RE: [FW1] Port 1024 Unknown Established TCP Packets
Actually, there has been some discussion on other lists related to similar traffic patterns. Turns out Cisco Local Director uses ACK packets destined for that port, to determine Internet latency. Once latency is calculated, it can then determine the best path for packets to travel through. Usually this is used to load balance between geographically separated web servers.

Hope it helps!

Jason

At 04:43 AM 12/9/00 +0200, Michael Liberte wrote:
>
>These are probably replies for some http requests your clients send to the
>internet. Look at the source port field in the log. Sometimes internet
>servers are too busy to serve the request immediately, so the reply packet
>is delayed. Clients usually connect using source port above 1023, and the
>server replies to that port. Since your firewall is probably doing some hide
>NAT, the replies come having your firewall as destination IP.
>
>-----Original Message-----
>From: Geoffrey Moon [mailto:[email protected]]
>Sent: Friday, December 08, 2000 6:01 PM
>To: [email protected]
>Subject: [FW1] Port 1024 Unknown Established TCP Packets
>
>
>
>Every now and then I'm seeing a blast of blocked traffic trying to connect
>to my firewall on port 1024, and being dropped by Rule 0 with the infamous
>"Unknown Established TCP Packet". The flurry of activity only lasts for a
>couple of seconds, and then I don't see it again for days. Usually it's 6 or
>8 hosts sending me this stuff - last time the IPs were from Exodus, Abovenet
>and Colt Internet in the Netherlands. Are these scans or network mapping
>attempts with spoofed source addresses? Anyone else seeing this type of
>activity?
>
>Thanks,
>
>Geoff

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
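A triage sketch for the two explanations offered in this thread, added here as an example and not written by any participant: it separates short multi-source bursts of bare ACKs to port 1024 from isolated drops whose source port is 80. The record layout, the addresses (documentation ranges), the window and the source threshold are constructed assumptions, not FireWall-1 log format.

```python
from collections import Counter

# Constructed drop records, NOT FireWall-1 log format:
# (epoch_seconds, src_ip, src_port, dst_port, tcp_flags)
DROPS = [
    (1000, "198.51.100.10", 34567, 1024, "A"),
    (1000, "198.51.100.22", 40112, 1024, "A"),
    (1001, "203.0.113.5", 51200, 1024, "A"),
    (1001, "203.0.113.77", 38000, 1024, "A"),
    (1002, "192.0.2.14", 45001, 1024, "A"),
    (1002, "192.0.2.99", 61234, 1024, "A"),
    (5000, "192.0.2.200", 80, 1024, "A"),       # lone packet from a web server
    (9000, "198.51.100.10", 80, 33012, "PA"),   # late data segment, other port
]
WINDOW = 5       # seconds (assumed); the flurry "only lasts for a couple of seconds"
MIN_SOURCES = 6  # assumed; "usually it's 6 or 8 hosts"


def bursts(drops, port=1024, window=WINDOW):
    """Group bare-ACK drops to `port` into bursts spanning at most `window` s."""
    groups, current = [], []
    for rec in sorted(drops):
        ts, _src, _sport, dport, flags = rec
        if dport != port or flags != "A":
            continue
        if current and ts - current[0][0] > window:
            groups.append(current)
            current = []
        current.append(rec)
    if current:
        groups.append(current)
    return groups


def triage(drops, port=1024, window=WINDOW, min_sources=MIN_SOURCES):
    """Label each record with the thread explanation it is consistent with."""
    labels = {}
    for group in bursts(drops, port, window):
        if len({rec[1] for rec in group}) >= min_sources:
            labels.update({rec: "multi-source ACK burst" for rec in group})
    for rec in drops:
        # Source port 80 matches the delayed-HTTP-reply explanation.
        fallback = "possible late HTTP reply" if rec[2] == 80 else "unclassified"
        labels.setdefault(rec, fallback)
    return labels


def summary(drops):
    """Count records per label."""
    return dict(Counter(triage(drops).values()))
```

A label only says which explanation a record is consistent with; confirming it still means checking the source addresses and the firewall's own connection state.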