[Dshield] Increase in probes *from* port 80, to random ports

Lauro, John jlauro at umflint.edu
Mon Jun 17 17:04:06 GMT 2002


You leave out some very important information:

1) what sort of connectivity do you have?

We have a class B with up to 100mb peak.


2) in what context is this happening -- single user, firewall for a
LAN, how many/what sort of users behind the firewall, if that's the
case?

A firewall for a campus network covering a dozen buildings, thousands
of machines, etc...  Most servers centrally managed, the few servers
that are not are centrally registered...

We have student labs, faculty/staff offices, and servers behind the
firewall.

3) are these tcp SYN packets, or ACK's, or ACK-RST's -- or some other
protocol?

76% are ACK SYN
6% ACK RST
18% just ACK





