Initial thoughts:
What are the packet flags of the incoming packets? Assuming that all the
incoming packets have the ACK flag set, this could be an attempt to bypass
packet filtering. Often times sites will block incoming connections to most
ports, unless the ACK flag on the packet is set (supposedly meaning that the
packet is part of an established connection). So if your rules allowed
packets with the ACK bit set this would allow these packets to get past your
firewall. The fact that the scans are looking for ports over 1024 probably
means that the scanner has no interest in common services but is looking for
a specific server or set of servers. The two most common servers that live
above 1023 (read: non-privileged ports) are X and RPC. A lot of firewall
rules leave ports above 1024 open, because this is basically required for
external connections (clients open ports above 1023 to talk to external
servers). They might be hoping for a rule that allows all packets over port
1023 and that they may get lucky and find X or an RPC service running.
Your best defense is to make sure that you don't have any servers running on
ports over 1023. A simple netstat should clear this up. If you do, and
they aren't there intentionally, shut them down. If they must run, make
sure they are sufficiently protected.
ahp
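As an added example (not from this thread), detection logic for the pattern Hans describes and the ACK-flag point above: it parses constructed tcpdump-style log lines (in that notation, Flags [.] is a bare ACK), keeps packets from source port 80 to ports above 1023 with only ACK set, groups them by an assumed /24 netblock, and reports blocks where several distinct hosts swept destination ports in increasing order.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample log in tcpdump notation (not from the original thread).
# "Flags [.]" is a bare ACK; "Flags [S]" is a SYN.
SAMPLE_LOG = """\
13:27:01 IP 192.0.2.10.80 > 198.51.100.5.1024: Flags [.], ack 1, win 512
13:27:05 IP 192.0.2.11.80 > 198.51.100.5.1025: Flags [.], ack 1, win 512
13:27:09 IP 192.0.2.12.80 > 198.51.100.5.1026: Flags [.], ack 1, win 512
13:27:12 IP 192.0.2.13.80 > 198.51.100.5.1027: Flags [.], ack 1, win 512
13:27:15 IP 203.0.113.7.4433 > 198.51.100.5.80: Flags [S], seq 10, win 64240
13:27:20 IP 192.0.2.14.80 > 198.51.100.5.1029: Flags [.], ack 1, win 512
"""

LINE_RE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)"
                     r"\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")

def parse(log):
    """Yield one record per parseable line, in file (time) order."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield {"src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
                   "dport": int(m["dport"]), "flags": m["flags"]}

def is_ack_probe(rec):
    """Bare ACK from source port 80 to an unprivileged (>1023) port."""
    return rec["flags"] == "." and rec["sport"] == 80 and rec["dport"] > 1023

def find_probe_sweeps(log, min_hosts=3):
    """Group ACK probes by source /24 (assumed netblock size); report blocks
    with >= min_hosts distinct sources and whether ports rose monotonically."""
    by_block = defaultdict(list)
    for rec in parse(log):
        if is_ack_probe(rec):
            by_block[str(ip_network(rec["src"] + "/24", strict=False))].append(rec)
    report = {}
    for block, recs in by_block.items():
        hosts = {r["src"] for r in recs}
        if len(hosts) < min_hosts:
            continue
        dports = [r["dport"] for r in recs]
        report[block] = {"hosts": len(hosts),
                         "port_range": (min(dports), max(dports)),
                         "ascending": all(a < b for a, b in zip(dports, dports[1:]))}
    return report
```

On the sample above this reports the 192.0.2.0/24 block with five hosts sweeping ports 1024 through 1029 in ascending order, while the unrelated SYN to port 80 is ignored.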
----- Original Message -----
From: Petersen, Hans <[EMAIL PROTECTED]>
To: 'The Firewalls List' <[EMAIL PROTECTED]>
Sent: Monday, October 11, 1999 1:27 PM
Subject: Strange probes from port 80
> Hi all,
>
> we're seeing multiple connection attempts from multiple (80+) hosts on our
> firewall, all originating on port 80, going to ports 1024+ in a somewhat
> incremental order. The contact(s) happened 10-15 connections every minute,
> for a 2 hour period of time. Most of the originating hosts are within the
> same netblock.
>
> Any of you ever seen this behavior before? Any help would be greatly
> appreciated, here or in e-mail directly to me.
>
> ~Hans
> --
> Hans B. Petersen - [EMAIL PROTECTED]
> Network Security Engineer - phone 303-581-5600
> SCC Communications Corporation
> ~o' Sed quis custodiet ipsos custodes? 'o~
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]