[Dshield] Increase in probes *from* port 80, to random ports
jsage at finchhaven.com
Mon Jun 17 16:51:04 GMT 2002
On Mon, Jun 17, 2002 at 12:06:09PM -0400, Lauro, John wrote:
> Ok, to put it in perspective...
> I am a net admin of a class B... So that's 65k IPs I see the port
> scans against... As the campus is centrally managed, in most cases I
> know where the servers are, etc...
> Looking at the scans, many of them are to places I never had subnets
> running, so I know it is not some IP leaking from the proxy server,
> etc... and we are not running NAT, etc... Many of the scans are
> from the same IP with source port 80 to different IPs with random
> destination ports (many falling on IPs with no machine, many with), so
> there are only two possibilities:
> 1. It is some sort of port scan.
These are TCP SYN packets, then? Until you explicitly state so, some
of us will be lacking important information, because experience
suggests that in these matters it's not good to assume.
> 2. My IPs are being spoofed outside my net, and used to DoS attack
> a web server. (This one is not likely for most of the traffic, as
> most of the IPs don't even reverse DNS, etc... and I've seen hundreds
> of different source IPs in the last week).
These are TCP ACKs or RSTs? Or what?
I'm sorry: it's kinda like at an auto parts store:
until you give make, year, model, engine size, auto or manual trans,
at the least, we're only able to give you general answers.
Packet captures are _always_ welcome...
"You are in a little maze of twisty passages, all alike."
PGP key http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
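An added example, not part of the original post or of the DShield list, showing the check the reply is asking for: read tcpdump's default text output, keep only packets whose source port is 80, and sort them by TCP flags, so that unsolicited SYNs (a scan using 80 as the source port) fall apart from SYN/ACKs and RSTs (backscatter from a server answering packets that carried our spoofed addresses). The sample lines, the addresses in them, and the helper names (`parse_line`, `classify_packet`, `summarize`) are constructed here for illustration; the flag letters follow tcpdump's notation (S = SYN, . = ACK, R = RST).

```python
import re
from collections import Counter, defaultdict

# Constructed sample in tcpdump's default text format (not a real capture).
# Source 203.0.113.5 sends bare SYNs from port 80 to many hosts/ports;
# source 198.51.100.10 sends SYN/ACKs and RSTs from port 80, i.e. it is
# answering SYNs that were sent to it with our addresses as the source.
SAMPLE = """\
16:51:04.100 IP 203.0.113.5.80 > 192.0.2.7.34567: Flags [S], seq 1, win 512, length 0
16:51:04.120 IP 203.0.113.5.80 > 192.0.2.9.1025: Flags [S], seq 1, win 512, length 0
16:51:04.140 IP 203.0.113.5.80 > 192.0.2.200.6000: Flags [S], seq 1, win 512, length 0
16:51:05.000 IP 198.51.100.10.80 > 192.0.2.33.40001: Flags [S.], seq 9, ack 1, win 8192, length 0
16:51:05.010 IP 198.51.100.10.80 > 192.0.2.34.40002: Flags [R.], seq 1, ack 1, win 0, length 0
16:51:05.020 IP 198.51.100.10.80 > 192.0.2.35.40003: Flags [S.], seq 9, ack 1, win 8192, length 0
16:51:06.000 IP 192.0.2.50.44321 > 198.51.100.99.80: Flags [S], seq 7, win 65535, length 0
"""

TCPDUMP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict for one tcpdump TCP line, or None for anything else."""
    m = TCPDUMP_LINE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def classify_packet(pkt):
    """Label a packet by its TCP flags, the distinction the reply asks for."""
    f = pkt["flags"]
    if "S" in f and "." not in f:
        return "syn"      # unsolicited SYN: a probe/scan, source port 80 notwithstanding
    if "S" in f and "." in f:
        return "syn-ack"  # SYN/ACK to a SYN we never sent: backscatter from a spoofed flood
    if "R" in f:
        return "rst"      # RST to a packet we never sent: backscatter (no session / closed port)
    if f == ".":
        return "ack"      # bare ACK: ACK scan or backscatter; ambiguous on its own
    return "other"


def summarize(text, service_port=80):
    """Per source IP with the given source port: flag counts, spread, and a verdict."""
    per_src = defaultdict(lambda: {"flags": Counter(), "hosts": set(), "ports": set()})
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt["sport"] != service_port:
            continue
        s = per_src[pkt["src"]]
        s["flags"][classify_packet(pkt)] += 1
        s["hosts"].add(pkt["dst"])
        s["ports"].add(pkt["dport"])
    out = {}
    for src, s in per_src.items():
        c = s["flags"]
        if c["syn"] > c["syn-ack"] + c["rst"]:
            verdict = "scan"
        elif c["syn-ack"] + c["rst"] > 0:
            verdict = "backscatter"
        else:
            verdict = "ambiguous"
        out[src] = {
            "verdict": verdict,
            "flags": dict(c),
            "dst_hosts": len(s["hosts"]),
            "dst_ports": len(s["ports"]),
        }
    return out


if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(f"{src}: {info['verdict']} flags={info['flags']} "
              f"hosts={info['dst_hosts']} ports={info['dst_ports']}")
```

Feed it real output with something like `tcpdump -n -l 'tcp and src port 80' | python3 classify.py` after replacing `SAMPLE` with `sys.stdin.read()`. A source whose packets are SYN/ACKs and RSTs spread across many of your addresses, none of which opened a connection to it, is the backscatter case; a source sending bare SYNs is scanning, whatever its source port. A bare ACK needs the rest of the capture to decide.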