[Dshield] Increase in probes *from* port 80, to random ports

Lauro, John jlauro at umflint.edu
Mon Jun 17 03:16:38 GMT 2002



I just manually submitted my first dshield report.  It is all packets
from the internet with the source port set to 80.  I suspect that they
are trying to use a source port of 80 in hopes of getting past most
firewalls by pretending to be a web server.  As I have a transparent
web proxy, websites should only be going back to the proxy server on
port 80....


I first noticed this behavior months ago, but it seems like this type
of traffic has been increasing...  Have any others noticed this?  Are
there any other common source ports that should be checked for?  I
know I've seen 53 in the past, but that was probably bind worms....
I've seen some probes come from port 25, but not near the extent of
80...  (I also don't have 25 blocked as much, yet, so I only notice
them when going through argus logs for something else...).


For those interested, most of the probes from port 80 appear to be
scanning random ports in the low thousands range.  (Mostly destination
ports 1050-1115, but plenty from 1024 to over 4000, and a significant
amount to port 3072).


Dshield has stats on destination port scans.  However, has any
analysis been done on source ports that are used in scans?  I suspect
hiding behind commonly used ports is going to increase more and more
in order to get past some firewalls, and use them to collect data by
getting an OS fingerprints, and maybe do less intrusive scans later on
the real ports they are interested in....  If you try to leave your
firewall relatively open for the majority of your users (as I, and I
am sure many edu sites do), it might be worthwhile to block the most
common attacks from certain source ports, as well as the ones to
certain destination ports...  However, such blocking can be difficult
without a transparent application level proxy, or at least setting up
connection tracking and limiting syn packets.
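As an added example (not from the original post or the DShield project), here is a small Python filter for the pattern described above: inbound packets carrying source port 80 that are bare SYNs, or that are addressed to anything other than the transparent proxy, and therefore cannot be replies to a real web request. The one-line-per-packet log format, the proxy address 10.0.0.5 and the 10.0.0.0/16 internal range are constructed assumptions.

```python
# Flag inbound "source port 80" packets that are not genuine web replies.
import re
from collections import Counter

PROXY_ADDR = "10.0.0.5"      # assumed transparent web proxy (placeholder)
INTERNAL_NET = "10.0."       # assumed internal address prefix (placeholder)

# Constructed format: "<ts> <src>:<sport> > <dst>:<dport> <tcp-flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>\S+)$")

def parse(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec

def is_spoofed_web_reply(rec):
    """True for an external->internal packet from port 80 that is a bare SYN
    (a reply never opens a connection) or is not aimed at the proxy."""
    inbound = (not rec["src"].startswith(INTERNAL_NET)
               and rec["dst"].startswith(INTERNAL_NET))
    if rec["sport"] != 80 or not inbound:
        return False
    bare_syn = "S" in rec["flags"] and "A" not in rec["flags"]
    return bare_syn or rec["dst"] != PROXY_ADDR

def scan_report(lines):
    """Return (suspect records, Counter of the destination ports they probed)."""
    suspects = [r for r in map(parse, lines) if r and is_spoofed_web_reply(r)]
    return suspects, Counter(r["dport"] for r in suspects)

SAMPLE_LOG = """\
2002-06-16T10:00:01 203.0.113.7:80 > 10.0.0.5:34512 A
2002-06-16T10:00:02 203.0.113.7:80 > 10.0.0.5:34512 PA
2002-06-16T10:00:03 198.51.100.9:80 > 10.0.1.20:1054 S
2002-06-16T10:00:03 198.51.100.9:80 > 10.0.1.21:3072 S
2002-06-16T10:00:04 198.51.100.9:80 > 10.0.1.22:3072 S
2002-06-16T10:00:05 198.51.100.9:80 > 10.0.0.5:1101 S
2002-06-16T10:00:06 10.0.1.20:1054 > 198.51.100.9:80 S
""".splitlines()   # constructed sample; the first two lines are real proxy replies

if __name__ == "__main__":
    suspects, ports = scan_report(SAMPLE_LOG)
    for r in suspects:
        print(f"{r['ts']} {r['src']} -> {r['dst']}:{r['dport']} flags={r['flags']}")
    print("most-hit destination ports:", ports.most_common(3))
```

With a stateful firewall (connection tracking, as the post suggests) these bare SYNs from port 80 are dropped outright; the filter is useful where the rule set is still stateless and the only evidence is the flow log.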

