It seemed like the original post was pointing out what you are saying
now: "This is strange traffic, anybody know about it?" I think the
odds are it's not malicious traffic (as you said), but it's still broken.
There are some malicious programs that use port 60001 and some OSes
that accept TCP broadcast (BSD). Whether it's malicious or broken, it's
still probably not good. Dimitris is a good firewall admin and noticed
this in his/her logs and then asked other firewall types who may have
also noticed something like this. Being aware of what programs are
running on the network (especially TCP 60001 traffic) is a good trait
to have.
You have suggested that this traffic be dismissed as junk twice now, so
I think everyone understands your opinion, but it still may be a
diligent idea to figure out why it is there by asking this list for
information about it.
>
> No, that's exactly what I meant. IP to 255.255.255.255 on 60001/tcp is
> bogus. You can't do broadcast TCP. So, in my opinion, this is, from most
> probable to least probable,
>
> 1) Broken, non-malicious traffic.
>
> 2) Broken traffic from buggy malware.
>
> 3) Intentionally weird malicious traffic.
>
> Where (1) is wa-ay more probable than (2) which is also wa-ay more probable
> than (3). Why is (3) so improbable? Since this is a local broadcast, it
> can never leave the local network. Pretty silly behavior for a trojan trying
> to phone home or do something similar. It isn't likely a way for a worm
> to try to infect other machines on the LAN since any sane TCP/IP stack will
> drop broadcast TCP packets without a second look before there is a chance
> to do any damage. The only possible malicious use would be for a way for
> trojans (trojans that have infected kernel-land, not just user-land,
> by the way) to talk to one another on the same LAN.
>
> My money is on (1). It's a corollary of a good philosophy for life, "Never
> attribute to malice what can just as easily be attributed to stupidity,"
> that one, "Never assume weird network traffic is hostile when it can just as
> easily be the product of buggy software."
>
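One way to pick this kind of traffic out of firewall logs, as an added example that is not part of the original thread or any Check Point tooling: a small Python classifier run over constructed sample log lines (the whitespace-separated "proto src dst dport" format is invented for illustration, not the FW-1 log format). It flags TCP sent to the limited broadcast address 255.255.255.255 or to the directed broadcast of an assumed local subnet, on the reasoning from the quoted message that no TCP handshake can complete with a broadcast destination, so such packets are evidence of a broken stack or buggy software rather than a working connection. The 192.168.1.0/24 subnet and the sample addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log lines (not real FW-1 output): "proto src dst dport".
# Lines 1 and 3 are TCP to a broadcast address and should be flagged;
# the UDP broadcasts (DHCP, NetBIOS) and the unicast TCP are normal.
SAMPLE_LOG = """\
tcp 192.168.1.23 255.255.255.255 60001
udp 192.168.1.23 255.255.255.255 67
tcp 192.168.1.23 192.168.1.255 60001
tcp 192.168.1.23 10.0.0.5 443
udp 192.168.1.5 192.168.1.255 137
"""

# Assumed local subnet, used to recognise its directed broadcast address.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass
class Finding:
    line: str
    reason: str


def is_broadcast(dst: str, local_net: Optional[ipaddress.IPv4Network] = None) -> bool:
    """True for the limited broadcast 255.255.255.255 or local_net's directed broadcast."""
    addr = ipaddress.ip_address(dst)
    if addr == ipaddress.ip_address("255.255.255.255"):
        return True
    return local_net is not None and addr == local_net.broadcast_address


def classify(log_text: str, local_net: Optional[ipaddress.IPv4Network] = LOCAL_NET) -> List[Finding]:
    """Return one Finding per log line that carries TCP to a broadcast destination.

    UDP to broadcast is legitimate (DHCP, NetBIOS, service discovery), so only
    TCP is flagged; a broadcast destination can never complete a three-way
    handshake, which is why the reason labels it broken rather than hostile.
    """
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        proto, _src, dst, _dport = line.split()
        if proto.lower() == "tcp" and is_broadcast(dst, local_net):
            findings.append(Finding(
                line,
                "tcp-to-broadcast: no handshake possible; likely broken stack or buggy software",
            ))
    return findings


if __name__ == "__main__":
    for f in classify(SAMPLE_LOG):
        print(f"{f.line}  <-  {f.reason}")
```

Running it against the constructed sample prints the two TCP lines aimed at 255.255.255.255 and 192.168.1.255 and nothing else. In practice the follow-up is the one the thread suggests: trace the source address back to the host and find which program emits the packets, rather than treating the log entries as an attack.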
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================