Security Incidents mailing list archives

Traffic from microsoft.com ?


From: Peter Bates <Peter.Bates () lshtm ac uk>
Date: Sun, 01 Jul 2001 14:01:22 +0100


Hello all...

I'd just be curious if anyone else saw a similar sort of
behaviour recently...

I was dealing with an unrelated problem at the time,
and happened to observe our firewall logs during this period...

From 02:17 (GMT) to 02:26, our firewall logged 399
examples of traffic from 'microsoft.com' (the log had DNS lookup
applied, but I can see from the raw logs that these were various
machines, mostly 207.46.x.x) to most of our hosts here.

The traffic always has a source port of 80, and dst port
around the 1024-1200 range, pretty symptomatic of normal
web-browsing...

What was odd, of course, is the timing (hardly anyone would have been
here) and the inclusion of machines that I pretty much know were either
a) turned off b) non-Windows servers ...

Was this just the sign of a big spoofed scan, but if so, how come I can't see
any indication of an IP address that doesn't resolve to microsoft.com?

...


-------------------------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-927 2124 / Fax: 0207-436 5389 / Pager: 07625 255362
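
An added example, not part of the original post: one way to check whether inbound packets with source port 80, like those described above, answer a connection that an inside host actually opened. The log format, field order and addresses are constructed for illustration, and the log is assumed to be in time order.

```python
from collections import Counter

# Constructed sample log (hypothetical format, documentation addresses):
# time  direction  src_ip:src_port  dst_ip:dst_port
SAMPLE_LOG = """\
02:16:40 OUT 192.0.2.10:1045 203.0.113.5:80
02:17:01 IN 203.0.113.5:80 192.0.2.10:1045
02:17:02 IN 203.0.113.7:80 192.0.2.11:1060
02:17:03 IN 203.0.113.8:80 192.0.2.12:1101
02:17:05 IN 203.0.113.7:80 192.0.2.13:1187
"""

def parse(line):
    """Split one log line into (time, direction, src_ip, src_port, dst_ip, dst_port)."""
    ts, direction, src, dst = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return ts, direction, s_ip, int(s_port), d_ip, int(d_port)

def triage(log_text, service_port=80):
    """Return inbound packets from service_port that match no earlier outbound flow."""
    outbound = set()   # (inside_ip, inside_port, outside_ip) seen leaving the site
    unsolicited = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, direction, s_ip, s_port, d_ip, d_port = parse(line)
        if direction == "OUT" and d_port == service_port:
            outbound.add((s_ip, s_port, d_ip))
        elif direction == "IN" and s_port == service_port:
            # A genuine reply mirrors an outbound flow's addresses and ports.
            if (d_ip, d_port, s_ip) not in outbound:
                unsolicited.append((ts, s_ip, d_ip, d_port))
    return unsolicited

def summarize(unsolicited):
    """Count unmatched packets, distinct inside hosts hit, and packets per source."""
    return {
        "packets": len(unsolicited),
        "inside_hosts": len({u[2] for u in unsolicited}),
        "by_source": Counter(u[1] for u in unsolicited),
    }

if __name__ == "__main__":
    print(summarize(triage(SAMPLE_LOG)))
```

Inbound packets that match no outbound flow and are spread across many inside hosts, including ones known to be powered off, were not requested by local browsing.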


