Snort mailing list archives
Re: Help! Very wierd traffic.
From: Yonah Russ <yonah () jct ac il>
Date: 20 Feb 2003 08:36:21 +0200
Thanks for the suggestions so far. I was trying to figure it out in the meantime and I came across the Radware Linkproof device. It's some sort of load balancing device which will balance load across a multihomed network. See: http://www.sans.org/y2k/031401.htm specifically the following quote (so Google will show this answer for the next guy):
(John Benninghoff)
SANS/GIAC: Recently, I was contacted by a sysadmin who was investigating the "37852 UDP portscan." He forwarded me an explanation from the owner of the IP address that sent the UDP 37852 packets:
This IP address corresponds to our Load Balancing/Fault Tolerance equipment: Radware Linkproof. It is not at all a scan or whatever. The Linkproof is the only other alternative (of BGP4 and Autonomous System) when you have multi-homing of Internet accesses. The Linkproof tries to calculate the best route (in terms of load and response time) to a target server. To do that the Linkproof sends a SYN or ICMP or a UDP packet in all Internet links to the same target and direct the next steps of the connection to the link that is the best route considered by its algorithm. Of course it has a table of targets so that it does not do this process for all outbound requests and refreshes its tables regularly. So you should not at all consider this as a scan, an attack or whatever.
This corresponds well to the data I have. A typical "scan" includes a UDP packet followed by an ICMP echo request, then TCP ACK, TCP SYN, TCP RST, normally directed at our name server:
sorry to bother you guys. thanks again. yonah
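The triage described in this message, as an added example that is not part of the original post: it separates the five-packet burst reported above (UDP, ICMP echo request, TCP ACK, TCP SYN, TCP RST to one host) from a sweep across many ports. The addresses, TCP port, time window and sweep threshold are constructed assumptions.

```python
from collections import defaultdict

# Packet order the message reports for one burst.
PATTERN = ["udp", "icmp-echo", "tcp-ack", "tcp-syn", "tcp-rst"]
WINDOW_S = 2.0     # assumed: longest time one burst may span
SWEEP_PORTS = 10   # assumed: distinct ports that indicate a sweep

# Constructed sample events: (time_s, src, dst, kind, dst_port or None)
EVENTS = [
    (0.00, "192.0.2.10", "198.51.100.53", "udp", 37852),
    (0.05, "192.0.2.10", "198.51.100.53", "icmp-echo", None),
    (0.10, "192.0.2.10", "198.51.100.53", "tcp-ack", 53),
    (0.15, "192.0.2.10", "198.51.100.53", "tcp-syn", 53),
    (0.20, "192.0.2.10", "198.51.100.53", "tcp-rst", 53),
] + [(10 + i * 0.01, "203.0.113.7", "198.51.100.53", "udp", 1000 + i) for i in range(20)]

def has_burst(seq):
    """True if PATTERN occurs as a consecutive run lasting at most WINDOW_S."""
    n = len(PATTERN)
    for i in range(len(seq) - n + 1):
        run = seq[i:i + n]
        if [k for _, k, _ in run] == PATTERN and run[-1][0] - run[0][0] <= WINDOW_S:
            return True
    return False

def classify(events):
    """Label each (src, dst) pair as 'sweep', 'probe-burst' or 'other'."""
    flows = defaultdict(list)
    for t, src, dst, kind, port in events:
        flows[(src, dst)].append((t, kind, port))
    verdicts = {}
    for pair, seq in flows.items():
        seq.sort(key=lambda e: e[0])  # order by timestamp only
        ports = {p for _, _, p in seq if p is not None}
        if len(ports) >= SWEEP_PORTS:   # many ports wins over any pattern match
            verdicts[pair] = "sweep"
        elif has_burst(seq):
            verdicts[pair] = "probe-burst"
        else:
            verdicts[pair] = "other"
    return verdicts

if __name__ == "__main__":
    for pair, verdict in classify(EVENTS).items():
        print(pair, verdict)
```

A "probe-burst" verdict only says the traffic has the shape described here; it does not identify the sending device, which in the quoted SANS note was confirmed by the owner of the source address.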