[Dshield] Traffic from a Cisco Content Engine

Brad Morgan B-Morgan at concentric.net
Wed Mar 5 04:24:35 GMT 2003

I'm volunteering at a local workforce center to install a Linux based
firewall using iptables.  We turned it on last week and have had only a
couple of "complaints" from the users (the director called a company she
"knows" is in business and got a "that number is disconnected" message; she
asked the IT folks if that was because of the firewall we just installed?)

I'm still searching the logs for any legitimate traffic that we might be
missing, and I've come across some traffic that I don't understand so I
thought I'd ask this group of experts...

I'm seeing traffic from a single node to random ports on the machines in the
center.  This node is owned by the center's ISP.  After getting some
non-answers to our questions about this traffic, I nmap'ed the address and I
believe it's a Cisco Content Engine.

With some help from ethereal, I determined that it is sending a FIN,ACK
packet from port 8999 to a random port on the target machine and the target
machine responds with a RST packet.

Searching Cisco's site didn't provide any answers.  Can anyone provide an
explanation of what this traffic accomplishes?


Brad Morgan
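The pattern described above (a FIN/ACK arriving on a port where no connection was ever opened, answered by a RST) is something a firewall log can be searched for directly. The following is an added example, not code from the original post, from DShield, or from Cisco: it reads netfilter/iptables LOG lines, keeps track of which flows actually saw a SYN, and flags FIN/ACK segments that belong to no such flow, noting whether the target answered with RST. The log lines, addresses and port numbers are constructed for the example (documentation address ranges, the 8999 source port from the post, and made-up target ports); the real LOG format carries more fields (MAC=, LEN=, TTL=, ID= and so on) than the trimmed sample lines here, which the parser ignores anyway.

```python
"""Flag unsolicited TCP FIN/ACK segments in netfilter LOG output.

Added example, not from the original post. The sample log below is
constructed: one legitimate HTTP connection (SYN / SYN-ACK / ACK /
FIN-ACK) and one outside host sending FIN/ACK from port 8999 to ports
on which no handshake ever happened, each answered with a RST.
"""
import re
from collections import defaultdict

# Constructed sample lines (trimmed netfilter LOG format; addresses from
# documentation ranges, ports made up for the example).
SAMPLE_LOG = """\
Mar  4 22:10:01 fw kernel: IN=eth0 OUT= SRC=10.1.1.20 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  4 22:10:01 fw kernel: IN=eth1 OUT= SRC=198.51.100.7 DST=10.1.1.20 PROTO=TCP SPT=80 DPT=40001 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Mar  4 22:10:01 fw kernel: IN=eth0 OUT= SRC=10.1.1.20 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
Mar  4 22:10:02 fw kernel: IN=eth0 OUT= SRC=10.1.1.20 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 ACK FIN URGP=0
Mar  4 22:11:15 fw kernel: IN=eth1 OUT= SRC=192.0.2.9 DST=10.1.1.31 PROTO=TCP SPT=8999 DPT=31337 WINDOW=0 RES=0x00 ACK FIN URGP=0
Mar  4 22:11:15 fw kernel: IN=eth0 OUT= SRC=10.1.1.31 DST=192.0.2.9 PROTO=TCP SPT=31337 DPT=8999 WINDOW=0 RES=0x00 ACK RST URGP=0
Mar  4 22:11:16 fw kernel: IN=eth1 OUT= SRC=192.0.2.9 DST=10.1.1.44 PROTO=TCP SPT=8999 DPT=52210 WINDOW=0 RES=0x00 ACK FIN URGP=0
Mar  4 22:11:16 fw kernel: IN=eth0 OUT= SRC=10.1.1.44 DST=192.0.2.9 PROTO=TCP SPT=52210 DPT=8999 WINDOW=0 RES=0x00 ACK RST URGP=0
"""

# TCP flag tokens as netfilter prints them (bare words, not KEY=VALUE).
FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return (src, sport, dst, dport, flags) for a TCP LOG line, else None."""
    fields = dict(KV_RE.findall(line))
    if fields.get("PROTO") != "TCP":
        return None
    flags = {tok for tok in line.split() if tok in FLAGS}
    return (fields["SRC"], int(fields["SPT"]),
            fields["DST"], int(fields["DPT"]), flags)


def find_stray_fin_acks(log_text):
    """Map each 4-tuple (src, sport, dst, dport) that carried a FIN/ACK
    without any preceding SYN in the log to the reply observed for it:
    "RST" if the target answered with a reset, else "no reply seen"."""
    opened = set()   # flows (both directions) for which a SYN was logged
    strays = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, sport, dst, dport, flags = parsed
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if "SYN" in flags:
            # SYN or SYN/ACK: remember the flow in both directions.
            opened.add(fwd)
            opened.add(rev)
            continue
        if "FIN" in flags and "ACK" in flags and fwd not in opened:
            strays[fwd] = "no reply seen"
        elif "RST" in flags and rev in strays:
            # The probed host reset the stray segment (closed port).
            strays[rev] = "RST"
    return strays


def summarize(strays):
    """Group stray FIN/ACKs by source address: source ports used, number of
    distinct (target, port) pairs hit, and how many drew a RST."""
    per_src = defaultdict(lambda: {"source_ports": set(), "targets": set(),
                                   "rst_replies": 0})
    for (src, sport, dst, dport), reply in strays.items():
        entry = per_src[src]
        entry["source_ports"].add(sport)
        entry["targets"].add((dst, dport))
        if reply == "RST":
            entry["rst_replies"] += 1
    return {src: {"source_ports": e["source_ports"],
                  "targets": len(e["targets"]),
                  "rst_replies": e["rst_replies"]}
            for src, e in per_src.items()}


if __name__ == "__main__":
    for src, info in summarize(find_stray_fin_acks(SAMPLE_LOG)).items():
        print(f"{src}: FIN/ACK from port(s) {sorted(info['source_ports'])} "
              f"to {info['targets']} port(s) never opened, "
              f"{info['rst_replies']} answered with RST")
```

Two caveats when running this over a real log: the SYN of a legitimate flow must itself have been logged, otherwise its later FIN/ACK is reported as stray (a ruleset that only logs drops will not record the SYN, so log accepted NEW connections too while investigating), and the logged flow table is never expired, which is fine for a few hours of logs but not for a long-running feed. A stateful iptables ruleset makes the same distinction at enforcement time; the standard rule `-p tcp ! --syn -m state --state NEW -j DROP` discards exactly these non-SYN segments that belong to no tracked connection, so the RST replies seen here would stop once such a rule is in place.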

