Hosting Provided By

Re: Logs: Many hits with source port of 80

From: Kevin Bowman <kevin.bowman(at)garmin.com>
Date: Mon Dec 16 2002 - 13:54:03 EST

The hits from source port 80 to dest port 37852 are IMHO almost certainly from a RadWare Linkproof device. These load balancers play DNS games to load balance across multiple WAN connections without the need for BGP4. The probes you see are from the LinkProof's "proximity balancing" feature, which sends a few packets to the other end of the connection to try to determine which WAN link provides lowest cost, allowing subsequent traffic to move along that path.

If I'm correct, you should probably see a couple other packets - perhaps an ICMP echo and a port 53 hit with source of port 53. I have also seen destinations of 47804 and 60750. The proximity feature will fire these packets if either you send the load balancer a packet, or someone behind their load balancer pays you a visit - you might look for inbound packets from their networks as well as outbound to them.

http://www.radware.com/content/products/link.asp

Hope this helps.
Kevin

Byrne Ghavalas wrote:
> Hi,
>
> Thanks for the suggestion. Russell F. also mentioned that he'd had seen

>>I have seen similar hits for the past three months.
>>
>>Mine are UDP. Are you sure yours are TCP? All mine had destination

>
> port
>

>>37852. All hits have been from the same two hosts, and are fairly
>>infrequent.
>>
>>2002-12-11 14:56:03 63.211.17.228 myhost Udp 80 37852
>>2002-12-11 14:56:06 64.152.70.68 myhost Udp 80 37852
>>2002-12-11 14:56:08 63.211.17.228 myhost Udp 80 37852
>>2002-12-11 14:56:11 64.152.70.68 myhost Udp 80 37852
>>2002-12-11 15:04:20 64.152.70.68 myhost Udp 80 37852
>>2002-12-11 15:04:25 64.152.70.68 myhost Udp 80 37852
>>
>>The reverse DNS for 64.152.70.68 is proximitycheck2.allmusic.com, but
>>proximitycheck2.allmusic.com doesn't resolve to anything.
>>The reverse DNS for 63.211.17.228 is proximitycheck1.allmusic.com, but
>>proximitycheck1.allmusic.com doesn't resolve to anything.
>>
>>These always appear after a user visits www.allmusic.com and I believe

>
> the
>

>>packets are benign but annoying load balancing probes. Your probes may
>>possibly have similar origins - try correlating the probes with web

>
> logs if
>

>>you have them.
>>
>>-----Original Message-----
>>From: Byrne Ghavalas [mailto:security@nscs.uk.com]
>>Sent: Friday, December 13, 2002 5:06 AM
>>To: incidents@securityfocus.com
>>Subject: Logs: Many hits with source port of 80
>>
>>
>>Hi All,
>>
>>Has anyone else noticed a high number of hits in their security logs,
>>where the source port is set to tcp 80 and the destination port is

>
> some
>

>>high tcp port? I have noticed that these events seem to be getting

>
> more
>

>>numerous than the NetBios scans ;-)
>>
>>For example:
>>2002-12-13 09:08:04 194.78.225.36:80 XX.XX.XX.XX:29439
>>2002-12-13 09:07:04 194.78.225.36:80 XX.XX.XX.XX:29439
>>2002-12-13 09:06:05 194.78.225.36:80 XX.XX.XX.XX:29439
>>2002-12-13 09:05:04 194.78.225.36:80 XX.XX.XX.XX:29439
Do you need help? 
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related securityfocus.com Links
bugtraq
certification
focus-bsd
focus-ids
focus-ih
focus-linux
focus-ms
focus-sun
focus-unix-other
focus-virus
forensics
incidents
libnet
linux-secnews
ms-secnews
pen-test
secpapers
secprog
sectools
secureshell
security-basics
securityjobs
sf-news
vuln-dev
webappsec
Request more information about Pantek
>>2002-12-13 09:04:04 194.78.225.36:80 XX.XX.XX.XX:29439
>>2002-12-13 09:03:05 194.78.225.36:80 XX.XX.XX.XX:29439
>>2002-12-13 09:02:04 194.78.225.36:80 XX.XX.XX.XX:29439
>>2002-12-13 09:01:28 194.78.225.36:80 XX.XX.XX.XX:29439
>>2002-12-13 09:01:10 194.78.225.36:80 XX.XX.XX.XX:29439
>>2002-12-13 09:01:01 194.78.225.36:80 XX.XX.XX.XX:29439
>>2002-12-13 09:00:57 194.78.225.36:80 XX.XX.XX.XX:29439
>>2002-12-13 09:00:55 194.78.225.36:80 XX.XX.XX.XX:29439
>>2002-12-13 09:00:54 194.78.225.36:80 XX.XX.XX.XX:29439
>>2002-12-13 09:00:54 194.78.225.36:80 XX.XX.XX.XX:29439
>>
>>It appears to be some kind of automated scan as the time of each entry
>>appears to follow a pattern.
>>
>>Byrne Ghavalas
>>
>>
>>
>>----------------------------------------------------------------------

>
> ------
>

>>This list is provided by the SecurityFocus ARIS analyzer service.
>>For more information on this free incident handling, management
>>and tracking system please see: 
http://aris.securityfocus.com
>>
>>
>>

>
>
>
>
> ----------------------------------------------------------------------------

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Mon Dec 16 14:15:49 2002

This message: [ Message body ]
Next message: Damian Gerow: "Re: Rooted, .haos on system"
Previous message: Damian Gerow: "Re: Rooted, .haos on system"
In reply to Byrne Ghavalas: "Re: Logs: Many hits with source port of 80"
Next in thread: James C Slora Jr: "RE: Logs: Many hits with source port of 80"
Reply: James C Slora Jr: "RE: Logs: Many hits with source port of 80"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:54 EDT