Re: 27015 probe increase??

From: bhc2at_private
Date: Wed Jul 11 2001 - 14:09:17 PDT


    On Tue, 10 Jul 2001, cg wrote:
    > I've seen increased activity on port 27015. In the last half hour I've
    > gotten the following probes. I'm just a lowly dsl user, not even pingable
    > from outside.
    > Rule "gather" blocked (xx.xxx.xxx.xx,27015).  Details:
    
    Port 27015 is the port used for the game "Half-Life," a First Person 
    Shooter. I doubt you have much to worry about, from the fact that this 
    was a two minute log and judging by the number of hits I would have to 
    guess that your IP (possibly it is assigned using DHCP?) was listed 
    either online at a webpage or on one of the Half-Life servers as hosting 
    a game. Thus users would instruct their machines to connect to yours, in 
    order to play.
    
    The IPs I recognize from the states all appear to be of Cable/DSL origin:
    > Remote address,service is (24.24.150.52,2756)
    > we-24-24-150-52.we.mediaone.net
    > Remote address,service is (24.250.96.93,22952
    > ci170011-a.athen1.ga.home.com
    > Remote address,service is (65.81.53.244,22952)
    > adsl-81-53-244.asm.bellsouth.net
    The gaming community is well known as an early adopter of Broadband in the 
    pursuit of lower PING times to the server. 
    If in fact your IP is assigned dynamically (DHCP, etc.) then this sounds 
    very familiar to the port 6346 DOS reported last week; 6346 is actually 
    the port used for the Gnutella network; where a user with this IP 
    previously had started and "announced"/broadcast services which you do 
    not support. I hope this calms your fears slightly. It is always good to 
    be diligent about security.
    
    -B
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
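
Added example, not part of the original message: a small Python triage of firewall lines in the shape quoted above, separating "many sources hitting one application port" (the stale Half-Life/Gnutella listing pattern described in the reply) from "one source walking many ports". The function names, the threshold of 3, the assumption that each "blocked" line is followed by one "Remote address" line, and the sample log are all constructed for illustration.

```python
import re
from collections import defaultdict
# Ports named in the message and the application each belongs to.
KNOWN_APP_PORTS = {27015: "Half-Life", 6346: "Gnutella"}
BLOCKED = re.compile(r'Rule "[^"]*" blocked \(([\d.x]+),(\d+)\)')
# Closing paren is optional: one quoted line in the message lacks it.
REMOTE = re.compile(r'Remote address,service is \(([\d.]+),(\d+)\)?')
# Constructed sample (documentation address ranges), not the poster's log.
SAMPLE = """\
Rule "gather" blocked (192.0.2.10,27015).  Details:
Remote address,service is (198.51.100.7,2756)
Rule "gather" blocked (192.0.2.10,27015).  Details:
Remote address,service is (198.51.100.93,22952
Rule "gather" blocked (192.0.2.10,27015).  Details:
Remote address,service is (203.0.113.44,22952)
Rule "gather" blocked (192.0.2.10,21).  Details:
Remote address,service is (203.0.113.200,4001)
Rule "gather" blocked (192.0.2.10,23).  Details:
Remote address,service is (203.0.113.200,4002)
Rule "gather" blocked (192.0.2.10,80).  Details:
Remote address,service is (203.0.113.200,4003)
""".splitlines()

def parse(lines):
    """Yield (local_port, remote_ip) for each blocked/remote line pair."""
    local_port = None
    for line in lines:
        line = line.lstrip("> ").strip()  # tolerate mail quoting
        m = BLOCKED.search(line)
        if m:
            local_port = int(m.group(2))
        elif local_port is not None and (m := REMOTE.search(line)):
            yield local_port, m.group(1)
            local_port = None

def triage(lines, min_sources=3):
    """Separate many-sources-to-one-port from one-source-to-many-ports."""
    by_port, by_remote = defaultdict(set), defaultdict(set)
    for port, remote in parse(lines):
        by_port[port].add(remote)
        by_remote[remote].add(port)
    findings = {}
    for port, remotes in by_port.items():
        if port in KNOWN_APP_PORTS and len(remotes) >= min_sources:
            findings[port] = f"{len(remotes)} sources, likely stale {KNOWN_APP_PORTS[port]} listing"
    for remote, ports in by_remote.items():
        if len(ports) >= min_sources:
            findings[remote] = f"{len(ports)} ports, likely port sweep"
    return findings
```

Calling `triage(SAMPLE)` returns one finding keyed by port 27015 and one keyed by the sweeping address; the heuristic is a first-pass sort, not proof of intent.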
    



    This archive was generated by hypermail 2b30 : Wed Jul 11 2001 - 16:33:55 PDT