Every time I see someone asking this question (and I've asked it a few times myself), I never see an answer. Nobody in the world knows what this is or *might* be?
Ron 29 Posts
Dec 24th 2016 1 year ago
My guess is (hard to tell without seeing full packets) that they are looking for lazy/stateless firewall rules. A sysadmin may have just configured the firewall to allow port 22 inbound/outbound to allow the server to connect to other hosts via SSH, and by using ssh as a source port, the attacker hopes to take advantage of such a rule. This will not work in most modern firewalls if they are properly configured.
Johannes 3221 Posts ISC Handler
Dec 26th 2016 1 year ago
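Added example (not part of the original thread): a small Python model of the stateless "allow port 22 inbound/outbound" rule described in the post above, next to a connection-tracking filter, showing why an unsolicited SYN with source port 22 passes the former and is dropped by the latter. The addresses, ports and the `Packet`, `stateless_allows` and `StatefulFilter` names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # SYN set with ACK clear means a new connection attempt
    ack: bool = False

SERVER = "192.0.2.10"  # constructed address (RFC 5737 documentation range)

def stateless_allows(p):
    """The lazy rule: allow TCP port 22 in either direction, matching on
    either port, with no notion of which side opened the connection."""
    return p.sport == 22 or p.dport == 22

class StatefulFilter:
    """Outbound SSH from SERVER is allowed and tracked; inbound traffic is
    accepted only as a reply to a flow the server itself initiated."""
    def __init__(self):
        self.flows = set()

    def allows(self, p):
        if p.src == SERVER:
            if p.dport != 22:
                return False
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return True
        is_reply = (p.dst, p.dport, p.src, p.sport) in self.flows
        bare_syn = p.syn and not p.ack
        return is_reply and not bare_syn

def evaluate(packets):
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    fw = StatefulFilter()
    return [(stateless_allows(p), fw.allows(p)) for p in packets]

# Constructed sample traffic, not taken from any capture
SAMPLE = [
    Packet(SERVER, 40000, "198.51.100.7", 22, syn=True),            # server opens SSH out
    Packet("198.51.100.7", 22, SERVER, 40000, syn=True, ack=True),  # legitimate SYN-ACK reply
    Packet("203.0.113.9", 22, SERVER, 8080, syn=True),              # unsolicited SYN, source port 22
]

if __name__ == "__main__":
    for pkt, verdicts in zip(SAMPLE, evaluate(SAMPLE)):
        print(pkt, "stateless/stateful:", verdicts)
```
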
It's been more than 10 months and I don't have the packets any more (the attack, if that's what it was, has long stopped), but this explanation makes sense. Thanks.
Martijn 4 Posts
Dec 26th 2016 1 year ago