Security Incidents mailing list archives
Re: Strange traffic
From: "Todd Ransom" <transom () extremelogic com>
Date: Thu, 6 Sep 2001 09:49:40 -0400
Over the past 2 weeks we've started to receive some pretty strange traffic which has been stopped at our border. The $TARGET host in each case is the same. Q. Has anyone seen anything like this? Any thoughts??
Aug 22 16:42:04 8/0/icmp $TARGET <- 204.71.128.148 98
Aug 22 16:42:06 8/0/icmp $TARGET <- 204.71.128.148 98
Aug 22 16:42:15 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn
Aug 22 16:42:20 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn
Aug 22 16:42:25 tcp $TARGET;53 <- 204.71.128.148;1024 54 syn
Aug 22 16:42:30 tcp $TARGET;123 <- 204.71.128.148;1024 54 syn
Aug 22 16:42:35 tcp $TARGET;113 <- 204.71.128.148;1024 54 syn
What is $target? A firewall or web proxy? This looks suspiciously like the RTT measuring traffic I was getting from an http load balancing device (F5 BigIP in my case).
hth,
TR
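An added example, not part of the original thread: a parser for the border-log lines quoted above that groups events by source and reports the traits visible in them (ICMP first, then single SYNs to several ports from one source port at a steady interval). The field layout is inferred from the seven quoted lines, and the year and the 1-second cadence tolerance are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

YEAR = 2001  # assumption: the log lines carry no year; taken from the post's date
# Constructed sample: the seven lines quoted in the post, one per line.
SAMPLE = """\
Aug 22 16:42:04 8/0/icmp $TARGET <- 204.71.128.148 98
Aug 22 16:42:06 8/0/icmp $TARGET <- 204.71.128.148 98
Aug 22 16:42:15 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn
Aug 22 16:42:20 tcp $TARGET;22 <- 204.71.128.148;1024 54 syn
Aug 22 16:42:25 tcp $TARGET;53 <- 204.71.128.148;1024 54 syn
Aug 22 16:42:30 tcp $TARGET;123 <- 204.71.128.148;1024 54 syn
Aug 22 16:42:35 tcp $TARGET;113 <- 204.71.128.148;1024 54 syn
"""
LINE = re.compile(  # layout inferred from the sample, not from any vendor spec
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<proto>\S+) (?P<dst>[^; ]+)(?:;(?P<dport>\d+))?"
    r" <- (?P<src>[^; ]+)(?:;(?P<sport>\d+))? (?P<len>\d+)(?: (?P<flags>\S+))?$"
)

def parse(text):
    """Yield one dict per line that matches the inferred layout; skip the rest."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(f"{YEAR} {ev['ts']}", "%Y %b %d %H:%M:%S")
            yield ev

def summarize(text):
    """Per source: ICMP-before-SYN, ports probed, source ports used, SYN spacing."""
    by_src = defaultdict(list)
    for ev in parse(text):
        by_src[ev["src"]].append(ev)
    out = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        syns = [e for e in evs if e["proto"] == "tcp" and e["flags"] == "syn"]
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(syns, syns[1:])]
        out[src] = {
            "icmp_first": evs[0]["proto"].endswith("icmp") and bool(syns),
            "dports": sorted({int(e["dport"]) for e in syns}),
            "sports": sorted({int(e["sport"]) for e in syns}),
            "syn_gaps": gaps,  # seconds between consecutive SYNs
            "fixed_cadence": len(gaps) >= 2 and pstdev(gaps) < 1.0,
        }
    return out
```

A source that shows one fixed source port, a handful of well-known destination ports and evenly spaced SYNs looks scripted rather than interactive, which is the kind of summary to have in hand when asking the source's owner what the device is.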