Re: Scanning with reverse connections?
On Thu, Jun 05, 2003 at 08:29:10PM +0100, Hamish Marson wrote:
> I've noticed some strange traffic on our firewalls recently. Someone (Or
> multiple someones) are attempting to send tcp packets inbound to our
> network FROM well known ports (e.g. port 80) to multiple port numbers,
> and usually multiple addresses as well. Sometimes they are randomised,
> (Port and/or target IP address), sometime sthey are sequential, or only
> one host etc. I'm seeing these from multiple IP addresses so it appears
> to be quite distributed.
Are you sure that you are not just looking at the packages being
answered? For example when a user sends an HTTP request then one
connection will be someting like:
10.0.0.1:12491 -> 192.168.54.19:80
...and the reply then would be...
192.168.54.19:80 -> 10.0.0.1:12491
So most probably you see just the second. That's the way TCP works.
Sequential port numbers may show up because the counter of used
high-ports (1024 ff.) is just increased.
Christoph
--
~
~
".signature" [Modified] 3 lines --100%-- 3,41 All
Reply to: