[Dshield] Increase in probes *from* port 80, to random ports

Ed Truitt ed.truitt at etee2k.net
Tue Jun 18 12:25:05 GMT 2002


This is an interesting problem.  Let me see if I have this correctly:  you
have (one or more?) machine(s) sending packets to your network with a source
port of 80 and (random?) destination ports in the high range.  Just a WAG,
but I can see several possibilities, other than what has been described:

1) A different type of network address space map (looking for live hosts),
where the intent is simply to establish which IP addresses are active.
Since inbound traffic from Port 80 is often allowed (especially in primitive
/ simple firewalls), it might provide a way to get the map in networks that
would otherwise be inaccessible.

2) Someone is spoofing your IP space and launching a DoS against the web
server(s) involved.

3) Someone is scanning for specific high ports used by RATs (e.g. SubSeven,
RDP), and using Port 80 as the source would tend to hide the nature of the
activity.

4) Someone's scanning for non-SSL web-based Remote Access clients (such as
GoToMyPC) whose connections they might be able to hijack.  IIRC, such
clients would be listening for traffic with a source port of either 80 or
443.

I will have to set my firewall to look for this type of traffic, and see
what pops up.

Cheers,
Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."
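Added example, not part of Ed's post or of any DShield tooling: a small Python triage script for the "set my firewall to look for this type of traffic" step. It reads simplified iptables-style log lines (the sample lines below are constructed, not captured data), keeps only inbound TCP packets with source port 80 going to high destination ports, and sorts each source IP's packets by the explanation its TCP flags best fit: a bare SYN is an unsolicited probe (possibilities 1, 3 and 4 above), a SYN-ACK or RST from port 80 is the backscatter a web server would send in reply to spoofed SYNs (possibility 2), and a bare ACK needs a check against the firewall's state table before it is called anything. The 1024 high-port cutoff and the field names are assumptions for the example.

```python
import re
from collections import defaultdict

HIGH_PORT = 1024  # assumed cutoff: destination ports at or above this are "high range"

# Constructed sample log lines in a simplified iptables-like format (not real traffic).
# 203.0.113.5 sends bare SYNs from port 80 to RAT-style ports (27374/1243 are
# SubSeven's well-known defaults, 3389 is RDP); 198.51.100.7 answers with SYN-ACK
# and RST, as a web server would when someone spoofs our addresses against it.
SAMPLE_LOG = """\
Jun 18 12:01:03 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=80 DPT=27374 RES=0x00 SYN URGP=0
Jun 18 12:01:04 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.11 LEN=60 PROTO=TCP SPT=80 DPT=3389 RES=0x00 SYN URGP=0
Jun 18 12:01:05 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.12 LEN=60 PROTO=TCP SPT=80 DPT=1243 RES=0x00 SYN URGP=0
Jun 18 12:01:05 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.12 LEN=60 PROTO=TCP SPT=80 DPT=22 RES=0x00 SYN URGP=0
Jun 18 12:01:06 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 LEN=60 PROTO=TCP SPT=80 DPT=40001 RES=0x00 ACK SYN URGP=0
Jun 18 12:01:07 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.21 LEN=60 PROTO=TCP SPT=80 DPT=40002 RES=0x00 ACK SYN URGP=0
Jun 18 12:01:08 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.22 LEN=40 PROTO=TCP SPT=80 DPT=40003 RES=0x00 RST URGP=0
Jun 18 12:01:09 fw kernel: IN=eth0 SRC=203.0.113.77 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=80 DPT=51234 RES=0x00 ACK URGP=0
Jun 18 12:01:10 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=443 DPT=22 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=TCP\s+SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+)(?P<rest>.*)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not a TCP line we understand."""
    m = LINE_RE.search(line)
    if not m:
        return None
    flags = {tok for tok in m.group("rest").split() if tok in ("SYN", "ACK", "RST", "FIN")}
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "spt": int(m.group("spt")),
        "dpt": int(m.group("dpt")),
        "flags": flags,
    }


def classify(pkt):
    """Label a source-port-80 packet by which explanation its TCP flags fit."""
    f = pkt["flags"]
    if "SYN" in f and "ACK" not in f:
        return "probe"        # unsolicited SYN from port 80: host map, RAT-port scan, client hunt
    if ("SYN" in f and "ACK" in f) or "RST" in f:
        return "backscatter"  # SYN-ACK or RST from a web server: replies to spoofed SYNs
    return "ack"              # bare ACK: compare with the state table before deciding


def summarize(log_text):
    """Group inbound source-port-80 packets to high ports by source IP and verdict."""
    report = defaultdict(lambda: {"packets": 0, "dports": set(), "verdicts": defaultdict(int)})
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt["spt"] != 80 or pkt["dpt"] < HIGH_PORT:
            continue
        entry = report[pkt["src"]]
        entry["packets"] += 1
        entry["dports"].add(pkt["dpt"])
        entry["verdicts"][classify(pkt)] += 1
    return {
        src: {"packets": e["packets"], "dports": sorted(e["dports"]), "verdicts": dict(e["verdicts"])}
        for src, e in report.items()
    }


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(f"{src:15} packets={info['packets']:<3} verdicts={info['verdicts']} dports={info['dports']}")
```

On the sample the probe source stands out by its spread of RAT-style destination ports, and the backscatter source by SYN-ACK/RST flags, which is the cheap way to tell possibility 2 apart from the other three before digging further. The "ack" bucket is deliberately left undecided: a bare ACK from port 80 is normal return traffic for an established web session, so it only becomes interesting when the firewall has no matching state entry.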
