
SANS ISC: Port 22 source traffic - Internet Security | DShield SANS ISC InfoSec Forums


Port 22 source traffic
Every time I see someone asking this question (and I've asked it a few times myself), I never see an answer. Nobody in the world knows what this is or *might* be? Ron

29 Posts
My guess is (hard to tell without seeing full packets) that they are looking for lazy/stateless firewall rules. A sysadmin may have just configured the firewall to allow port 22 inbound/outbound to allow the server to connect to other hosts via SSH, and by using ssh as a source port, the attacker hopes to take advantage of such a rule. This will not work in most modern firewalls if they are properly configured. Johannes

2894 Posts
ISC Handler
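The two rule styles Johannes contrasts, as an added illustration that is not from the thread: a stateless "source port 22 is fine" rule admits an unsolicited SYN that merely claims to come from an SSH server, while a stateful rule only admits packets belonging to a flow an inside host opened. The log format, addresses and the connection table are all constructed for the example.

```python
"""Stateless vs. stateful handling of packets that arrive with source port 22.
The iptables-LOG-like lines, the RFC 5737 addresses and CONNTRACK are
constructed sample data for this example, not captured traffic."""
import re
from dataclasses import dataclass

LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
    r"(?P<flags>(?: (?:SYN|ACK|FIN|RST|PSH))*)")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    spt: int
    dpt: int
    flags: frozenset

def parse(line):
    """Parse one inbound log line into a Packet, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Packet(m["src"], m["dst"], int(m["spt"]), int(m["dpt"]),
                  frozenset(m["flags"].split()))

def stateless_allows(pkt):
    """The lazy rule from the post: any TCP packet touching port 22 passes."""
    return pkt.spt == 22 or pkt.dpt == 22

def stateful_allows(pkt, conntrack):
    """Inbound packet passes only if it answers a flow an inside host started.
    conntrack holds (inside_ip, inside_port, outside_ip, outside_port) tuples."""
    return (pkt.dst, pkt.dpt, pkt.src, pkt.spt) in conntrack

def suspicious_source_port_22(lines):
    """Flag inbound SYN-only packets with SPT=22: a real SSH server replies
    from port 22 with SYN/ACK, it never opens a new connection from it."""
    hits = []
    for line in lines:
        pkt = parse(line)
        if pkt and pkt.spt == 22 and pkt.flags == {"SYN"}:
            hits.append(pkt)
    return hits

SAMPLE_LOG = [  # constructed; all lines are inbound on the external interface
    "IN=eth0 SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP SPT=22 DPT=445 SYN",      # probe
    "IN=eth0 SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP SPT=22 DPT=3389 SYN",     # probe
    "IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=22 DPT=51234 SYN ACK",  # real reply
    "IN=eth0 SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP SPT=44321 DPT=22 SYN",    # ordinary SSH login attempt
]
# Flow the inside host 10.0.0.5 opened to an outside SSH server (constructed).
CONNTRACK = {("10.0.0.5", 51234, "198.51.100.7", 22)}
```

Running `suspicious_source_port_22(SAMPLE_LOG)` flags only the two probes; the stateless rule lets them through, the stateful rule does not.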
It's been more than 10 months and I don't have the packets any more (the attack, if that's what it was, has long stopped), but this explanation makes sense. Thanks. Martijn

4 Posts
