[Dshield] unknown port
Johannes B. Ullrich
jullrich at sans.org
Thu Jun 5 04:37:58 GMT 2003
> On Wed, Jun 04, 2003 at 09:25:17PM -0500, Rick Leske wrote:
> > Honestly I'm not using a web server.. here's a snip of the capture:
> > TCP 1420 220.127.116.11 10.1.58.122 80 3154 [2003.06.04 - 14:58:09.303]
> You absolutely sure that isn't Windows XP's automagic
> WindowsUpdate doodad downloading patches for you while you're
> not looking?
Good catch. Microsoft does use Akamai for its updates. The connection
looks like a regular http access otherwise (from 18.104.22.168 port 80 to
10.1.58.122 port 3154... just the return packet from the server).
Depending on the firewall used, this may be a case of 'expired state'.
If the server (Akamai in this case) was slow to respond, the firewall
forgot about the outgoing request by the time the reply comes back.
As a result, the reply is flagged as a new connection attempt.
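
The 'expired state' effect described above, as an added example that is not part of the original message: a toy state table replays a constructed packet sequence and shows a late reply being logged as a new connection. The 60-second timeout, the `classify` helper and the server addresses are assumptions made for illustration; only 10.1.58.122 port 3154 comes from the capture.

```python
from typing import NamedTuple

STATE_TIMEOUT = 60.0  # seconds; assumed for illustration, real firewalls vary

class Packet(NamedTuple):
    ts: float   # seconds since start of capture
    src: str
    sport: int
    dst: str
    dport: int

def classify(packets, internal_prefix="10.", timeout=STATE_TIMEOUT):
    """Replay packets through a toy state table; return one verdict per packet."""
    state = {}       # (inside ip, inside port, outside ip, outside port) -> last seen
    expired = set()  # flows whose state entry has timed out
    verdicts = []
    for p in sorted(packets, key=lambda p: p.ts):
        outbound = p.src.startswith(internal_prefix)
        key = ((p.src, p.sport, p.dst, p.dport) if outbound
               else (p.dst, p.dport, p.src, p.sport))
        last = state.get(key)
        if last is not None and p.ts - last > timeout:
            del state[key]          # the firewall has forgotten this flow
            expired.add(key)
            last = None
        if outbound:
            state[key] = p.ts       # outgoing request creates or refreshes state
            expired.discard(key)
            verdicts.append("allowed-outbound")
        elif last is not None:
            state[key] = p.ts       # reply matches live state
            verdicts.append("allowed-reply")
        elif key in expired:
            verdicts.append("new-connection (expired state)")
        else:
            verdicts.append("new-connection (unsolicited)")
    return verdicts

# Constructed sample: 192.0.2.10 and 198.51.100.7 are documentation addresses.
SAMPLE = [
    Packet(0.0, "10.1.58.122", 3154, "192.0.2.10", 80),    # outgoing request
    Packet(2.0, "192.0.2.10", 80, "10.1.58.122", 3154),    # prompt reply
    Packet(100.0, "192.0.2.10", 80, "10.1.58.122", 3154),  # slow reply, state gone
    Packet(101.0, "198.51.100.7", 80, "10.1.58.122", 4000),  # never requested
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, classify(SAMPLE)):
        print(pkt, "->", verdict)
```

When triaging a log entry like the one in this thread, an earlier outbound packet on the same address and port pair is what separates the expired-state case from a genuinely unsolicited packet.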