Re: Logs: Many hits with source port of 80
From: Byrne Ghavalas <security(at)nscs.uk.com>
Date: Mon Dec 16 2002 - 09:21:14 EST

Hi,

I had checked my logs to see if there were any matching web sessions, as usually these packets are a result of late packets arriving out of sequence, which are then dropped by the firewall as they don't match any current sessions. However, I couldn't find any outgoing sessions (web or other) to any of the IP addresses in my logs.

The other strange thing was the timing of the packets - the packets arrived at the same interval, with the last 5 packets being one minute apart (give or take a few ms for latency).

Reverse lookups are generally not configured on the IP addresses in the logs, and for those that do have PTR records, the host is usually a cable / DSL user at an ISP.

There does seem to be something listening on the sample IP from my logs, at port 80, but it returns a 404 - 'The requested URL, "http://194.78.225.36:8808/", is not available.'

I have captured some of the packets for analysis - they seem to be standard TCP packets with no data - just FIN and ACK flags set.

I'm guessing it must be some kind of scan attempting to go through badly configured ACLs / non-stateful firewalls... Maybe NMAP? Not sure about that though...

I'll be unable to get my mail for the next 2 weeks - so if anyone wishes to investigate this further (which I doubt - coz the packets seem rather dull <grin>) just drop me a message off-list and I'll pick up the conversation when I next access my mail.

Kind regards,
Byrne Ghavalas
> I have seen similar hits for the past three months.
> This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Mon Dec 16 13:04:19 2002
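The triage Byrne describes (look for inbound source-port-80 packets that carry only FIN and ACK, check whether any outbound session explains them, then look at their timing) can be scripted against a firewall log. The block below is an added example written for this archive page, not code from the original poster; it uses a constructed, simplified log format and constructed sample lines (the addresses are documentation ranges), not the output of any real firewall product. The one-minute spacing in the sample mirrors the interval described in the post.

```python
"""Flag inbound TCP packets from source port 80 that carry only FIN+ACK and
match no outbound session seen in the log, then report sources whose packets
arrive at a fixed interval (a regular cadence points at a scanner rather than
at late segments from a real session).

Log format (constructed for this example, not any real product's):
    <epoch> <IN|OUT> <proto> <src>:<sport> -> <dst>:<dport> flags=<FSRPAU letters>
"""
from collections import defaultdict

# Constructed sample: one real outbound web session to 192.0.2.10 whose late
# FIN/ACK is legitimate, five FIN/ACK probes from 198.51.100.7 exactly 60 s
# apart with no matching session, and a lone orphan from 203.0.113.9.
SAMPLE_LOG = """\
1040040000 OUT TCP 10.0.0.5:3321 -> 192.0.2.10:80 flags=S
1040040000 IN  TCP 192.0.2.10:80 -> 10.0.0.5:3321 flags=SA
1040040001 OUT TCP 10.0.0.5:3321 -> 192.0.2.10:80 flags=A
1040040030 IN  TCP 192.0.2.10:80 -> 10.0.0.5:3321 flags=FA
1040040060 IN  TCP 198.51.100.7:80 -> 10.0.0.5:1025 flags=FA
1040040120 IN  TCP 198.51.100.7:80 -> 10.0.0.5:1026 flags=FA
1040040180 IN  TCP 198.51.100.7:80 -> 10.0.0.5:1027 flags=FA
1040040240 IN  TCP 198.51.100.7:80 -> 10.0.0.5:1028 flags=FA
1040040300 IN  TCP 198.51.100.7:80 -> 10.0.0.5:1029 flags=FA
1040040305 IN  TCP 203.0.113.9:80 -> 10.0.0.5:4411 flags=FA
"""


def parse_line(line):
    """Split one log line into its fields; flags become a set of letters."""
    ts, direction, proto, src, _arrow, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {
        "ts": int(ts), "dir": direction, "proto": proto,
        "sip": sip, "sport": int(sport), "dip": dip, "dport": int(dport),
        "flags": set(flags.split("=", 1)[1]),
    }


def find_orphan_fin_acks(log_text, sport=80):
    """Return inbound packets from `sport` with exactly FIN+ACK set that no
    earlier outbound packet in the log can account for (4-tuple match)."""
    sessions = set()   # (local ip, local port, remote ip, remote port)
    orphans = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        p = parse_line(line)
        if p["proto"] != "TCP":
            continue
        if p["dir"] == "OUT":
            sessions.add((p["sip"], p["sport"], p["dip"], p["dport"]))
            continue
        if p["sport"] != sport or p["flags"] != {"F", "A"}:
            continue
        if (p["dip"], p["dport"], p["sip"], p["sport"]) in sessions:
            continue   # late FIN for a session we really opened: benign
        orphans.append(p)
    return orphans


def periodic_sources(orphans, tolerance=2, min_packets=3):
    """Map source IP -> mean inter-arrival gap (seconds) for sources whose
    orphan packets arrive at a near-constant interval."""
    by_src = defaultdict(list)
    for p in orphans:
        by_src[p["sip"]].append(p["ts"])
    result = {}
    for sip, stamps in by_src.items():
        if len(stamps) < min_packets:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= tolerance:
            result[sip] = sum(gaps) / len(gaps)
    return result


if __name__ == "__main__":
    orphans = find_orphan_fin_acks(SAMPLE_LOG)
    for p in orphans:
        print(f"{p['ts']} orphan FIN/ACK from {p['sip']}:{p['sport']} -> {p['dip']}:{p['dport']}")
    for sip, gap in periodic_sources(orphans).items():
        print(f"{sip}: {len([o for o in orphans if o['sip'] == sip])} packets, ~{gap:.0f}s apart")
```

Matching on the full 4-tuple is what separates the two cases in the post: a stray FIN/ACK for a port the host really connected to is ordinary out-of-order traffic, while FIN/ACKs to ports never used outbound, from one source, on a metronome-like schedule, are worth pulling a capture on. A stateful firewall drops both kinds without further ado; the check is for reading the logs afterwards.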