Security Incidents mailing list archives

Re: 2300 FTP accesses from Korea

From: Russell Fulton <r.fulton () auckland ac nz>
Date: Tue, 19 Jun 2001 09:35:43 +1200 (NZST)


On Sun, 17 Jun 2001 22:48:41 -0700 Gregory McCann <cambria () owt com> 
wrote:

Our log files show that someone at two different Korean ip addresses 
tried to access our ftp server (ProFTPD 1.2.0) over 2,300 times on 
Saturday.  What's the point?


There probably is not point.  This activity probably was not 
intentional.  We have seen incidents like this several times over the 
last few years, in several cases the machine that initiated the 
activity was a cache.  

This is most likely a result of broken software on the orginating 
system.  Hmmm... I have also seen browsers retrying for ages when 
connecting to our main ftp server when we are refusing connections 
because the load is too high.


Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

Current thread:

Huge outgoing ICMP flows Vangelis Haniotakis (Jun 13)
- Re: Huge outgoing ICMP flows Trevor (Jun 13)
- Re: Huge outgoing ICMP flows Chris Ess (Jun 14)
  - Re: Huge outgoing ICMP flows Bryan Andersen (Jun 15)
    - Re: Huge outgoing ICMP flows Kurt Seifried (Jun 17)
    - 2300 FTP accesses from Korea Gregory McCann (Jun 18)
    - Re: 2300 FTP accesses from Korea ecofsky (Jun 18)
    - Re: 2300 FTP accesses from Korea Derek Kwan (Jun 18)
    - Re: 2300 FTP accesses from Korea Russell Fulton (Jun 18)
    - Re: 2300 FTP accesses from Korea Dug Song (Jun 18)
  - Re: Huge outgoing ICMP flows Gary Maltzen (Jun 19)
- Re: Huge outgoing ICMP flows Soeren Ziehe (Jun 15)
- <Possible follow-ups>
- Re: Huge outgoing ICMP flows Robert G. Ferrell (Jun 15)