[Dshield] Increase in probes *from* port 80, to random ports

John Sage jsage at finchhaven.com
Mon Jun 17 15:48:32 GMT 2002

On Sun, Jun 16, 2002 at 11:16:38PM -0400, Lauro, John wrote:
> Hello,
> I just manually submitted my first dshield report.  It is all packets
> from the internet with the source port set to 80.  I suspect that they
> are trying to use a source port of 80 in hopes of getting past most
> firewalls by pretending to be a web server.  As I have a transparent
> web proxy, websites should only be going back to the proxy server on
> port 80....

You leave out some very important information:

1) what sort of connectivity do you have?

2) in what context is this happening -- single user, firewall for a
LAN, how many/what sort of users behind the firewall, if that's the case?

3) are these tcp SYN packets, or ACK's, or ACK-RST's -- or some other

If you are a single user with a dynamic IP address, you're probably
seeing what I call dialup cruft: the remnants of a prior connection
on the IP address that you've just inherited.

Without further details, it's hard to say.

- John
"You are in a little maze of twisty passages, all different."

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 
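
Added example, not part of the original message: one way to answer question 3 from a firewall log is to tally the TCP flags on packets arriving from source port 80, since a bare SYN opens a connection while SYN-ACK, RST and plain ACK/FIN packets are replies to or remnants of some other exchange. It assumes iptables-style LOG lines; the sample lines (abbreviated, documentation addresses) are constructed, and the names `classify` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in abbreviated iptables LOG format (documentation IP ranges).
SAMPLE_LOG = """\
Jun 16 22:01:10 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=40 TTL=52 PROTO=TCP SPT=80 DPT=34567 WINDOW=0 RES=0x00 ACK RST URGP=0
Jun 16 22:01:12 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=44 TTL=52 PROTO=TCP SPT=80 DPT=34568 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Jun 16 22:03:40 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TTL=48 PROTO=TCP SPT=80 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 16 22:04:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=52 TTL=50 PROTO=TCP SPT=80 DPT=40211 WINDOW=6432 RES=0x00 ACK FIN URGP=0
Jun 16 22:05:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=60 TTL=50 PROTO=TCP SPT=443 DPT=40300 WINDOW=6432 RES=0x00 SYN URGP=0
"""

FIELD = re.compile(r"\b(SRC|SPT|DPT|PROTO)=(\S+)")
# iptables prints the set flags between RES= and URGP=
FLAGS = re.compile(
    r"RES=\S+\s+((?:(?:CWR|ECE|URG|ACK|PSH|RST|SYN|FIN)\s+)*)URGP="
)


def classify(flags):
    """Map a set of TCP flag names to the kind of packet it represents."""
    if flags == {"SYN"}:
        return "connection-attempt"  # sender is opening a new connection to us
    if "RST" in flags or {"SYN", "ACK"} <= flags:
        return "reply-to-unknown"    # answer to a packet the firewall has no state for
    if "ACK" in flags:
        return "mid-stream"          # tail of an existing or earlier connection
    return "other"


def summarize(log_text, sport="80"):
    """Count packet kinds among TCP log lines with the given source port."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        m = FLAGS.search(line)
        if fields.get("PROTO") != "TCP" or fields.get("SPT") != sport or not m:
            continue
        counts[classify(set(m.group(1).split()))] += 1
    return dict(counts)


if __name__ == "__main__":
    for kind, n in summarize(SAMPLE_LOG).items():
        print(f"{kind:20s} {n}")
```

A log dominated by `mid-stream` and `reply-to-unknown` entries points toward leftover or reply traffic, while a run of `connection-attempt` entries from port 80 means something is actually initiating connections.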

