[Dshield] Increase in probes *from* port 80, to random ports

John Sage jsage at finchhaven.com
Mon Jun 17 16:51:04 GMT 2002

On Mon, Jun 17, 2002 at 12:06:09PM -0400, Lauro, John wrote:
> Ok, to put it in perspective...
> I am a net admin of a class B...  So that's 65k IPs I see the port
> scans against...  As the campus is centrally managed, in most cases I
> know where the servers are, etc...


> Looking at the scans, many of them are to places I never had subnets
> running, so I know it is not some IP leaking from the proxy server,
> etc...  and we are not running NAT, etc...   Many of the scans are
> from the same IP with source port 80 to different IPs with random
> destination ports (many falling on IPs with no machine, many with), so
> there are only two possibilities:
>    1. It is some sort of port scan.

These are tcp SYN packets, then? Until you explicitly state so, some
of us will be lacking important information, because experience
suggests that in these matters, it's not good to assume..

>    2. My IP's are being spoofed outside my net, and used to DOS attack
> a web server.  (This one is not likely for most of the traffic, as
> most of the IPs don't even reverse DNS, etc... and I've seen hundreds
> of different source IPs in the last week).

These are tcp ACK's or RST's? Or what?

I'm sorry: it's kinda like at an auto parts store:

until you give make, year, model, engine size, auto or manual trans,
at the least, we're only able to give you general answers.

Packet captures are _always_ welcome...

<more snippage>

- John
"You are in a little maze of twisty passages, all alike."

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 

More information about the list mailing list