Hosting Provided By

Re: Logs: Many hits with source port of 80

From: Russell Fulton <r.fulton(at)auckland.ac.nz>
Date: Sun Dec 15 2002 - 21:13:53 EST

On Fri, 2002-12-13 at 23:05, Byrne Ghavalas wrote:
> Hi All,

I've seen this sort of thing for years and have tracked it back to content switches and load balancers the don't quite work some of the time. The sort of thing that happens is that the switch and the back end web server get out of synch some how and you get odd RST or ACK packets being sent back to the client up to 5 minutes after the actual session has finished.

If you were running Argus <www.qosient.com> and thus had a complete audit trail off your traffic then you would be able to see the original out bound sessions to 194.78.225.36:80 and then the belated ACK, FIN or RST coming in with the same port numbers

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It aint necessarily so"  - Gershwin


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Received on Mon Dec 16 13:00:59 2002

This message: [ Message body ]
Next message: Byrne Ghavalas: "Re: Logs: Many hits with source port of 80"
In reply to: Byrne Ghavalas: "Logs: Many hits with source port of 80"
In reply to James C Slora Jr: "RE: Logs: Many hits with source port of 80"
Next in thread: Joe Stewart: "Re: Logs: Many hits with source port of 80"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:54 EDT