Security Incidents mailing list archives

Re: Advice sought


From: John Lampe <j_lampe () BELLSOUTH NET>
Date: Tue, 27 Feb 2001 13:55:32 -0000

> On Tue, 27 Feb 2001, John Lampe wrote:
>
> > What are the chances that several computers on a network all made
> > connections to the same external IP, using the same src port?
>
> High, if the protocol is DNS. Many will use 53 as a source, and
> they will all want to go talk to the root servers.  However...

Yep, but the observed dropped packets were HTTP FIN/ACK packets destined for
multiple internal hosts on port 3967.  I would think that either
1) the firewall is screwing up and PAT'ing outbound web requests to the same
src port (3967 in this instance)
2) the FIN/ACK packets were never a part of a legitimate connection and the
tool used to scan is too stupid to randomize its dst port
3) for whatever reason, the internal computers all seem to be using the same
src port (doubtful), and the firewall is either not PAT'ing, or some 1-1
mapping relationship exists between the true internal src port, and the
translated port.

At any rate, all the dropped packets seem to be coming from the same
Internet host.  So I'd lean toward number 2 above...but I'm paranoid :-)


John Lampe
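The three hypotheses in the post differ in one observable way: under 1) and 3) the firewall would have seen an outbound SYN from the internal host on that port before the FIN/ACK arrived, while under 2) the FIN/ACKs belong to no connection at all. The script below is an added example (not the poster's code or data) that makes that check over a constructed firewall-log excerpt: it records every outbound SYN 4-tuple, then counts, per external source, how many dropped inbound FIN/ACKs have no matching SYN and how many distinct internal hosts they hit on how many distinct ports. The log line format and the `10.0.0.` internal prefix are assumptions for the example.

```python
from collections import defaultdict
from typing import NamedTuple

# Constructed firewall-log excerpt for the example (not the list poster's data).
# Format assumed here: "<flags> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
SYN 10.0.0.5:3967 -> 203.0.113.10:80 allow
SYN 10.0.0.5:40001 -> 198.51.100.9:80 allow
FIN/ACK 198.51.100.9:80 -> 10.0.0.5:40001 drop
FIN/ACK 203.0.113.10:80 -> 10.0.0.5:3967 drop
FIN/ACK 203.0.113.10:80 -> 10.0.0.6:3967 drop
FIN/ACK 203.0.113.10:80 -> 10.0.0.7:3967 drop
FIN/ACK 203.0.113.10:80 -> 10.0.0.8:3967 drop
""".splitlines()

INTERNAL_PREFIX = "10.0.0."  # assumption: the protected network behind the firewall


class Packet(NamedTuple):
    flags: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    action: str


def parse_line(line: str) -> Packet:
    """Parse one log line in the assumed format into a Packet."""
    flags, src, arrow, dst, action = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected log line: {line!r}")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Packet(flags, src_ip, int(src_port), dst_ip, int(dst_port), action)


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def summarize(lines):
    """Per external source IP: dropped inbound FIN/ACKs, how many of them have no
    outbound SYN on the matching 4-tuple, and the spread of internal hosts/ports hit."""
    packets = [parse_line(l) for l in lines if l.strip()]
    # (internal ip, internal port, external ip, external port) for every outbound SYN seen
    seen_syn = {
        (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        for p in packets
        if p.flags == "SYN" and is_internal(p.src_ip)
    }
    acc = defaultdict(lambda: {"dropped": 0, "orphan": 0,
                               "hosts": set(), "ports": set()})
    for p in packets:
        if p.action != "drop" or p.flags != "FIN/ACK" or not is_internal(p.dst_ip):
            continue
        s = acc[p.src_ip]
        s["dropped"] += 1
        s["hosts"].add(p.dst_ip)
        s["ports"].add(p.dst_port)
        # A FIN/ACK with no prior SYN on the reversed 4-tuple never belonged to a connection.
        if (p.dst_ip, p.dst_port, p.src_ip, p.src_port) not in seen_syn:
            s["orphan"] += 1
    return {
        ip: {"dropped_finack": s["dropped"],
             "orphan_finack": s["orphan"],
             "internal_hosts": len(s["hosts"]),
             "internal_ports": len(s["ports"])}
        for ip, s in acc.items()
    }


def likely_fixed_port_scan(summary, min_hosts=3):
    """External sources whose dropped FIN/ACKs lack a prior SYN and land on
    several internal hosts at one fixed port: the post's hypothesis 2."""
    return sorted(
        ip for ip, s in summary.items()
        if s["orphan_finack"] >= min_hosts
        and s["internal_hosts"] >= min_hosts
        and s["internal_ports"] == 1
    )


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, s in report.items():
        print(ip, s)
    print("fixed-port scan candidates:", likely_fixed_port_scan(report))
```

On the constructed log, 203.0.113.10 has four dropped FIN/ACKs to four internal hosts on port 3967, three of which have no outbound SYN anywhere in the log, so it is reported as a fixed-port scan candidate; 198.51.100.9's single dropped FIN/ACK follows a real outbound SYN and looks like a state-table timeout rather than a probe. A firewall that PATs outbound requests to one port (hypothesis 1) would instead show a SYN for every one of those 4-tuples.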

