The activity we see is definitely mapping because it is attempting to reach
non-existent hosts on our server segment (DMZ) and has some sequencing to
it.
Server segment hosts do not do outbound connections so there should not be
returning packets with source port 80 which these have.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of
[EMAIL PROTECTED]
Sent: September 22, 2001 05:10 AM
To: [EMAIL PROTECTED]
Subject: Re: Port info


On 21 Sep 2001, at 10:30, [EMAIL PROTECTED] wrote:

> If you are looking for clues about incoming packets, also look at
> the source address. We seem to have a lot of packets which use a
> well-known source port to attempt to evade simple packet filters
> that allow "established" connections on well-known ports (http on
> port 80/tcp for instance). In these instances the destination port
> is not that important (generally just slightly > 1024 or >32000).
> The intruders are attempting network mapping looking for the FIN
> versus RST flags.

  I've also seen extraneous packets logged at the firewall when, for
instance, an internal client has dropped a connection while data was
en route from the external server -- the firewall has seen the RST
from the client, so when it sees an inbound packet a moment later, it
doesn't match any current session.
  (Logging even permitted activity gives you some context in which to
see whether this is happening, or if something else is going on, such
as the mapping scenario above.)

David Gillett


_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
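The triage both posters describe, as an added example that is not from the thread: it replays constructed firewall log lines, learns session state from our own outbound SYN and RST packets, labels each inbound packet carrying a well-known source port as a reply to an open session, a late packet trailing our client's RST (David's dropped-connection case), or unsolicited, and then reports any source whose unsolicited packets walk several sequential, non-existent DMZ hosts (the first poster's criteria). The log format, address ranges, list of real DMZ hosts and thresholds are all assumptions.

```python
import ipaddress
import re

# Constructed log (not from the thread); format: <epoch> <action> tcp <src>:<sport> > <dst>:<dport> <flags>
LOG = """\
1001 permit tcp 10.1.1.5:33012 > 198.51.100.7:80 S
1002 permit tcp 198.51.100.7:80 > 10.1.1.5:33012 SA
1003 permit tcp 10.1.1.5:33012 > 198.51.100.7:80 R
1004 deny tcp 198.51.100.7:80 > 10.1.1.5:33012 A
1010 deny tcp 203.0.113.9:80 > 10.2.0.20:1025 A
1011 deny tcp 203.0.113.9:80 > 10.2.0.21:1026 A
1012 deny tcp 203.0.113.9:80 > 10.2.0.22:1027 A
"""
LINE = re.compile(r"(\d+) \w+ tcp ([\d.]+):(\d+) > ([\d.]+):(\d+) (\w+)")
INSIDE = ipaddress.ip_network("10.0.0.0/8")   # assumed: clients 10.1/16, DMZ 10.2.0/24
DMZ_HOSTS = {"10.2.0.10", "10.2.0.11"}         # assumed: the only real DMZ hosts
WELL_KNOWN = {25, 53, 80, 443}                 # source ports that mimic "established" replies
GRACE, MIN_TARGETS = 5, 3  # seconds a reply may trail our RST; hosts before we call it mapping

def analyse(log=LOG):
    """Verdict per inbound packet with a well-known source port, plus mapping sources."""
    open_sessions, closed_at, targets, verdicts = set(), {}, {}, []
    for m in LINE.finditer(log):
        ts, src, sport, dst, dport, flags = m.groups()
        ts, sport, dport = int(ts), int(sport), int(dport)
        src_in, dst_in = (ipaddress.ip_address(a) in INSIDE for a in (src, dst))
        if src_in and not dst_in:                        # outbound: learn session state
            key = (src, sport, dst, dport)
            if flags == "S":
                open_sessions.add(key)
            elif "R" in flags and key in open_sessions:  # our client tore the session down
                open_sessions.discard(key)
                closed_at[key] = ts
        elif dst_in and not src_in and sport in WELL_KNOWN:
            key = (dst, dport, src, sport)               # inbound, keyed in session order
            if key in open_sessions:
                verdict = "session"                      # reply to something we asked for
            elif key in closed_at and ts - closed_at[key] <= GRACE:
                verdict = "late"                         # David's dropped-connection case
            else:
                verdict = "unsolicited"                  # nothing on our side asked for it
                targets.setdefault(src, set()).add(dst)
            verdicts.append((ts, verdict, src, dst))
    mapping = {}
    for src, hosts in targets.items():
        if len(hosts) >= MIN_TARGETS:                    # one source walking our segment
            addrs = sorted(int(ipaddress.ip_address(h)) for h in hosts)
            mapping[src] = {"hosts": len(hosts), "nonexistent": len(hosts - DMZ_HOSTS),
                            "sequential": all(b - a == 1 for a, b in zip(addrs, addrs[1:]))}
    return verdicts, mapping
```

Logging permitted outbound traffic is what makes the "session" and "late" verdicts possible; with deny-only logs every inbound source-port-80 packet looks unsolicited.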
