I have a WatchGuard Firebox that has been logging some interesting activity (to me at least). I am getting TONS of new traffic from PCs on my network that is going to incremental ports. It's TCP traffic sending SYN packets, so I'm assuming that it's some sort of port scan, but not anything I have seen before or anything I can find help for. I have scanned the PCs with multiple antivirus software packages and have scanned them for Ad/Spyware with 2 packages. Here is a section of my log entry. Any help is appreciated. It may be nothing, but since this has started, my internet speed has also dropped.
Notice that the source port is incrementing by 1. These ports are always between 1000 and 4999. It hits port 80 as the destination port. Is this normal for browsing activity?
Thanks
jf
-------------------------------------
510298 01/12/05 14:44:19 n allow out eth1 44 tcp 20 128 10.0.0.44 63.210.164.25 2199 80 syn (Filtered-HTTP)
510308 01/12/05 14:44:19 n allow out eth1 44 tcp 20 128 10.0.0.44 63.210.164.25 2200 80 syn (Filtered-HTTP)
510318 01/12/05 14:44:19 n allow out eth1 44 tcp 20 128 10.0.0.44 63.210.164.25 2201 80 syn (Filtered-HTTP)
510328 01/12/05 14:44:19 n allow out eth1 44 tcp 20 128 10.0.0.44 64.215.172.6 2202 80 syn (Filtered-HTTP)
510338 01/12/05 14:44:19 n allow out eth1 44 tcp 20 128 10.0.0.44 64.215.172.6 2203 80 syn (Filtered-HTTP)
510348 01/12/05 14:44:19 n allow out eth1 44 tcp 20 128 10.0.0.44 63.210.164.25 2204 80 syn (Filtered-HTTP)
510418 01/12/05 14:44:19 n allow out eth1 44 tcp 20 128 10.0.0.44 64.215.172.6 2205 80 syn (Filtered-HTTP)
510428 01/12/05 14:44:19 n allow out eth1 44 tcp 20 128 10.0.0.44 64.215.172.6 2206 80 syn (Filtered-HTTP)
510748 01/12/05 14:44:20 n allow out eth1 44 tcp 20 128 10.0.0.44 216.109.126.57 2208 80 syn (Filtered-HTTP)
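
An added example, not part of the original post: a small triage script that groups outbound SYN entries like the ones above by source host and reports how many distinct destination hosts and destination ports each one touched, which is the axis that separates a scan (many destination ports or hosts) from ordinary client connections (varying source port, fixed service port). The field layout is inferred from the nine entries in the post, and the function names and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict

# Field layout inferred from the entries in the post (an assumption, not a
# documented WatchGuard format): ... src dst sport dport syn (policy)
LINE_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"(?P<sport>\d+) (?P<dport>\d+) syn\b"
)

# The nine entries from the post, one per line.
POST_LOG = """\
510298 01/12/05 14:44:19 n allow out eth1 44 tcp 20 128 10.0.0.44 63.210.164.25 2199 80 syn (Filtered-HTTP)
510308 01/12/05 14:44:19 n allow out eth1 44 tcp 20 128 10.0.0.44 63.210.164.25 2200 80 syn (Filtered-HTTP)
510318 01/12/05 14:44:19 n allow out eth1 44 tcp 20 128 10.0.0.44 63.210.164.25 2201 80 syn (Filtered-HTTP)
510328 01/12/05 14:44:19 n allow out eth1 44 tcp 20 128 10.0.0.44 64.215.172.6 2202 80 syn (Filtered-HTTP)
510338 01/12/05 14:44:19 n allow out eth1 44 tcp 20 128 10.0.0.44 64.215.172.6 2203 80 syn (Filtered-HTTP)
510348 01/12/05 14:44:19 n allow out eth1 44 tcp 20 128 10.0.0.44 63.210.164.25 2204 80 syn (Filtered-HTTP)
510418 01/12/05 14:44:19 n allow out eth1 44 tcp 20 128 10.0.0.44 64.215.172.6 2205 80 syn (Filtered-HTTP)
510428 01/12/05 14:44:19 n allow out eth1 44 tcp 20 128 10.0.0.44 64.215.172.6 2206 80 syn (Filtered-HTTP)
510748 01/12/05 14:44:20 n allow out eth1 44 tcp 20 128 10.0.0.44 216.109.126.57 2208 80 syn (Filtered-HTTP)
"""

def summarize(log_text):
    """Per source host: destination hosts, destination ports, source ports."""
    hosts = defaultdict(lambda: {"dsts": set(), "dports": set(), "sports": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip non-SYN or malformed lines
        h = hosts[m["src"]]
        h["dsts"].add(m["dst"])
        h["dports"].add(int(m["dport"]))
        h["sports"].append(int(m["sport"]))
    return hosts

def classify(h, max_dports=10, max_dsts=50):
    """Thresholds are illustrative assumptions; tune them to the log window."""
    if len(h["dports"]) > max_dports:
        return "many destination ports: port-scan pattern"
    if len(h["dsts"]) > max_dsts:
        return "many destination hosts on one port: sweep pattern"
    return "few destinations, fixed service port: client-connection pattern"

if __name__ == "__main__":
    for src, h in summarize(POST_LOG).items():
        print(src, len(h["dsts"]), sorted(h["dports"]),
              min(h["sports"]), max(h["sports"]), classify(h))
```

Run it over a longer export of the same log to see whether the destination host count per PC stays small or grows without bound.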