
RE: [FW1] Port 1024 Unknown Established TCP Packets



Actually, there has been some discussion on other lists related to similar
traffic patterns.  Turns out Cisco Local Director uses ACK packets destined
for that port, to determine Internet latency.  Once latency is calculated,
it can then determine the best path for packets to travel through.  Usually
this is used to load balance between geographically separated web servers.
Hope it helps!

Jason

At 04:43 AM 12/9/00 +0200, Michael Liberte wrote:
>
>These are probably replies for some http requests your clients send to the
>internet. Look at the source port field in the log. Sometimes internet
>servers are too busy to serve the request immediately, so the reply packet
>is delayed. Clients usually connect using source port above 1023, and the
>server replies to that port. Since your firewall is probably doing some hide
>NAT, the replies come having your firewall as destination IP.
>
>-----Original Message-----
>From: Geoffrey Moon [mailto:[email protected]]
>Sent: Friday, December 08, 2000 6:01 PM
>To: [email protected]
>Subject: [FW1] Port 1024 Unknown Established TCP Packets
>
>
>
>Every now and then I'm seeing a blast of blocked traffic trying to connect
>to my firewall on port 1024, and being dropped by Rule 0 with the infamous
>"Unknown Established TCP Packet". The flurry of activity only lasts for a
>couple of seconds, and then I don't see it again for days. Usually it's 6 or
>8 hosts sending me this stuff - last time the IPs were from Exodus, Abovenet
>and Colt Internet in the Netherlands. Are these scans or network mapping
>attempts with spoofed source addresses? Anyone else seeing this type of
>activity?
>
>Thanks,
>
>Geoff
>
>
>============================================================================
>====
>     To unsubscribe from this mailing list, please see the instructions at
>               http://www.checkpoint.com/services/mailing.html
>============================================================================
>====
>
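
The two explanations offered in this thread (delayed replies to hide-NATed client connections, and unsolicited ACK probes arriving from several hosts at once) can be told apart in the logs. The sketch below is an added example, not part of the original messages; it assumes drop and outbound-connection records have already been parsed into tuples, and the tuple layout, thresholds and sample addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (documentation address ranges), not real log lines.
SAMPLE_OUTBOUND = [(100, 1024, "198.51.100.7", 80)]  # (ts, nat_port, dst_ip, dst_port)
SAMPLE_DROPS = [                                     # (ts, src_ip, src_port, dst_port)
    (160, "198.51.100.7", 80, 1024),   # mirrors the outbound flow above, 60 s later
    (1000, "192.0.2.10", 80, 1024),
    (1000, "192.0.2.20", 80, 1024),
    (1001, "203.0.113.5", 80, 1024),
    (1001, "203.0.113.9", 80, 1024),
    (1002, "192.0.2.30", 80, 1024),
    (1002, "203.0.113.77", 80, 1024),
    (5000, "192.0.2.99", 80, 3127),    # isolated packet, no matching flow
]

def classify_drops(drops, outbound, reply_age=300, window=5, min_sources=4):
    """Label each out-of-state drop 'late_reply', 'probe_burst' or 'unexplained'.

    reply_age, window (seconds) and min_sources are assumed thresholds to tune.
    """
    # Index outbound connections by the flow on which a reply would arrive.
    seen = defaultdict(list)
    for ts, nat_port, dst_ip, dst_port in outbound:
        seen[(dst_ip, dst_port, nat_port)].append(ts)

    labels, unmatched = {}, defaultdict(list)
    for i, (ts, src_ip, src_port, dst_port) in enumerate(drops):
        # A delayed reply mirrors an earlier outbound flow through hide NAT.
        if any(0 <= ts - t <= reply_age for t in seen[(src_ip, src_port, dst_port)]):
            labels[i] = "late_reply"
        else:
            labels[i] = "unexplained"
            unmatched[dst_port].append((ts, src_ip, i))

    # Several distinct sources hitting one port within a few seconds, none of
    # them matching an outbound flow, is the burst pattern described above.
    for hits in unmatched.values():
        hits.sort()
        for ts, _, _ in hits:
            near = [h for h in hits if abs(h[0] - ts) <= window]
            if len({h[1] for h in near}) >= min_sources:
                for _, _, i in near:
                    labels[i] = "probe_burst"
    return [labels[i] for i in range(len(drops))]

if __name__ == "__main__":
    print(classify_drops(SAMPLE_DROPS, SAMPLE_OUTBOUND))
```
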
