Re: Logs: Many hits with source port of 80

[Russell Fulton <r.fulton () auckland ac nz>]

On Fri, 2002-12-13 at 23:05, Byrne Ghavalas wrote:
> Hi All,
>
> Has anyone else noticed a high number of hits in their security logs,
> where the source port is set to tcp 80 and the destination port is some
> high tcp port? I have noticed that these events seem to be getting more
> numerous than the NetBios scans ;-)
>
> For example:
> 2002-12-13 09:08:04 194.78.225.36:80 XX.XX.XX.XX:29439
> 2002-12-13 09:07:04 194.78.225.36:80 XX.XX.XX.XX:29439
> 2002-12-13 09:06:05 194.78.225.36:80 XX.XX.XX.XX:29439


I've seen this sort of thing for years and have tracked it back to
content switches and load balancers the don't quite work some of the
time.  The sort of thing that happens is that the switch and the back
end web server get out of synch some how and you get odd RST or ACK
packets being sent back to the client up to 5 minutes after the actual
session has finished.

If you were running Argus <www.qosient.com> and thus had a complete
audit trail off your traffic then you would be able to see the original
out bound sessions to 194.78.225.36:80 and then the belated ACK, FIN or
RST coming in with the same port numbers

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It aint necessarily so"  - Gershwin


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com