[Dshield] Increase in probes *from* port 80, to random ports

Lauro, John jlauro at umflint.edu
Mon Jun 17 16:06:09 GMT 2002

Ok, to put it in perspective...

I am a net admin of a class B...  So that's 65k IPs I see the port
scans against...  As the campus is centrally managed, in most cases I
know where the servers are, etc...

I am seeing about 200,000+ packets a day going with a destination of
port 80 that are blocked because they are going to an IP that is not a
web server and I was tired of seeing all the extra traffic.  Those are
from Code Red, Nimda, etc....  I don't even log all those dropped
packets, but might start to once I automate the reporting to

It's only about 1000-10000 packets a day with a source of port 80
(that shouldn't be).  To me it seems like a lot, and more than it was
6 months ago, but compared to the packets dropped with destination
port 80 noise it's only about 1%.

Looking at the scans, many of them are to places I never had subnets
running, so I know it is not some IP leaking from the proxy server,
etc...  and we are not running NAT, etc...   Many of the scans are
from the same IP with source port 80 to different IPs with random
destination ports (many falling on IPs with no machine, many with), so
there are only two possibilities:
   1. It is some sort of port scan.
   2. My IPs are being spoofed outside my net, and used to DoS attack
a web server.  (This one is not likely for most of the traffic, as
most of the IPs don't even reverse DNS, etc... and I've seen hundreds
of different source IPs in the last week).

-----Original Message-----
From: Stephane Grobety [mailto:security at admin.fulgan.com] 
Sent: Monday, June 17, 2002 10:45 AM
To: Lauro, John
Subject: Re: [Dshield] Increase in probes *from* port 80, to random

You are probably just seeing the result of an improper firewall/nat
configuration: response packets that are marked as "bad" because the
client query that initiated them has been "forgotten" by the stateful
inspector or by the NAT: Since it doesn't remember a connection from
inside with these parameters, it's tagging the packets as bad and
dropping them.

If you think this is not the case, then please do give more
information about your setup: are you a single user or a net admin ?
What kind of software are you using: a firewall (gateway or personal),
some form of ACL, a NAT device ? Please include sample log (obfuscate
the IPs if you want)

Good luck,
Best regards,
 Stephane                            mailto:security at admin.fulgan.com
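
The two messages above disagree about what source-port-80 drops mean, and John's three hypotheses (port scan, spoofed DoS backscatter, forgotten firewall/NAT state) can be separated mechanically from a drop log once the TCP flags and the knowledge of which subnets actually have hosts are taken into account. The script below is an added example written for this archive page; it is not code from either poster. The log format, the addresses, the "live" subnet list and the sample drop lines are all constructed for the example. The classification rests on two facts about TCP: a server replying to a client on port 80 sends SYN/ACK, ACK, PSH, FIN or RST with source port 80 but never a bare SYN, and no reply of any kind can be a legitimate forgotten-state packet if it is addressed to an IP that has never had a host behind it.

```python
"""Triage of dropped packets with TCP source port 80 (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample drop log, one packet per line (not the poster's logs):
#   <src> <sport> <dst> <dport> <tcp flags as S/A/R/P/F letters>
SAMPLE_DROPS = """\
203.0.113.7 80 198.51.100.12 31337 S
203.0.113.7 80 198.51.100.200 4444 S
203.0.113.7 80 198.51.101.77 1025 S
203.0.113.7 80 198.51.101.9 60000 S
192.0.2.40 80 198.51.101.50 51514 SA
192.0.2.40 80 198.51.101.50 51515 SA
192.0.2.40 80 198.51.101.50 51516 SA
192.0.2.41 80 198.51.100.3 51234 RA
192.0.2.41 80 198.51.100.3 51235 RA
192.0.2.99 80 198.51.100.3 49152 FA
"""

# Assumed site layout for the example: 198.51.100.0/24 has hosts,
# 198.51.101.0/24 belongs to the site but has never had a machine on it.
LIVE_NETS = [ip_network("198.51.100.0/24")]


@dataclass
class Drop:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_drops(text):
    """Parse the constructed log format into Drop records."""
    drops = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        src, sport, dst, dport, flags = line.split()
        drops.append(Drop(src, int(sport), dst, int(dport), flags.upper()))
    return drops


def is_live(ip, live_nets):
    """True if the address falls in a subnet that actually has hosts."""
    addr = ip_address(ip)
    return any(addr in net for net in live_nets)


def triage(text, live_nets, scan_min_targets=3):
    """Group source-port-80 drops by source address and return {src: verdict}.

    'scan'        bare SYN from port 80 (a web server never opens connections
                  from port 80, so this is an active probe), or one source
                  hitting many distinct destination addresses.
    'backscatter' SYN/ACK, RST or other replies aimed at an address with no
                  host behind it: nothing of ours could have initiated those,
                  so our address space is being spoofed against that server.
    'state-loss?' replies to a live host only: consistent with a real client
                  connection the stateful firewall/NAT forgot; confirm
                  against outbound connection logs before calling it hostile.
    """
    by_src = defaultdict(list)
    for d in parse_drops(text):
        if d.sport == 80:
            by_src[d.src].append(d)

    verdicts = {}
    for src, ds in by_src.items():
        bare_syn = any(set(d.flags) == {"S"} for d in ds)
        targets = {d.dst for d in ds}
        dark_targets = [d for d in ds if not is_live(d.dst, live_nets)]
        if bare_syn or len(targets) >= scan_min_targets:
            verdicts[src] = "scan"
        elif dark_targets:
            verdicts[src] = "backscatter"
        else:
            verdicts[src] = "state-loss?"
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(triage(SAMPLE_DROPS, LIVE_NETS).items()):
        print(f"{src:15} {verdict}")
```

The "state-loss?" bucket is deliberately a question: on a site without NAT and with a central record of which hosts exist, the check John describes (replies landing on never-used subnets) is what turns Stephane's explanation from the default into something that must be proven per source address.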

Dshield mailing list
Dshield at dshield.org