance if all is NATed to one IP). If you do see those leaving your network to some web site, then your theory applies. But if you don't see any such packets originating from your network, then these incoming packets are responses to spoofed packets. "Hanson's Blaster Theorem" applies :)

(Of course it could be just someone sending crafted packets your way to keep you busy chasing a ghost.... make sure you don't have a security assessment or penetration test scheduled on your premises when those Internet flukes appear :)

Cheers,
Frank
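The test described in the message above, as an added example that is not part of the original post: it reads `tcpdump -nn -tt` text output and, for each inbound packet from a loopback source on port 80, checks whether the same WAN IP and ephemeral port sent anything to a web server shortly before. The modern tcpdump line format, the 120-second window, the function name and the sample addresses (documentation ranges) are assumptions.

```python
import re

# Assumed input: text lines from something like
#   tcpdump -nn -tt -i <wan-if> 'tcp and (dst port 80 or src net 127.0.0.0/8)'
# Line shape: "<epoch> IP <src>.<sport> > <dst>.<dport>: ..."
LINE = re.compile(
    r"^(\d+\.\d+) IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):"
)

def classify(lines, wan_ip, window=120.0):
    """Return one (port, verdict, server) tuple per inbound loopback:80 packet.

    verdict is "reply to our traffic" when wan_ip:port sent a packet to some
    port-80 server within `window` seconds before it (load balancer theory),
    otherwise "no matching outbound" (response to a spoofed packet).
    """
    outbound = {}  # ephemeral source port -> (timestamp, web server) last seen
    verdicts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip non-TCP/UDP or truncated lines
        ts, src, sport = float(m[1]), m[2], int(m[3])
        dst, dport = m[4], int(m[5])
        if src == wan_ip and dport == 80:
            outbound[sport] = (ts, dst)
        elif src.startswith("127.") and sport == 80 and dst == wan_ip:
            seen = outbound.get(dport)
            if seen and 0 <= ts - seen[0] <= window:
                verdicts.append((dport, "reply to our traffic", seen[1]))
            else:
                verdicts.append((dport, "no matching outbound", None))
    return verdicts

# Constructed capture: 192.0.2.10 stands in for the single NAT address.
SAMPLE = [
    "1096580370.100000 IP 192.0.2.10.34567 > 198.51.100.5.80: Flags [S], seq 1, win 5840, length 0",
    "1096580370.180000 IP 127.0.0.1.80 > 192.0.2.10.34567: Flags [R.], seq 0, ack 2, win 0, length 0",
    "1096580395.000000 IP 127.0.0.1.80 > 192.0.2.10.1027: Flags [R.], seq 0, ack 1, win 0, length 0",
]

if __name__ == "__main__":
    for port, verdict, server in classify(SAMPLE, "192.0.2.10"):
        print(port, verdict, server or "")
```

A matched port also names the web server that was contacted, which is the site whose load balancer would be worth a closer look.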