[Dshield] unknown port

Johannes B. Ullrich jullrich at sans.org
Thu Jun 5 04:37:58 GMT 2003


> On Wed, Jun 04, 2003 at 09:25:17PM -0500, Rick Leske wrote:
> > Honestly I'm not using a web server.. here's a snip of the capture:
> > 
> >  TCP 1420    64.124.82.21     10.1.58.122     80  3154  [2003.06.04 - 14:58:09.303]
> 
> You absolutely sure that isn't Windows XP's automagic 
> WindowsUpdate doodad downloading patches for you while you're
> not looking?

Good catch. Microsoft does use Akamai for its updates. The connection
looks like a regular http access otherwise (from 64.124.82.21 port 80 to
10.1.58.122 port 3154... just the return packet from the server)

Depending on the firewall used, this may be a case of 'expired state'.
If the server (Akamai in this case) was slow to respond, the firewall
forgot about the outgoing request by the time the reply comes back.
As a result, the reply is flagged as a new connection attempt.
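
The 'expired state' case described above, as an added example that is not part of the original post: a toy stateful filter in Python that logs a slow reply as a new connection attempt. The 60-second idle timeout, port 3153, the 192.0.2.7 host and all timestamps are constructed assumptions; only the two addresses and ports 80/3154 come from the capture.

```python
from collections import namedtuple

# ts in seconds; "out" is True for packets leaving the protected host
Packet = namedtuple("Packet", "ts src sport dst dport out")

def run_firewall(packets, timeout):
    """Return (packet, verdict, note) per packet for a toy stateful filter."""
    state = {}    # flow key -> last time seen; the firewall's state table
    history = {}  # flow key -> time of last outbound packet; analyst's view only
    results = []
    for p in sorted(packets, key=lambda p: p.ts):
        # Purge entries idle longer than the timeout, as the firewall would.
        state = {k: t for k, t in state.items() if p.ts - t <= timeout}
        if p.out:
            key = (p.src, p.sport, p.dst, p.dport)
            state[key] = history[key] = p.ts
            results.append((p, "ALLOW", "outbound request"))
            continue
        key = (p.dst, p.dport, p.src, p.sport)  # a reply reverses the tuple
        if key in state:
            state[key] = p.ts
            results.append((p, "ALLOW", "reply to tracked flow"))
        elif key in history:
            # The firewall has forgotten the request, so it sees a "new" inbound packet.
            age = p.ts - history[key]
            results.append((p, "LOG", f"expired state: reply {age:.0f}s after request"))
        else:
            results.append((p, "LOG", "no matching outbound request"))
    return results

# Constructed timeline using the addresses from the capture above.
CLIENT, SERVER = "10.1.58.122", "64.124.82.21"
SAMPLE = [
    Packet(0.0, CLIENT, 3153, SERVER, 80, True),
    Packet(0.4, SERVER, 80, CLIENT, 3153, False),        # prompt reply
    Packet(10.0, CLIENT, 3154, SERVER, 80, True),
    Packet(95.0, SERVER, 80, CLIENT, 3154, False),       # slow reply
    Packet(96.0, "192.0.2.7", 80, CLIENT, 4000, False),  # never requested
]

if __name__ == "__main__":
    for p, verdict, note in run_firewall(SAMPLE, timeout=60):
        print(f"{p.ts:6.1f} {p.src}:{p.sport} -> {p.dst}:{p.dport} {verdict} ({note})")
```

The firewall itself logs both of the last two packets the same way; only correlating the log entry with earlier outbound traffic separates a late reply from a packet nobody asked for.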




