[Dshield] Increase in probes *from* port 80, to random ports

Russell Washington russ.washington at vaultsentry.com
Mon Jun 17 14:42:44 GMT 2002

Port 80 would also happen to be where Code Red-infected and Nimda-infected
servers would be poking and prodding you from... very possibly a compromised
web server, at any rate.   Can't comment on the destination ports.
I think you're right though re: "hiding" behind port 80.  Most firewalls
worth their salt are stateful anyway, and consequently won't let "web" (port
80) traffic through just because of its port number.  The port 80 traffic
would have to be running through an already established connection
(initiated by something on the inside).  Or at least... that's how it works
if your firewall is configured properly. :)

-----Original Message-----
From: Lauro, John [mailto:jlauro at umflint.edu] 
Sent: Sunday, June 16, 2002 8:17 PM
To: list at dshield.org
Subject: [Dshield] Increase in probes *from* port 80, to random ports



I just manually submitted my first dshield report.  It is all packets from
the internet with the source port set to 80.  I suspect that they are trying
to use a source port of 80 in hopes of getting past most firewalls by
pretending to be a web server.  As I have a transparent web proxy, websites
should only be going back to the proxy server on port 80....


I first noticed this behavior months ago, but it seems like this type of
traffic has been increasing...  Have any others noticed this?  Are there any
other common source ports that should be checked for?  I know I've seen 53
in the past, but that was probably bind worms....  I've seen some probes
come from port 25, but not near the extent of 80...  (I also don't have 25
blocked as much, yet, so I only notice them when going through argus logs
for something else...).


For those interested, most of the probes from port 80 appear to be scanning
random ports in the low thousands range.  (Mostly destination ports
1050-1115, but plenty from 1024 to over 4000, and a significant amount to
port 3072).


Dshield has stats on destination port scans.  However, has any analysis been
done on source ports that are used in scans?  I suspect hiding behind
commonly used ports is going to increase more and more in order to get past
some firewalls, and use them to collect data by getting OS fingerprints,
and maybe do less intrusive scans later on the real ports they are
interested in....  If you try to leave your firewall relatively open for the
majority of your users (as I, and I am sure many edu sites do), it might be
worthwhile to block the most common attacks from certain source ports, as
well as the ones to certain destination ports...  However, such blocking can
be difficult without a transparent application level proxy, or at least
setting up connection tracking and limiting syn packets.
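The stateful-filter behaviour the reply describes, and the connection tracking the original message suggests, as an added example that is not code from either poster: a minimal connection-tracking filter over constructed packet records that admits inbound source-port-80 packets only when an inside host opened the flow, and counts everything else arriving from port 80 as probes by destination port. The addresses, ports and packet tuple format are assumptions made for the illustration.

```python
# Added example (not from the list thread): a minimal stateful filter that
# admits inbound packets with source port 80 only when they belong to a
# connection some inside host opened, and reports the rest as probes.
# Packet records and addresses below are constructed for illustration.
from collections import Counter


def filter_packets(packets):
    """packets: list of (direction, src_ip, sport, dst_ip, dport, tcp_flags).
    Returns (allowed, probes): allowed is the list of passed 4-tuples,
    probes maps destination port -> count of unsolicited inbound packets
    that arrived with source port 80."""
    established = set()   # (inside_ip, inside_port, outside_ip, outside_port)
    allowed = []
    probes = Counter()
    for direction, src, sport, dst, dport, flags in packets:
        if direction == "out":
            # An outbound SYN (no ACK) from inside opens a flow; remember it.
            if "S" in flags and "A" not in flags:
                established.add((src, sport, dst, dport))
            allowed.append((src, sport, dst, dport))
            continue
        # Inbound: pass only if it matches a flow opened from inside.
        if (dst, dport, src, sport) in established:
            allowed.append((src, sport, dst, dport))
        elif sport == 80:
            # A stateless "permit source port 80" rule would have passed this;
            # the stateful filter drops it and records the targeted port.
            probes[dport] += 1
        # Any other unsolicited inbound packet is silently dropped.
    return allowed, probes


# Constructed sample: the proxy opens one real web connection; three other
# packets arrive from source port 80 unsolicited, aimed at low-thousands ports.
SAMPLE = [
    ("out", "10.0.0.5", 40001, "203.0.113.10", 80, "S"),
    ("in", "203.0.113.10", 80, "10.0.0.5", 40001, "SA"),
    ("in", "198.51.100.7", 80, "10.0.0.9", 1050, "SA"),
    ("in", "198.51.100.7", 80, "10.0.0.9", 3072, "SA"),
    ("in", "198.51.100.8", 80, "10.0.0.12", 3072, "A"),
]

if __name__ == "__main__":
    passed, dropped = filter_packets(SAMPLE)
    print(len(passed), "packets passed;", sum(dropped.values()), "probes dropped")
    for port, n in sorted(dropped.items()):
        print(f"  destination port {port}: {n}")
```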

