Hosting Provided By

Re: Logs: Many hits with source port of 80

From: <Valdis.Kletnieks(at)vt.edu>
Date: Mon Dec 16 2002 - 11:01:45 EST

On Fri, 13 Dec 2002 10:05:56 GMT, Byrne Ghavalas <security@nscs.uk.com> said:
> Has anyone else noticed a high number of hits in their security logs,

The analysis differs considerably depending on whether these were SYN packets, or SYN+ACK. If they're SYN packets *from* 80, that's odd in one way - however a SYN+ACK would probably indicate either backscatter from a DDoS where somebody used your IP as a forged source address, or that you were having a nice burn of some worm on your internal net, and they were all trying to phone home..

-- 
				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech

application/pgp-signature attachment: stored

Received on Mon Dec 16 12:51:27 2002

This message: [ Message body ]
Next message: Johnny Walker: "Win2k Audit Logs - What happened here?"
In reply to Byrne Ghavalas: "Logs: Many hits with source port of 80"
Next in thread: Maxime Ducharme: "Re: Many hits with source port of 80"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:54 EDT