[Dshield] Increase in probes *from* port 80, to random ports

Lauro, John jlauro at umflint.edu
Mon Jun 17 17:04:06 GMT 2002

You leave out some very important information:

1) what sort of connectivity do you have?

We have a class B with up to 100mb peak.

2) in what context is this happening -- single user, firewall for a
LAN, how many/what sort of users behind the firewall, if that's the

A firewall for a campus network covering a dozen buildings, thousands
of machines, etc...  Most servers centrally managed, the few servers
that are not are centrally registered...

We have student labs, faculty/staff offices, and servers behind the

3) are these tcp SYN packets, or ACK's, or ACK-RST's -- or some other

76% are ACK SYN
18% just ACK

