Security Incidents mailing list archives
Re: scans on ports 3072 and 1024, why?
From: Conor McGrath <conormc () uchicago edu>
Date: Thu, 28 Dec 2000 17:48:39 -0600
Bill_Royds () pch gc ca once said:
We have been getting the same traffic hitting our firewall. More interestingly it is being sent to non-existent hosts behind our firewall which could never have sent the original packets and we do not allow IRC out anyway. It could be replies to spoofed packets or a way of probing for servers.

Here are some firewall logs (sanitized as to our address) showing this:

logfile.20001224:Dec 24 16:15:58.327 gate kernel: 232 Sending ICMP host (prohibited) unreachable. Original packet (dalnet.away.net[199.173.178.1]->server.seg.ip.83: Protocol=TCP[SYN ACK] Port
[snip most of the logs]
There are many more like this.
I don't suppose you managed to capture any of those packets, did you? Due to privacy concerns, I am not allowed to capture packets as they come in over our gateway. Of course, I can capture anything that comes directly to my machine, but they haven't hit me directly since before my awareness was raised.

I'd be suspicious but we do have an entire Class B network and I only have a few machines for which I'm personally responsible, and if these are scans, they are fairly slow (never any more than two hundred an hour per host). I've seen people do ftp scans of 35k+ on us in an hour. We tend to notice those right away :-)

--
Conor McGrath
Phone: (773)702-7611
Network Security Officer
Fax: (773)702-0559
Network Security Center, The University of Chicago
PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml