Firewall Wizards mailing list archives

Re: Port scans to UDP 161 (SNMP)


From: Mark (Mookie) <mark () zang com>
Date: Fri, 22 May 1998 05:22:33 -0700 (PDT)

      Has anyone seen this before?  I have been getting UDP (161/SNMP) port 
scans across my 205.247.224/24 (from .255 to .[012]?) repeatedly from 
certain IP #s.  The most recent events happened 6 times over the past 5 
days (all from the same IP).  The user of that IP has a laptop w/ 

Yeah, same here, almost like the IMAP scans one sees. To machines they
have no business looking at either. I think they are possibly looking for
SNMP information describing the host in question, be it unix, a router or
other device.

I held off raising an incident report about this with an ISP earlier today,
simply because it was a once off and I couldn't see any other activity from
that IP. If it was more than one packet I'd have instituted greater counter
measures against the host involved. You however sound as if you have either
an attacker or a program being tested by someone.

Do you go with the simple explanation or the insidious approach? :)

Good luck,
Mark


