Security Incidents mailing list archives

Re: Strange traffic


From: "Todd Ransom" <transom () extremelogic com>
Date: Thu, 6 Sep 2001 09:49:40 -0400



Over the past 2 weeks we've started to receive some pretty
strange traffic which has been stopped at our border. The
$TARGET host in each case is the same.

Q. Has anyone seen anything like this? Any thoughts??

Aug 22 16:42:04 8/0/icmp $TARGET <- 204.71.128.148 98
Aug 22 16:42:06 8/0/icmp $TARGET <- 204.71.128.148 98
Aug 22 16:42:15 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn
Aug 22 16:42:20 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn
Aug 22 16:42:25 tcp $TARGET;53 <- 204.71.128.148;1024 54 syn
Aug 22 16:42:30 tcp $TARGET;123 <- 204.71.128.148;1024 54 syn
Aug 22 16:42:35 tcp $TARGET;113 <- 204.71.128.148;1024 54 syn

What is $target?  A firewall or web proxy?  This looks suspiciously like the
RTT measuring traffic I was getting from an http load balancing device (F5
BigIP in my case).

hth,
TR


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

