[Dshield] Random source port from my network to port 80 on target network

John Sage jsage at finchhaven.com
Thu Oct 30 18:51:48 GMT 2003


Louis:

On Thu, Oct 30, 2003 at 10:21:48AM -0500, Louis Hablas wrote:
> Exhibit A: 
> 
> 2003-10-23   20:49:13   external ip   65186   207.046.197.059   80   6     
> 2003-10-23   20:49:48   external ip   65243   207.046.197.059   80   6
> 
> Hello:
> 
> I've noticed a few Dshield entries like these lately and am trying to
> understand what I'm seeing.  In this case, the destination IP address is
> Microsoft, so I feel certain the entry relates to Automatic Updates or some
> other report back to the Mother Ship, but I'd appreciate any more
> insight/feedback from the list.

A TCP conversation between your local machine and a remote one (here,
something within the Microsoft address space) will likely take
place on a port > 1024 on your end.

Granted, here the source ports of 65186 and 65243 are rather toward
the high limit of 65353 (or is it 65535?) but in and of itself that's
not necessarily troubling.



- John
-- 
"Most people don't type their own logfiles;  but, what do I care?"
-
John Sage: InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.



