This _could_ be the result of a broken load balancer - legitimate
connections are done from 199.117.205.35:3131 to xxx.xxx.xxx.34:80,
but later on the remote load balancer decides to remap something
to come from xxx.xxx.xxx.123:80 instead.
Just a thought.
Hard to say since you commented out the remote IPs.
It'd have to be a hell of a large site though, considering that
we're talking about 82 different IPs.
"Petersen, Hans" wrote:
>
> Here is an excerpt from the firewall log (Gauntlet):
>
> Oct 11 09:36:36 fw kernel: securityalert: tcp if=de1 from xxx.xxx.xxx.34:80
> to 199.117.205.35 on unserved port 3131
> Oct 11 09:36:44 fw kernel: securityalert: tcp if=de1 from xxx.xxx.xxx.123:80
> to 199.117.205.35 on unserved port 3152
> Oct 11 09:36:45 fw kernel: securityalert: tcp if=de1 from xxx.xxx.xxx.233:80
> to 199.117.205.35 on unserved port 3154
> Oct 11 09:36:46 fw kernel : securityalert: tcp if=de1 from xxx.xxx.xxx.63:80
> to 199.117.205.35 on unserved port 3153
> Oct 11 09:36:46 fw kernel: securityalert: tcp if=de1 from xxx.xxx.xxx.221:80
> to 199.117.205.35 on unserved port 3152
> Oct 11 09:36:49 fw kernel: securityalert: tcp if=de1 from xxx.xxx.xxx.63:80
> to 199.117.205.35 on unserved port 3157
>
> Multiple originating machines (82 in all), all coming from port 80, to our
> firewall (199.117.205.35) on random ports in the 1024+ range.
>
> Hope that clarifies what the connections look like. Any info on what this
> might be would be greatly appreciated.
>
> ~Hans
--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50
Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
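As an added example, not part of the thread, here is a small Python script that checks the load-balancer hypothesis above against the quoted log. It parses Gauntlet-style `securityalert` records, re-joins records that a mail client wrapped across lines (including a stray blank line of the kind that appears in the quoted excerpt), and summarises what the six entries actually show: source port is always 80, every destination port is in the 1024+ range, five distinct source addresses appear within 13 seconds, and one client port, 3152, is answered from two different server addresses. That last point is exactly the trace a remapping load balancer would leave: one connection the firewall opened to server A gets its replies from server B. The sample text is constructed from the lines quoted in the e-mail; the masked `xxx.xxx.xxx.N` addresses are kept as they appear there, and the regular expression tolerates the `kernel :` spacing variant seen in one of the lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the six Gauntlet "securityalert" records quoted in the
# thread, with the same line wrapping (and one stray blank line) the e-mail had.
SAMPLE_LOG = """\
Oct 11 09:36:36 fw kernel: securityalert: tcp if=de1 from xxx.xxx.xxx.34:80
to 199.117.205.35 on unserved port 3131
Oct 11 09:36:44 fw kernel: securityalert: tcp if=de1 from xxx.xxx.xxx.123:80

to 199.117.205.35 on unserved port 3152
Oct 11 09:36:45 fw kernel: securityalert: tcp if=de1 from xxx.xxx.xxx.233:80
to 199.117.205.35 on unserved port 3154
Oct 11 09:36:46 fw kernel : securityalert: tcp if=de1 from xxx.xxx.xxx.63:80
to 199.117.205.35 on unserved port 3153
Oct 11 09:36:46 fw kernel: securityalert: tcp if=de1 from xxx.xxx.xxx.221:80
to 199.117.205.35 on unserved port 3152
Oct 11 09:36:49 fw kernel: securityalert: tcp if=de1 from xxx.xxx.xxx.63:80
to 199.117.205.35 on unserved port 3157
"""

# A record starts with a syslog timestamp such as "Oct 11 09:36:36 ".
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")

# Full record once re-joined. "kernel ?:" accepts both "kernel:" and "kernel :".
ALERT = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel ?: securityalert: "
    r"(?P<proto>\w+) if=(?P<ifc>\S+) from (?P<src>\S+):(?P<sport>\d+) "
    r"to (?P<dst>\S+) on unserved port (?P<dport>\d+)$"
)


def join_wrapped(text):
    """Re-join records wrapped onto several lines by a mail client.

    Anything that does not start with a timestamp is treated as the
    continuation of the previous record; blank lines are dropped.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TIMESTAMP.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records


def parse_alerts(text):
    """Parse every securityalert record into a dict; non-matching lines are skipped."""
    alerts = []
    for rec in join_wrapped(text):
        m = ALERT.match(rec)
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            alerts.append(d)
    return alerts


def summarize(alerts):
    """Facts a practitioner wants before deciding between 'web replies' and 'scan'."""
    sources = {a["src"] for a in alerts}
    sports = {a["sport"] for a in alerts}
    dports = [a["dport"] for a in alerts]

    # Which destination (client) ports were answered from more than one server
    # address? One client port, several servers, is the load-balancer remap trace.
    servers_by_dport = defaultdict(set)
    for a in alerts:
        servers_by_dport[a["dport"]].add(a["src"])
    shared = {p: sorted(s) for p, s in servers_by_dport.items() if len(s) > 1}

    times = [datetime.strptime(a["ts"], "%b %d %H:%M:%S") for a in alerts]
    span = int((max(times) - min(times)).total_seconds())

    return {
        "count": len(alerts),
        "distinct_sources": len(sources),
        "all_from_port_80": sports == {80},
        "all_ephemeral_dports": all(1024 <= p <= 65535 for p in dports),
        "span_seconds": span,
        "dports_shared_by_several_sources": shared,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_alerts(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The summary alone cannot settle the question: a scan sourced from port 80 against random high ports would produce the same firewall view. What decides it is correlating these timestamps with the firewall's own (or its NATed clients') outbound connections to port 80 on the masked network; if a connection to `xxx.xxx.xxx.123:80` from local port 3152 existed seconds earlier, the `.221:80` packets to the same port are misdirected replies, not probes.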