Security Incidents mailing list archives
Re: Logs: Many hits with source port of 80
From: Russell Fulton <r.fulton () auckland ac nz>
Date: 16 Dec 2002 15:13:53 +1300
On Fri, 2002-12-13 at 23:05, Byrne Ghavalas wrote:
> Hi All,
>
> Has anyone else noticed a high number of hits in their security logs, where the source port is set to tcp 80 and the destination port is some high tcp port? I have noticed that these events seem to be getting more numerous than the NetBios scans ;-)
>
> For example:
>
> 2002-12-13 09:08:04 194.78.225.36:80 XX.XX.XX.XX:29439
> 2002-12-13 09:07:04 194.78.225.36:80 XX.XX.XX.XX:29439
> 2002-12-13 09:06:05 194.78.225.36:80 XX.XX.XX.XX:29439
I've seen this sort of thing for years and have tracked it back to content switches and load balancers that don't quite work some of the time. The sort of thing that happens is that the switch and the back end web server get out of synch somehow and you get odd RST or ACK packets being sent back to the client up to 5 minutes after the actual session has finished.

If you were running Argus <www.qosient.com> and thus had a complete audit trail of your traffic then you would be able to see the original outbound sessions to 194.78.225.36:80 and then the belated ACK, FIN or RST coming in with the same port numbers.

--
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
"It aint necessarily so" - Gershwin

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
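The correlation described in the reply above, as an added example that is not part of the original message: each inbound hit from source port 80 is matched against earlier outbound sessions with the reversed address and port pair. The flow-record layout is a simplified, made-up one (not Argus output), the 192.0.2.10, 198.51.100.7 and 203.0.113.9 addresses are constructed, and the 5-minute window is an assumption taken from the reply's "up to 5 minutes".

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the original post). Flow records use a
# simplified made-up layout: session end time, client ip:port, server ip:port
OUTBOUND_FLOWS = """\
2002-12-13 09:04:10 192.0.2.10:29439 194.78.225.36:80
2002-12-13 08:10:00 192.0.2.10:31000 198.51.100.7:80
"""
# Firewall hits in the layout quoted in the post: time, source, destination
FIREWALL_HITS = """\
2002-12-13 09:06:05 194.78.225.36:80 192.0.2.10:29439
2002-12-13 09:08:04 194.78.225.36:80 192.0.2.10:29439
2002-12-13 09:07:30 198.51.100.7:80 192.0.2.10:31000
2002-12-13 09:07:45 203.0.113.9:80 192.0.2.10:40123
"""
WINDOW = timedelta(minutes=5)  # assumption, from "up to 5 minutes" in the reply


def parse(text):
    """Yield (timestamp, source, destination) from 'date time src dst' lines."""
    for line in text.splitlines():
        date, time, src, dst = line.split()
        yield datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), src, dst


def classify(flows_text, hits_text, window=WINDOW):
    """Label each inbound hit by whether a recent outbound session explains it."""
    last_seen = {}  # (client, server) -> latest end time of an outbound session
    for ts, client, server in parse(flows_text):
        key = (client, server)
        last_seen[key] = max(ts, last_seen.get(key, ts))
    results = []
    for ts, src, dst in parse(hits_text):
        ended = last_seen.get((dst, src))  # reversed pair: hit dst was the client
        if ended is None:
            label = "unsolicited"      # no outbound session ever used this pair
        elif timedelta(0) <= ts - ended <= window:
            label = "late-reply"       # belated ACK/FIN/RST for a real session
        else:
            label = "outside-window"   # pair was used, but not recently enough
        results.append((ts, src, dst, label))
    return results


if __name__ == "__main__":
    for ts, src, dst, label in classify(OUTBOUND_FLOWS, FIREWALL_HITS):
        print(ts, src, "->", dst, label)
```

Hits labelled "unsolicited" or "outside-window" are the ones the load-balancer explanation does not account for and that merit a closer look.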