Hi.

Today I installed a log watcher for our router logs - they show all incoming and outgoing connections, complete with source and dest ports, timestamps, packet count, and size - no IP flags or protocol info, though. :(

So, the watcher alerts us if any single host tries a large (defined as >3000) number of connections within, say, half an hour. Most normal hosts don't go over about 1,000 connections in this time frame. Seems a decent heuristic for a first check for evildoers; it won't pick up "slow" scans and the like, but it's a start.

Which leads us to later tonight, when the watcher starts throwing some alerts. Seems like one of our hosts (a win2k machine, if we believe nmap) is connecting to lots of other hosts on port 1214. Approx. 25,000 connections to distinct, random-looking hosts, for that single port number, with a packet count of 3-4 packets each connection. This has been going on over a time frame of 3 hours now, and no signs of slowing down. Wish I could pull this thing off the net myself - unfortunately this will have to wait till morning :(

Now, port 1214 is reserved for what is called "Intelligent Communications Protocol" on tcp and KAZAA on udp. I don't know what the first one is; I do know that Kazaa is a file sharing thingy, though. The small packet count reminds one of a vulnerability scan. Has there been any vulnerability known re: kazaa (the most probable target)?

Thank you all in advance for your time, and sorry for making such a lengthy post.

--
Vangelis Haniotakis - Network & Communications Centre, University of Crete

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
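The post describes two things a flow-log watcher can key on: the per-host connection-count heuristic it already implements (more than 3000 connections from one source in a 30-minute window) and the pattern it then saw (one source, one destination port, thousands of distinct destinations, 3-4 packets per flow). The following is an added example, written for this page and not the poster's watcher, that implements both over a sliding window: the raw count from the post, plus a port-sweep check that counts distinct destinations per destination port among short flows. The log format ("ts src sport dst dport packets bytes"), the host addresses, the sweep threshold of 500 distinct destinations and the "short flow" cutoff of 4 packets are all assumptions chosen for the example; the sample log is constructed with a fixed random seed so it runs offline.

```python
"""Sliding-window connection-count and port-sweep alerting over flow-style router logs."""
from collections import Counter, deque
from dataclasses import dataclass, field
import random

# Constructed log format (an assumption for this example, not the poster's real format):
#   "<ts-seconds> <src> <sport> <dst> <dport> <packets> <bytes>"
@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    bytes: int

def parse_line(line: str) -> Flow:
    ts, src, sport, dst, dport, packets, nbytes = line.split()
    return Flow(float(ts), src, int(sport), dst, int(dport), int(packets), int(nbytes))

@dataclass
class HostState:
    """Per-source state inside the current sliding window."""
    flows: deque = field(default_factory=deque)            # (ts, dst, dport, short)
    short_pairs: Counter = field(default_factory=Counter)  # (dport, dst) -> short flows in window
    distinct: Counter = field(default_factory=Counter)     # dport -> distinct dsts with short flows

class FanOutDetector:
    def __init__(self, window=1800, conn_threshold=3000, sweep_threshold=500, max_scan_packets=4):
        self.window = window                    # seconds; the post's half hour
        self.conn_threshold = conn_threshold    # the post's ">3000 connections" rule
        self.sweep_threshold = sweep_threshold  # assumed: distinct dsts on one port that count as a sweep
        self.max_scan_packets = max_scan_packets  # assumed: flows this short look like probes, not sessions
        self.hosts = {}

    def observe(self, f: Flow):
        """Feed one flow (in timestamp order); return alerts triggered by it."""
        st = self.hosts.setdefault(f.src, HostState())
        short = f.packets <= self.max_scan_packets
        st.flows.append((f.ts, f.dst, f.dport, short))
        if short:
            key = (f.dport, f.dst)
            if st.short_pairs[key] == 0:
                st.distinct[f.dport] += 1
            st.short_pairs[key] += 1
        # Expire flows that fell out of the window, keeping the distinct counts exact.
        cutoff = f.ts - self.window
        while st.flows and st.flows[0][0] < cutoff:
            _, odst, odport, oshort = st.flows.popleft()
            if oshort:
                key = (odport, odst)
                st.short_pairs[key] -= 1
                if st.short_pairs[key] == 0:
                    del st.short_pairs[key]
                    st.distinct[odport] -= 1
        alerts = []
        if len(st.flows) > self.conn_threshold:
            alerts.append(("many-connections", f.src, None, len(st.flows)))
        # Only this flow's port can have grown, so one lookup per flow is enough.
        n = st.distinct[f.dport]
        if n > self.sweep_threshold:
            alerts.append(("port-sweep", f.src, f.dport, n))
        return alerts

def run_detector(lines, **kw):
    """Run the detector over log lines; return the worst value seen per (kind, src, dport)."""
    det = FanOutDetector(**kw)
    worst = {}
    for line in lines:
        for kind, src, dport, value in det.observe(parse_line(line)):
            worst[(kind, src, dport)] = max(worst.get((kind, src, dport), 0), value)
    return worst

def sample_log(seed=7):
    """Constructed sample: one host sweeping port 1214 with 3-4 packet flows, one ordinary host."""
    rng = random.Random(seed)
    scanner, normal = "10.0.5.23", "10.0.5.40"   # assumed addresses
    flows = []
    for i in range(3500):                          # one probe every half second, random-looking dsts
        dst = "%d.%d.%d.%d" % (rng.randint(1, 223), rng.randint(0, 255),
                               rng.randint(0, 255), rng.randint(1, 254))
        flows.append(Flow(i * 0.5, scanner, rng.randint(1024, 65535), dst, 1214,
                          rng.choice((3, 4)), rng.randint(120, 260)))
    servers = ["192.0.2.%d" % n for n in range(1, 51)]
    for i in range(800):                           # ordinary browsing: few servers, long flows
        flows.append(Flow(i * 2.2, normal, rng.randint(1024, 65535), rng.choice(servers), 80,
                          rng.randint(8, 60), rng.randint(2000, 90000)))
    flows.sort(key=lambda f: f.ts)
    return ["%g %s %d %s %d %d %d" % (f.ts, f.src, f.sport, f.dst, f.dport, f.packets, f.bytes)
            for f in flows]

if __name__ == "__main__":
    for (kind, src, dport), value in sorted(run_detector(sample_log()).items(), key=str):
        print(kind, src, dport, value)
```

On the constructed log the scanning host trips both rules, and the browsing host trips neither, because its flows go to a handful of servers and carry far more than four packets each. The distinct-destination count is what separates a sweep from a busy but legitimate client: a host making thousands of connections to the same few servers never raises the port-sweep alert, while a host making short flows to thousands of different addresses on one port does, even when it stays under the raw 3000-connection line. Shrinking the window (for example to 60 seconds) makes the same log silent, which is the "slow scan" blind spot the post mentions.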
This archive was generated by hypermail 2b30 : Fri Jun 29 2001 - 08:13:56 PDT