Security Incidents: Traffic from microsoft.com ?

From: Peter Bates <Peter.Bates_at_lshtm.ac.uk>
Date: Sun, 01 Jul 2001 14:01:22 +0100

Hello all...

I'd just be curious if anyone else saw a similar sort of
behaviour recently...

I was dealing with an unrelated problem at the time,
and happened to observe our firewall logs during this period...

From 02:17 (GMT) to 02:26, our firewall logged 399
examples of traffic from 'microsoft.com' (the log had DNS lookup
applied, but I can see from the raw logs that these were various
machines, mostly 207.46.x.x) to most of our hosts here.

The traffic always has a source port of 80, and dst port
around the 1024-1200 range, pretty symptomatic of normal
web-browsing...

What was odd, of course, is the timing (hardly anyone would have been
here) and the inclusion of machines that I pretty much know were either
a) turned off b) non-Windows servers ...

Was this just the sign of a big spoofed scan, but if so, how come I can't see
any indication of an IP address that doesn't resolve to microsoft.com?

...

-------------------------------------------------------------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-927 2124 / Fax: 0207-436 5389 / Pager: 07625 255362

----------------------------------------------------------------------------

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:

http://aris.securityfocus.com
Received on Jul 01 2001
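
One way to triage firewall logs showing the pattern described in the message above (an added example, not part of the original post): separate inbound source-port-80 packets that answer a logged outbound request from those that match no request, then summarize the unmatched ones. The log format, the addresses (documentation ranges) and the function names are constructed for illustration.

```python
import re

# Constructed sample log in a hypothetical format, assumed chronological:
#   HH:MM:SS DIRECTION src:sport -> dst:dport
SAMPLE_LOG = """\
02:16:58 OUT 10.0.0.5:1030 -> 198.51.100.10:80
02:17:01 IN 198.51.100.10:80 -> 10.0.0.5:1030
02:17:03 IN 198.51.100.11:80 -> 10.0.0.7:1088
02:17:04 IN 198.51.100.12:80 -> 10.0.0.8:1101
02:17:09 IN 198.51.100.11:80 -> 10.0.0.5:1031
02:18:30 IN 203.0.113.4:22 -> 10.0.0.5:1040
"""

LINE = re.compile(r"(\d\d:\d\d:\d\d) (IN|OUT) ([\d.]+):(\d+) -> ([\d.]+):(\d+)")

def parse(log):
    """Yield (time, direction, src, sport, dst, dport) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.fullmatch(line.strip())
        if m:
            t, direction, src, sport, dst, dport = m.groups()
            yield t, direction, src, int(sport), dst, int(dport)

def unsolicited_web_replies(log):
    """Inbound source-port-80 packets with no earlier matching outbound request."""
    requests = set()  # (internal host, internal port, external host)
    hits = []
    for t, direction, src, sport, dst, dport in parse(log):
        if direction == "OUT" and dport == 80:
            requests.add((src, sport, dst))
        elif direction == "IN" and sport == 80 and (dst, dport, src) not in requests:
            hits.append((t, src, dst, dport))
    return hits

def summarize(hits):
    """Condense unmatched packets into counts, endpoints and the time window."""
    return {
        "packets": len(hits),
        "sources": sorted({h[1] for h in hits}),
        "targets": sorted({h[2] for h in hits}),
        "first": hits[0][0] if hits else None,
        "last": hits[-1][0] if hits else None,
    }

if __name__ == "__main__":
    print(summarize(unsolicited_web_replies(SAMPLE_LOG)))
```
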