Security Incidents mailing list archives
Re: Advice sought
From: John Lampe <j_lampe () BELLSOUTH NET>
Date: Tue, 27 Feb 2001 13:55:32 -0000

> On Tue, 27 Feb 2001, John Lampe wrote:
>> What are the chances that several computers on a network all made connections to the same external IP, using the same src port?
>
> High, if the protocol is DNS. Many will use 53 as a source, and they will all want to go talk to the root servers. However...

Yep, but the observed dropped packets were HTTP FIN/ACK packets destined for multiple internal hosts on port 3967. I would think that either

1) the firewall is screwing up and PAT'ing outbound web requests to the same src port (3967 in this instance)
2) the FIN/ACK packets were never a part of a legitimate connection and the tool used to scan is too stupid to randomize its dst port
3) for whatever reason, the internal computers all seem to be using the same src port (doubtful), and the firewall is either not PAT'ing, or some 1-1 mapping relationship exists between the true internal src port, and the translated port.

At any rate, all the dropped packets seem to be coming from the same Internet host. So I'd lean toward number 2 above...but I'm paranoid :-)

John Lampe
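
Added example, not part of the original message: one way to test the three explanations above is to check each dropped FIN/ACK against the outbound flows the firewall actually allowed. The log layouts, field order, function name and sample addresses are assumptions constructed for illustration, and the drop log is assumed to show the internal (post-translation) destination.

```python
from collections import defaultdict

# Constructed sample data (documentation/private addresses), not from the post.
# Outbound flows the firewall allowed: (internal_ip, src_port, external_ip, dst_port)
OUTBOUND = [
    ("10.0.0.5", 3967, "198.51.100.7", 80),
    ("10.0.0.6", 1042, "198.51.100.7", 80),
]
# Dropped inbound packets: (external_ip, src_port, internal_ip, dst_port, tcp_flags)
DROPS = [
    ("203.0.113.9", 80, "10.0.0.5", 3967, "FA"),
    ("203.0.113.9", 80, "10.0.0.6", 3967, "FA"),
    ("203.0.113.9", 80, "10.0.0.7", 3967, "FA"),
    ("198.51.100.7", 80, "10.0.0.5", 3967, "FA"),
]

def triage(drops, outbound):
    """Group dropped FIN/ACKs by external source and match them to known flows."""
    flows = set(outbound)
    stats = defaultdict(lambda: {"targets": set(), "ports": set(), "matched": 0, "total": 0})
    for ext_ip, sport, int_ip, dport, flags in drops:
        if flags != "FA":
            continue
        s = stats[ext_ip]
        s["targets"].add(int_ip)
        s["ports"].add(dport)
        s["total"] += 1
        # A late but legitimate FIN/ACK is the reverse of a flow that was allowed out.
        if (int_ip, dport, ext_ip, sport) in flows:
            s["matched"] += 1
    report = {}
    for ext_ip, s in stats.items():
        if s["matched"] == s["total"]:
            verdict = "stale-connection"        # connection state expired before the FIN/ACK
        elif s["matched"] == 0 and len(s["targets"]) > 1 and len(s["ports"]) == 1:
            verdict = "unsolicited-fixed-port"  # no prior flow, many hosts, one dst port
        else:
            verdict = "mixed"                   # needs manual review
        report[ext_ip] = (verdict, len(s["targets"]), sorted(s["ports"]))
    return report

if __name__ == "__main__":
    for host, result in triage(DROPS, OUTBOUND).items():
        print(host, result)
```

A source whose packets all reverse an allowed flow points at expired connection state or port translation behaviour; a source with no matching flows that hits several hosts on one fixed port fits the second explanation.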