Security Incidents mailing list archives

Re: scans on ports 3072 and 1024, why?


From: Conor McGrath <conormc () uchicago edu>
Date: Thu, 28 Dec 2000 17:48:39 -0600

Bill_Royds () pch gc ca once said:
We have been getting the same traffic hitting our firewall. More interestingly
it is being sent to non-existent hosts behind our firewall which could never
have sent the original packets and we do not allow IRC out anyway. It could be
replies to spoofed packets or a way of probing for servers.
Here are some firewall logs (sanitized as to our address) showing this:


logfile.20001224:Dec 24 16:15:58.327 gate kernel: 232 Sending ICMP host (prohibited) unreachable. Original packet (dalnet.away.net[199.173.178.1]->server.seg.ip.83: Protocol=TCP[SYN ACK] Port

[snip most of the logs]


There are many more like this.

I don't suppose you managed to capture any of those packets, did you?  Due
to privacy concerns, I am not allowed to capture packets as they come in
over our gateway.  Of course, I can capture anything that comes directly
to my machine, but they haven't hit me directly since before my awareness
was raised.  I'd be suspicious but we do have an entire Class B network
and I only have a few machines for which I'm personally responsible, and
if these are scans, they are fairly slow (never any more than two hundred
an hour per host).  I've seen people do ftp scans of 35k+ on us in an hour.
We tend to notice those right away :-)

-- 

Conor McGrath                                           Phone: (773)702-7611
Network Security Officer                                Fax:   (773)702-0559
Network Security Center, The University of Chicago
PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml
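The triage Bill describes (unsolicited SYN/ACKs from an IRC server landing on hosts that do not exist behind the firewall, at a rate far below an ordinary scan) can be scripted over the firewall's reject log. The following Python is an added example and is not code from either poster. Its log-line format is reconstructed from the single line quoted above, which is cut off after "Port"; the "Port src->dst)" tail, the set of live hosts, the host names and the addresses in SAMPLE_LOG are constructed for illustration, and the 200-per-hour "slow" threshold is the figure Conor mentions, not a standard. A SYN/ACK aimed at an address nobody owns is the strongest backscatter indicator, since nothing inside could have sent the SYN it answers; the script counts those per source and reports the peak per-host hourly rate so a slow probe can be told apart from a fast sweep such as the FTP scan mentioned in the reply.

```python
"""Backscatter / slow-scan triage over firewall "ICMP host unreachable" reject logs.

Added example, not part of the original thread.  The line format below is
reconstructed from the one (truncated) log line quoted in the thread; the
"Port src->dst)" tail, host names, addresses and live-host list are assumed.
"""
import re
from collections import Counter, defaultdict

# Reconstructed line format.  The quoted sample ends at "Port", so the port
# tail is optional here and its "src->dst" layout is an assumption.
LINE_RE = re.compile(
    r"(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) (?P<hh>\d\d):\d\d:\d\d\.\d+ \S+ kernel: \d+ "
    r"Sending ICMP host \(prohibited\) unreachable\. Original packet "
    r"\((?P<srchost>[^\[]+)\[(?P<srcip>[\d.]+)\]->(?P<dst>[^:]+): "
    r"Protocol=TCP\[(?P<flags>[^\]]*)\]"
    r"(?: Port (?P<sport>\d+)->(?P<dport>\d+))?"
)

# Constructed sample: four SYN/ACKs from the IRC server to addresses that do not
# exist, one to a live host, and a fast three-packet FTP SYN sweep for contrast.
SAMPLE_LOG = """\
logfile.20001224:Dec 24 16:15:58.327 gate kernel: 232 Sending ICMP host (prohibited) unreachable. Original packet (dalnet.away.net[199.173.178.1]->server.seg.ip.83: Protocol=TCP[SYN ACK] Port 6667->1024)
logfile.20001224:Dec 24 16:16:02.101 gate kernel: 232 Sending ICMP host (prohibited) unreachable. Original packet (dalnet.away.net[199.173.178.1]->server.seg.ip.84: Protocol=TCP[SYN ACK] Port 6667->3072)
logfile.20001224:Dec 24 16:40:11.509 gate kernel: 232 Sending ICMP host (prohibited) unreachable. Original packet (dalnet.away.net[199.173.178.1]->server.seg.ip.84: Protocol=TCP[SYN ACK] Port 6667->1024)
logfile.20001224:Dec 24 17:02:44.770 gate kernel: 232 Sending ICMP host (prohibited) unreachable. Original packet (dalnet.away.net[199.173.178.1]->server.seg.ip.200: Protocol=TCP[SYN ACK] Port 6667->3072)
logfile.20001224:Dec 24 17:05:00.001 gate kernel: 232 Sending ICMP host (prohibited) unreachable. Original packet (scanner.example[203.0.113.9]->server.seg.ip.10: Protocol=TCP[SYN] Port 40001->21)
logfile.20001224:Dec 24 17:05:00.002 gate kernel: 232 Sending ICMP host (prohibited) unreachable. Original packet (scanner.example[203.0.113.9]->server.seg.ip.11: Protocol=TCP[SYN] Port 40002->21)
logfile.20001224:Dec 24 17:05:00.003 gate kernel: 232 Sending ICMP host (prohibited) unreachable. Original packet (scanner.example[203.0.113.9]->server.seg.ip.12: Protocol=TCP[SYN] Port 40003->21)
logfile.20001224:Dec 24 18:20:15.000 gate kernel: 232 Sending ICMP host (prohibited) unreachable. Original packet (dalnet.away.net[199.173.178.1]->server.seg.ip.10: Protocol=TCP[SYN ACK] Port 6667->1024)
"""

# Assumed inventory of addresses that actually exist behind the firewall.
LIVE_HOSTS = {"server.seg.ip.10", "server.seg.ip.11", "server.seg.ip.12"}


def parse_line(line):
    """Return a record dict for one reject-log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "hour": f"{d['mon']} {int(d['day']):02d} {d['hh']}",  # hourly bucket key
        "srchost": d["srchost"],
        "srcip": d["srcip"],
        "dst": d["dst"],
        "flags": set(d["flags"].split()),
        "sport": int(d["sport"]) if d["sport"] else None,
        "dport": int(d["dport"]) if d["dport"] else None,
    }


def parse_log(text):
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def backscatter_candidates(records, live_hosts):
    """Count, per source IP, SYN/ACKs sent to addresses that do not exist.

    Nothing inside could have sent the SYN these answer, so either our space was
    spoofed as the source of SYNs to that server (backscatter) or the sender is
    using SYN/ACK probes to map which addresses are alive."""
    c = Counter()
    for r in records:
        if r["flags"] == {"SYN", "ACK"} and r["dst"] not in live_hosts:
            c[r["srcip"]] += 1
    return c


def peak_hourly_rate(records, srcip):
    """Highest packets-per-hour seen from srcip against any single destination host."""
    buckets = Counter((r["dst"], r["hour"]) for r in records if r["srcip"] == srcip)
    per_host = defaultdict(int)
    for (dst, _hour), n in buckets.items():
        per_host[dst] = max(per_host[dst], n)
    return dict(per_host)


def triage(text, live_hosts, slow_threshold=200):
    """Summarise each backscatter source: volume, peak rate, and whether it is 'slow'."""
    records = parse_log(text)
    out = {}
    for srcip, n in backscatter_candidates(records, live_hosts).items():
        peak = max(peak_hourly_rate(records, srcip).values())
        out[srcip] = {
            "synack_to_nonexistent": n,
            "peak_per_host_per_hour": peak,
            "slow": peak <= slow_threshold,
        }
    return out


if __name__ == "__main__":
    for src, summary in triage(SAMPLE_LOG, LIVE_HOSTS).items():
        print(src, summary)
```

On the constructed sample this reports 199.173.178.1 with four SYN/ACKs to non-existent addresses and a peak of two packets per host per hour, well under the threshold, while the 203.0.113.9 FTP sweep is plain SYN traffic and is not reported as backscatter at all. With real logs the live-host set should come from the address inventory, not be typed in, and a source that only ever hits existing hosts is worth a second look as a possible SYN/ACK mapping probe rather than pure backscatter.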
