[Dshield] Increase in probes *from* port 80, to random ports
jsage at finchhaven.com
Mon Jun 17 15:48:32 GMT 2002
On Sun, Jun 16, 2002 at 11:16:38PM -0400, Lauro, John wrote:
> I just manually submitted my first dshield report. It is all packets
> from the internet with the source port set to 80. I suspect that they
> are trying to use a source port of 80 in hopes of getting past most
> firewalls by pretending to be a web server. As I have a transparent
> web proxy, websites should only be going back to the proxy server on
> port 80....
You leave out some very important information:
1) what sort of connectivity do you have?
2) in what context is this happening -- single user, firewall for a
LAN, how many/what sort of users behind the firewall, if that's the case?
3) are these tcp SYN packets, or ACK's, or ACK-RST's -- or some other
If you are a single user with a dynamic IP address, you're probably
seeing what I call dialup cruft: the remnants of a prior connection
on the IP address that you've just inherited.
Without further details, it's hard to say.
"You are in a little maze of twisty passages, all different."
PGP key http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5