
Re: Scanning with reverse connections?



On Thu, Jun 05, 2003 at 08:29:10PM +0100, Hamish Marson wrote:
> I've noticed some strange traffic on our firewalls recently. Someone (Or 
> multiple someones) are attempting to send tcp packets inbound to our 
> network FROM well known ports (e.g. port 80) to multiple port numbers, 
> and usually multiple addresses as well. Sometimes they are randomised, 
> (Port and/or target IP address), sometimes they are sequential, or only 
> one host etc. I'm seeing these from multiple IP addresses so it appears 
> to be quite distributed.

Are you sure that you are not just looking at the packages being
answered? For example when a user sends an HTTP request then one
connection will be something like:

10.0.0.1:12491     ->   192.168.54.19:80

...and the reply then would be...

192.168.54.19:80   ->   10.0.0.1:12491

So most probably you see just the second. That's the way TCP works.
Sequential port numbers may show up because the counter of used
high-ports (1024 ff.) is just increased.

 Christoph

-- 
~
~
".signature" [Modified] 3 lines --100%--                3,41         All
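
Added example, not part of the message above: one way to test the explanation in the reply against firewall logs is to match every inbound packet to an earlier outbound connection with the reversed address/port tuple. The record layout, the 300-second idle timeout, the function names and the sample records (including the 203.0.113.7 source) are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records:
# (time_s, direction, src_ip, src_port, dst_ip, dst_port)
SAMPLE = [
    (0.0, "out", "10.0.0.1", 12491, "192.168.54.19", 80),
    (0.1, "in", "192.168.54.19", 80, "10.0.0.1", 12491),
    (1.0, "out", "10.0.0.1", 12492, "192.168.54.19", 80),
    (1.2, "in", "192.168.54.19", 80, "10.0.0.1", 12492),
    (5.0, "in", "203.0.113.7", 80, "10.0.0.1", 3301),
    (5.1, "in", "203.0.113.7", 80, "10.0.0.2", 3302),
    (5.2, "in", "203.0.113.7", 80, "10.0.0.3", 3303),
    (400.0, "in", "192.168.54.19", 80, "10.0.0.1", 12491),
]

FLOW_TIMEOUT = 300.0  # assumed idle timeout in seconds


def classify(records, timeout=FLOW_TIMEOUT):
    """Label each inbound packet 'reply' or 'unsolicited'."""
    # (inside_ip, inside_port, outside_ip, outside_port) -> last activity time
    last_seen = {}
    results = []
    for t, direction, sip, sport, dip, dport in sorted(records):
        if direction == "out":
            last_seen[(sip, sport, dip, dport)] = t
            continue
        key = (dip, dport, sip, sport)  # inbound tuple reversed
        seen = last_seen.get(key)
        if seen is not None and t - seen <= timeout:
            last_seen[key] = t  # a reply keeps the flow alive
            label = "reply"
        else:
            label = "unsolicited"  # no matching outbound flow, or it expired
        results.append((t, sip, sport, dip, dport, label))
    return results


def unsolicited_summary(results):
    """Per outside source: count of distinct inside ip:port targets."""
    targets = defaultdict(set)
    for _, sip, sport, dip, dport, label in results:
        if label == "unsolicited":
            targets[(sip, sport)].add((dip, dport))
    return {src: len(dsts) for src, dsts in targets.items()}


if __name__ == "__main__":
    print(unsolicited_summary(classify(SAMPLE)))
```

Sources left in the summary sent packets from a well-known port without any matching outbound connection in the log window, so they are not explained by ordinary reply traffic.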


