Are you running a sniffer, or using some other method to examine the packets
themselves?
I would check the variations in source IP with the TTL value. All those
different sources are very unlikely to be the exact same number of hops
away.
-----Original Message-----
From: Bill Fox [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 07, 1999 9:29 PM
To: Firewalls mailing list; Jeff Younker
Subject: Re: Squid probes ?
From my vantage point at least, it appears to be *true* probing, since the
source IP varies significantly. I see 'hits' literally from around the
globe, and they're more prevalent at night/weekends. They also *originate*
(spoofs, compromises very possible/probable..) from universities, small
ISPs, even government organizations. Thus it would seem highly unlikely
that it's caused by commercial entities. And 'conferencing' with such
locations as Pakistan, Iran, China, etc. isn't a distinct possibility at my
location, at least. Anything's possible, though :).
--Bill
----- Original Message -----
From: Jeff Younker <[EMAIL PROTECTED]>
To: 'Joshua Chamas' <[EMAIL PROTECTED]>; Bill Fox <[EMAIL PROTECTED]>
Cc: Firewalls mailing list <[EMAIL PROTECTED]>
Sent: Thursday, October 07, 1999 2:35 PM
Subject: RE: Squid probes ?
Are you sure it's abuse and not some web conference application, or some web
page generated (such as a stock reporting page) that's trying to tunnel
information via HTTP? Is it associated with an outbound HTTP connection
from one of your users?
- Jeff Younker - [EMAIL PROTECTED] - These are my opinions, not MDL's -
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
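
The TTL check suggested in the top reply, sketched as an added example that is not part of the original thread: it groups probe records by source IP and flags the case where many distinct sources arrive with the same received TTL. The `src=/dport=/ttl=` record format, the sample addresses, port 3128 (Squid's default listening port) and the thresholds are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample records (not from the thread): source IP, destination port, received TTL.
UNIFORM = """\
src=192.0.2.10 dport=3128 ttl=52
src=198.51.100.7 dport=3128 ttl=52
src=203.0.113.99 dport=3128 ttl=52
src=192.0.2.200 dport=3128 ttl=52
src=198.51.100.31 dport=3128 ttl=52
src=203.0.113.4 dport=3128 ttl=51
"""
VARIED = """\
src=192.0.2.10 dport=3128 ttl=49
src=198.51.100.7 dport=3128 ttl=113
src=203.0.113.99 dport=3128 ttl=240
src=192.0.2.200 dport=3128 ttl=52
src=198.51.100.31 dport=3128 ttl=118
src=203.0.113.4 dport=3128 ttl=44
"""
LINE_RE = re.compile(r"src=(\S+)\s+dport=(\d+)\s+ttl=(\d+)")
INITIAL_TTLS = (32, 64, 128, 255)  # common default starting TTLs

def est_hops(ttl):
    """Hops travelled, assuming the sender started at the next common initial TTL."""
    return next((init - ttl for init in INITIAL_TTLS if ttl <= init), None)

def ttl_report(log, dport=3128, min_sources=5, threshold=0.8):
    """Compare received TTLs across distinct sources hitting dport."""
    first_ttl = {}
    for m in LINE_RE.finditer(log):
        src, port, ttl = m.group(1), int(m.group(2)), int(m.group(3))
        if port == dport and 0 < ttl <= 255:
            first_ttl.setdefault(src, ttl)  # one vote per source IP
    if not first_ttl:
        return {"sources": 0, "suspicious": False}
    ttl, n = Counter(first_ttl.values()).most_common(1)[0]
    share = n / len(first_ttl)
    return {
        "sources": len(first_ttl),
        "dominant_ttl": ttl,
        "dominant_share": round(share, 2),
        "est_hops": est_hops(ttl),
        # Many unrelated networks at an identical hop distance is improbable.
        "suspicious": len(first_ttl) >= min_sources and share >= threshold,
    }

if __name__ == "__main__":
    print(ttl_report(UNIFORM))
    print(ttl_report(VARIED))
```

A sender can choose its starting TTL, so a uniform TTL is a hint that the source addresses are forged rather than proof, and a varied TTL does not rule out compromised hosts.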