[Dshield] From,80 ??

Frank Knobbe frank at knobbe.us
Mon Jan 19 17:42:58 GMT 2004

On Sun, 2004-01-18 at 21:29, Jonathan C. Webster wrote:
> Hello,
> In my last two firewall log files (spanning 16 hours of today) out of 256 entries 101 are from
>,80.  These are all to my ports from 1015 to 1986.  They only hit the same port twice a few 
> times and NEVER more than twice.
> What does that mean?

The best summary of an explanation I have seen is attached below (From
Dan of the Incidents list).



-----Forwarded Message----- 
From: Dan Hanson <dhanson at securityfocus.com>
To: incidents at securityfocus.com
Subject: Administrivia: Are you seeing portscans from source port 80?
Date: Tue, 28 Oct 2003 08:59:56 -0700

I am posting this in the hopes of dulling the 5-6 messages I get every day
that are reporting port scans to their network all of which have a source
IP of and source port 80.

It is likely Blaster (check your favourite AV site for a writeup, I won't
summarize here).

The reason that people are seeing this has to do with some very bad advice
that was given early in the blaster outbreak. The advice basically was
that to protect the Internet from the DoS attack that was to hit
windowsupdate.com, all DNS servers should return for queries to
windowsupdate.com. Essentially these suggestions were suggesting that
hosts should commit suicide to protect the Internet.

The problem is that the DoS routine spoofs the source address, so when
windowsupdate.com resolves to the following happens.

Infected host picks address as source address and sends Syn packet to port 80. (Sends it to itself) (This never makes it on the wire,
you will not see this part)

TCP/IP stack receives packet, responds with reset (if there is nothing
listening on that port), sending the reset to the host with the spoofed
source address (this is what people are seeing and mistaking for

Result: It looks like a host is port scanning ephemeral ports using
packets with source address:port of

Solution: track back the packets by MAC address to find the infected
machine. Turn off NS resolution of windowsupdate.com to

Hope that helps
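As an added illustration (not part of the original thread), here is a small Python script that applies the description above to constructed firewall log lines: it picks out RST packets from source port 80, counts how many distinct ephemeral destination ports each (MAC, source address) pair hits and how often each port is hit, and reports the MAC so the packets can be traced back to the infected machine as Dan suggests. The simplified iptables-style log format, the MAC and IP addresses, the use of the loopback address as the spoofed source, the 1000-5000 "ephemeral" range and the five-port threshold are all assumptions made for this example.

```python
"""Flag the 'port scan from source port 80' RST pattern in firewall logs.

Added example; the log lines, addresses, thresholds and format are constructed
for illustration and are not from the original thread.
"""
import re
from collections import defaultdict

# Constructed sample lines in a simplified iptables-style key=value format.
# Assumption: MAC= holds the source MAC of the frame (real iptables output also
# carries the destination MAC and ethertype in that field).
SAMPLE_LOG = """\
Jan 18 13:02:11 fw kernel: IN=eth0 MAC=00:0c:29:aa:bb:cc SRC=127.0.0.1 DST=192.168.1.20 PROTO=TCP SPT=80 DPT=1015 RST
Jan 18 13:02:11 fw kernel: IN=eth0 MAC=00:0c:29:aa:bb:cc SRC=127.0.0.1 DST=192.168.1.20 PROTO=TCP SPT=80 DPT=1016 RST
Jan 18 13:02:12 fw kernel: IN=eth0 MAC=00:0c:29:aa:bb:cc SRC=127.0.0.1 DST=192.168.1.20 PROTO=TCP SPT=80 DPT=1016 RST
Jan 18 13:02:12 fw kernel: IN=eth0 MAC=00:0c:29:aa:bb:cc SRC=127.0.0.1 DST=192.168.1.20 PROTO=TCP SPT=80 DPT=1102 RST
Jan 18 13:02:13 fw kernel: IN=eth0 MAC=00:0c:29:aa:bb:cc SRC=127.0.0.1 DST=192.168.1.20 PROTO=TCP SPT=80 DPT=1450 RST
Jan 18 13:02:14 fw kernel: IN=eth0 MAC=00:0c:29:aa:bb:cc SRC=127.0.0.1 DST=192.168.1.20 PROTO=TCP SPT=80 DPT=1986 RST
Jan 18 13:03:01 fw kernel: IN=eth0 MAC=00:50:56:11:22:33 SRC=203.0.113.10 DST=192.168.1.20 PROTO=TCP SPT=80 DPT=1030 ACK
Jan 18 13:03:01 fw kernel: IN=eth0 MAC=00:50:56:11:22:33 SRC=203.0.113.10 DST=192.168.1.20 PROTO=TCP SPT=80 DPT=1030 ACK
Jan 18 13:03:02 fw kernel: IN=eth0 MAC=00:50:56:11:22:33 SRC=203.0.113.10 DST=192.168.1.20 PROTO=TCP SPT=80 DPT=1030 ACK
"""

LINE_RE = re.compile(
    r"MAC=(?P<mac>[0-9a-f:]{17}) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)(?P<flags>(?: [A-Z]+)*)"
)

EPHEMERAL = range(1000, 5001)   # assumed client port range; the post shows 1015-1986
MIN_DISTINCT_PORTS = 5          # assumed threshold for "scan-like" fan-out
MAX_HITS_PER_PORT = 2           # the post notes no port is hit more than twice


def parse(log_text):
    """Yield one dict per TCP line the regex understands; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            pkt = m.groupdict()
            pkt["spt"] = int(pkt["spt"])
            pkt["dpt"] = int(pkt["dpt"])
            pkt["flags"] = set(pkt["flags"].split())
            yield pkt


def find_reset_fanout(log_text):
    """Group RST packets from source port 80 by (MAC, SRC) and flag scan-like fan-out.

    A pair is flagged when it resets at least MIN_DISTINCT_PORTS distinct ephemeral
    ports and never hits the same port more than MAX_HITS_PER_PORT times, which is
    the shape of the stack-generated resets described in the thread rather than a
    real web server answering one client port repeatedly.
    Returns a list of dicts with the MAC (for tracing the infected host), the
    source address and the sorted destination ports seen.
    """
    hits = defaultdict(lambda: defaultdict(int))   # (mac, src) -> dport -> count
    for pkt in parse(log_text):
        if pkt["spt"] == 80 and "RST" in pkt["flags"] and pkt["dpt"] in EPHEMERAL:
            hits[(pkt["mac"], pkt["src"])][pkt["dpt"]] += 1

    findings = []
    for (mac, src), ports in hits.items():
        if len(ports) >= MIN_DISTINCT_PORTS and max(ports.values()) <= MAX_HITS_PER_PORT:
            findings.append({"mac": mac, "src": src, "ports": sorted(ports)})
    return findings


if __name__ == "__main__":
    for f in find_reset_fanout(SAMPLE_LOG):
        print(f"suspect MAC {f['mac']}: RSTs from {f['src']}:80 to "
              f"{len(f['ports'])} ephemeral ports {f['ports']}")
```

Run it against the constructed log and only the loopback-sourced RST burst is reported, keyed by its MAC; the genuine web server replying three times to the same client port with ACKs is not, because it neither sends RSTs nor fans out across ports. Against real logs, widen the regex to your firewall's format and tune the two thresholds to your traffic.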


