On Thu, Jun 05, 2003 at 08:29:10PM +0100, Hamish Marson wrote:
> I've noticed some strange traffic on our firewalls recently. Someone (Or
> multiple someones) are attempting to send tcp packets inbound to our
> network FROM well known ports (e.g. port 80) to multiple port numbers,
> and usually multiple addresses as well. Sometimes they are randomised,
> (Port and/or target IP address), sometimes they are sequential, or only
> one host etc. I'm seeing these from multiple IP addresses so it appears
> to be quite distributed.

Are you sure that you are not just looking at the packages being
answered? For example when a user sends an HTTP request then one
connection will be something like:

    10.0.0.1:12491 -> 192.168.54.19:80

...and the reply then would be...

    192.168.54.19:80 -> 10.0.0.1:12491

So most probably you see just the second. That's the way TCP works.

Sequential port numbers may show up because the counter of used
high-ports (1024 ff.) is just increased.

Christoph

-- 
~
~
".signature" [Modified] 3 lines --100%--                3,41         All
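
Added example, not part of the original thread: one way to check the explanation above against a packet log is to match each inbound packet to the mirrored 4-tuple of an earlier outbound one. The `Pkt` record, the 10.0.0.0/8 internal range, the 60-second state timeout and the sample packets are assumptions made for this sketch.

```python
import ipaddress
from collections import namedtuple

# One observed packet: time in seconds, source and destination endpoint.
Pkt = namedtuple("Pkt", "ts src sport dst dport")

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: the protected network
STATE_TIMEOUT = 60  # assumption: seconds the firewall keeps an idle flow entry


def classify(packets, timeout=STATE_TIMEOUT):
    """Label every inbound packet 'reply', 'late-reply' or 'unsolicited'."""
    flows = {}  # (client, client_port, server, server_port) -> last time seen
    labels = []
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        if ipaddress.ip_address(p.src) in INTERNAL_NET:
            # Outbound packet: create or refresh the flow entry.
            flows[(p.src, p.sport, p.dst, p.dport)] = p.ts
            continue
        # Inbound packet: look for the mirrored 4-tuple of an outbound flow.
        key = (p.dst, p.dport, p.src, p.sport)
        last = flows.get(key)
        if last is None:
            label = "unsolicited"   # nobody inside ever opened this flow
        elif p.ts - last <= timeout:
            label = "reply"
            flows[key] = p.ts
        else:
            label = "late-reply"    # flow existed, but the state had expired
        labels.append((p, label))
    return labels


# Constructed sample; the first flow uses the addresses from the message above.
SAMPLE = [
    Pkt(0, "10.0.0.1", 12491, "192.168.54.19", 80),
    Pkt(1, "192.168.54.19", 80, "10.0.0.1", 12491),
    Pkt(2, "10.0.0.1", 12491, "192.168.54.19", 80),
    Pkt(200, "192.168.54.19", 80, "10.0.0.1", 12491),
    Pkt(201, "192.168.54.19", 80, "10.0.0.7", 3306),
    Pkt(202, "192.168.54.19", 80, "10.0.0.8", 3307),
]

if __name__ == "__main__":
    for pkt, label in classify(SAMPLE):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {label}")
```

Packets labelled `late-reply` are answers to real connections that arrived after the state entry timed out; only the `unsolicited` ones have no outbound counterpart at all.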