Firewall Wizards mailing list archives
Re: Port 788 (Was: hitting the "on" switch)
From: Dave Roberts <dave.roberts () saaconsultants com>
Date: Fri, 19 Sep 1997 11:58:46 +0100 (BST)
On Thu, 18 Sep 1997, Kees Hendrikse wrote:
> I'm puzzled by the following log entries from my Cisco (edited):
>
> Sep 3 21:46:13 tcp A.B.C.D(788) -> Z.Z.Z.116(2148), 1 packet
>
> In July and August only A.B.C.D was sending these packets; now I have two of them. Any ideas what these guys are trying to do? As far as I know, there are no well-known services using port 788. By the way, Z.Z.Z.116 has never been in active use.
Sounds more like someone is using Z.Z.Z.116 as a source address for spoofed packets. Some "bad person" is attacking 788 on A.B.C.D, using an address in your space, and you're seeing the reply (SYN|ACK) from the remote site - hence the "random" port number for your "machine".

Anyone know how to get CISCO's to log the TCP flags? I can't get mine to do it either. IOS 11.1 if you please :) Without the flags, some of those log entries get mighty confusing.

--
Dave Roberts
SAA Consultants Ltd
Plymouth, UK
For PGP Key - send mail with subject of 'get pgp':-
< 51 4B 6A 35 3F C4 B6 3D 13 88 0C B2 48 61 51 1C>
Telephone: +44 1752 606000 Fax: +44 1752 606838
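The pattern discussed in this message (replies from a fixed low port arriving at an address that is never used) can be picked out of logs in the quoted format. This is an added example, not part of the original post; the addresses are constructed documentation ranges, and `likely_backscatter` and the 1024 port threshold are assumptions.

```python
import re
from collections import defaultdict

# Format of the edited log line quoted in the thread:
#   Sep 3 21:46:13 tcp A.B.C.D(788) -> Z.Z.Z.116(2148), 1 packet
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)\s+->\s+"
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\),\s+(?P<count>\d+)\s+packets?$"
)

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    for key in ("sport", "dport", "count"):
        entry[key] = int(entry[key])
    return entry

def likely_backscatter(lines, unused_addrs, ephemeral_floor=1024):
    """Group TCP entries that look like replies to spoofed packets:
    destination is an address never in use, source port is low and fixed,
    destination port is high. Without TCP flags this is a hint, not proof."""
    hits = defaultdict(lambda: {"packets": 0, "dports": set()})
    for line in lines:
        e = parse(line)
        if not e or e["proto"] != "tcp":
            continue
        if (e["dst"] in unused_addrs and e["sport"] < ephemeral_floor
                and e["dport"] >= ephemeral_floor):
            hit = hits[(e["src"], e["sport"], e["dst"])]
            hit["packets"] += e["count"]
            hit["dports"].add(e["dport"])
    return dict(hits)

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE = [
    "Sep  3 21:46:13 tcp 192.0.2.10(788) -> 203.0.113.116(2148), 1 packet",
    "Sep  3 21:52:40 tcp 192.0.2.10(788) -> 203.0.113.116(2391), 1 packet",
    "Sep  4 02:10:05 tcp 198.51.100.7(788) -> 203.0.113.116(3077), 2 packets",
    "Sep  4 02:11:00 tcp 198.51.100.7(1045) -> 203.0.113.20(25), 1 packet",
    "Sep  4 02:12:00 udp 192.0.2.10(788) -> 203.0.113.116(2148), 1 packet",
]

if __name__ == "__main__":
    for key, hit in likely_backscatter(SAMPLE, {"203.0.113.116"}).items():
        print(key, hit["packets"], sorted(hit["dports"]))
```

Varying destination ports from the same source port fit the spoofed-source explanation; confirming it still needs the TCP flags the poster asks about.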