[Dshield] Increase in probes *from* port 80, to random ports

Kenneth Porter shiva at sewingwitch.com
Mon Jun 17 22:15:46 GMT 2002

On Mon, 2002-06-17 at 10:04, Lauro, John wrote:

> 76% are ACK SYN
> 6% ACK RST
> 18% just ACK

FWIW, I'm seeing similar activity, but mostly ACKs. Topology is single
public static IP NAT'ing about 70 workstations, using iptables. Prior to
using iptables, I used ipchains, which lacked the ability to detect this
kind of thing. The masquerading feature of ipchains used high port
numbers (> 60000) when NAT'ing outgoing connections. I don't know if
iptables does the same, but the destination port numbers I'm seeing are
definitely below this range, and there should be no web activity sourced
from the NAT box itself.

In a few cases I tried to connect to the problem IPs and found either
no web server or a virgin IIS installation.
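The two checks the post describes, the TCP flag mix of packets arriving from remote port 80 and whether their destination ports fall in the masquerade range, can be scripted against the iptables LOG target's output. The following is an added example, not code from the list posting or from DShield; the log lines are constructed samples in iptables LOG format, and the default NAT range 60001-65535 only mirrors the post's "> 60000" remark (the real masquerade range depends on the kernel, so pass your own).

```python
import re
from collections import Counter

# Constructed sample iptables LOG lines (not from the original post); addresses,
# ports and counts are made up to illustrate the format.
SAMPLE_LOG = """\
Jun 17 09:58:12 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 LEN=44 TTL=50 ID=0 DF PROTO=TCP SPT=80 DPT=33456 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Jun 17 09:58:13 gw kernel: IN=eth0 OUT= SRC=203.0.113.11 DST=198.51.100.5 LEN=40 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=1187 WINDOW=0 RES=0x00 ACK RST URGP=0
Jun 17 09:58:15 gw kernel: IN=eth0 OUT= SRC=203.0.113.12 DST=198.51.100.5 LEN=40 TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=61234 WINDOW=16384 RES=0x00 ACK URGP=0
Jun 17 09:58:16 gw kernel: IN=eth0 OUT= SRC=203.0.113.13 DST=198.51.100.5 LEN=44 TTL=49 ID=0 DF PROTO=TCP SPT=80 DPT=2048 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Jun 17 09:58:20 gw kernel: IN=eth0 OUT= SRC=203.0.113.14 DST=198.51.100.5 LEN=48 TTL=113 ID=5 DF PROTO=TCP SPT=4123 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")          # KEY=VALUE pairs in a LOG line
FLAG_NAMES = ("SYN", "ACK", "RST", "FIN", "PSH", "URG")  # bare tokens in LOG output
DEFAULT_NAT_RANGE = (60001, 65535)             # assumption: the post's "> 60000"


def parse_line(line):
    """Parse one iptables LOG line; return its fields plus a 'flags' tuple,
    or None when the line is not a TCP packet."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("PROTO") != "TCP":
        return None
    tokens = set(line.split())
    fields["flags"] = tuple(f for f in FLAG_NAMES if f in tokens)
    fields["SPT"] = int(fields["SPT"])
    fields["DPT"] = int(fields["DPT"])
    return fields


def classify(fields, nat_range=DEFAULT_NAT_RANGE):
    """Label a packet that arrived *from* remote port 80 by its flag combination
    and report whether its destination port lies inside the NAT port range.
    Returns None for packets that do not match the pattern under discussion."""
    if fields["SPT"] != 80:
        return None
    flags = fields["flags"]
    if "SYN" in flags and "ACK" in flags:
        kind = "SYN-ACK"
    elif "RST" in flags:
        kind = "RST"
    elif flags == ("ACK",):
        kind = "bare ACK"
    else:
        kind = "other"
    lo, hi = nat_range
    return kind, lo <= fields["DPT"] <= hi


def summarize(log_text, nat_range=DEFAULT_NAT_RANGE):
    """Count the flag mix of port-80-sourced packets (like the percentages in
    the thread) and how many target ports outside the NAT range, i.e. ports
    that no masqueraded connection from this box should be using."""
    kinds = Counter()
    outside_nat = 0
    total = 0
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        result = classify(fields, nat_range)
        if result is None:
            continue
        kind, in_nat = result
        kinds[kind] += 1
        total += 1
        if not in_nat:
            outside_nat += 1
    percent = {k: round(100.0 * v / total) for k, v in kinds.items()} if total else {}
    return {"total": total, "counts": dict(kinds),
            "percent": percent, "outside_nat_range": outside_nat}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A high share of SYN-ACK and RST packets whose destination ports are scattered well outside the masquerade range is the signature of unsolicited replies (stale or spoofed connection attempts) rather than of this host's own web traffic; packets landing inside the range are the ones worth comparing against the NAT box's connection-tracking table before concluding anything.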

