Netflow Question

the_Grinch · May 2014

Quick netflow question. In what cases would you get a flow where the source and destination IP's are different, but the source and destination ports are the same? I have a theory, but was hoping someone could throw up a few alternatives as well.

networker050184 · May 2014

What is the port?

the_Grinch · May 2014

3389 is the port...not positive the traffic is definitely RDP.

SteveO86 · May 2014

Could it be a custom application?

the_Grinch · May 2014

99.9% sure it is not

ande0255 · May 2014

Out of curiousity, what leads you to believe it's not RDP traffic? Is the source IP completely unknown or originating from the LAN? I've had a few customers that got periodically probed for RDP vulnerabilities, then some other MSP poked a bunch of holes in there ASA for port 3389, and there DC started firing off alerts every 2-3 seconds from what seemed to be brute force attacks.

the_Grinch · May 2014

Can't go into a ton of detail, but there are somethings that make me believe it might not be RDP. It very well could be, but I have some doubts.

wastedtime · May 2014

There is a ton of stuff it could be. I've seen where people have done a SSH tunnel like that and even home brewed protocols for peer to peer communications. There isn't many protocols that I can think of that use the same source and destination ports.

Edit:
I would love to know what this is even if you can't go into details.

the_Grinch · May 2014

Haha, we're working on it and hopefully at some point a picture will be painted. Thanks guys! Confirmed my theories.

Netflow Question

Comments