Firewall Wizards mailing list archives

Re: Port 788 (Was: hitting the "on" switch)


From: Dave Roberts <dave.roberts () saaconsultants com>
Date: Fri, 19 Sep 1997 11:58:46 +0100 (BST)

On Thu, 18 Sep 1997, Kees Hendrikse wrote:

> I'm puzzled by the following log entries from my Cisco (edited):
>
> Sep  3 21:46:13 tcp A.B.C.D(788) -> Z.Z.Z.116(2148), 1 packet
>
> In July and August only A.B.C.D was sending these packets; now I have
> two of them. Any ideas what these guys are trying to do? As far as I
> know, there are no well-known services using port 788.
> By the way, Z.Z.Z.116 has never been in active use.

Sounds more like someone is using Z.Z.Z.116 as a source address for
spoofed packets.  Some "bad person" is attacking 788 on A.B.C.D, using
an address in your space, and you're seeing the reply (SYN|ACK) from the
remote site - hence the "random" port number for your "machine".

Anyone know how to get Ciscos to log the TCP flags?  I can't get mine to
do it either.  IOS 11.1 if you please :)   Without the flags, some of
those log entries get mighty confusing.

--
Dave Roberts         For PGP Key - send mail with subject of 'get pgp':-
SAA Consultants Ltd  < 51 4B 6A 35 3F C4 B6 3D  13 88 0C B2 48 61 51 1C>
Plymouth, UK         Telephone: +44 1752 606000      Fax: +44 1752 606838
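A small triage helper for log entries like the one discussed above, added here as an example and not part of the original thread. It assumes the Cisco access-list log line shape shown in the post, takes a set of addresses that are known never to be in use, and runs over constructed sample lines using RFC 5737 documentation addresses:

```python
import re
from collections import defaultdict

# Matches the Cisco log line shape quoted in the thread, e.g.
#   "Sep  3 21:46:13 tcp A.B.C.D(788) -> Z.Z.Z.116(2148), 1 packet"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<proto>\w+) "
    r"(?P<src>\S+)\((?P<sport>\d+)\) -> (?P<dst>\S+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "count"):
        d[k] = int(d[k])
    return d

def backscatter_candidates(lines, unused_hosts, min_packets=2):
    """Group TCP entries whose destination is an address we never use.
    Key = remote (src, sport). A remote service port that keeps answering
    our dark addresses on varying ephemeral ports fits the SYN|ACK-reply
    pattern described in the thread (our address spoofed against the remote)
    better than a scan of us. Without TCP flags in the log this can only
    rank candidates, not prove them."""
    hits = defaultdict(lambda: {"dports": set(), "packets": 0, "spoofed": set()})
    for line in lines:
        e = parse_line(line)
        if e is None or e["proto"] != "tcp" or e["dst"] not in unused_hosts:
            continue
        key = (e["src"], e["sport"])
        hits[key]["dports"].add(e["dport"])
        hits[key]["packets"] += e["count"]
        hits[key]["spoofed"].add(e["dst"])
    return {k: v for k, v in hits.items() if v["packets"] >= min_packets}

# Constructed sample log (not real data); 203.0.113.116 plays the never-used host.
SAMPLE_LOG = """\
Sep  3 21:46:13 tcp 192.0.2.10(788) -> 203.0.113.116(2148), 1 packet
Sep  3 21:46:41 tcp 192.0.2.10(788) -> 203.0.113.116(2151), 1 packet
Sep  4 02:11:05 tcp 198.51.100.7(788) -> 203.0.113.116(1043), 2 packets
Sep  4 09:30:00 tcp 192.0.2.55(33211) -> 203.0.113.20(25), 1 packet
Sep  4 09:30:02 udp 192.0.2.10(53) -> 203.0.113.116(1025), 1 packet
""".splitlines()

if __name__ == "__main__":
    for (src, sport), info in backscatter_candidates(SAMPLE_LOG, {"203.0.113.116"}).items():
        print(f"{src}:{sport} -> {sorted(info['dports'])} ({info['packets']} packets)")
```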