Scanning with reverse connections?

To: debian-security@lists.debian.org
Subject: Scanning with reverse connections?
From: Hamish Marson <hamish@travellingkiwi.com>
Date: Thu, 05 Jun 2003 20:29:10 +0100
Message-id: <[🔎] 3EDF9A06.10705@travellingkiwi.com>

I've noticed some strange traffic on our firewalls recently. Someone (Ormultiple someones) are attempting to send tcp packets inbound to ournetwork FROM well known ports (e.g. port 80) to multiple port numbers,and usually multiple addresses as well. Sometimes they are randomised,(Port and/or target IP address), sometime sthey are sequential, or onlyone host etc. I'm seeing these from multiple IP addresses so it appearsto be quite distributed.

Is this a well known method? I've been searching and haven't foundanything. I know it's not legitimate traffic because the hosts beingscanning for don't actually have the ability to open these connectionsoutbound, so they're not an expired connection in the firewall beingcaught...


TIA

Hamish.


--

I don't suffer from Insanity... 	| Linux User #16396
	I enjoy every minute of it...	|
					|
http://www.travellingkiwi.com/		|

Reply to:

Follow-Ups:
- Re: Scanning with reverse connections?
  - From: Christoph Haas <email@christoph-haas.de>
- Re: Scanning with reverse connections?
  - From: Blars Blarson <blarson@blars.org>
- Re: Scanning with reverse connections?
  - From: Florian Weimer <fw@deneb.enyo.de>

Prev by Date: Re: Keeping files away from users
Next by Date: Re: Scanning with reverse connections?
Previous by thread: urgent request please
Next by thread: Re: Scanning with reverse connections?
Index(es):
- Date
- Thread