Has anyone seen probes like this in the last few days? I've never seen them before, then last night I got more than 300 attempts in a little over 2 hours.

Sep 4 18:53:39 xxx kernel: Packet log: input DENY ppp0 PROTO=6 a.a.30.66:1761 x.x.16.93:8500 L=48 S=0x00 I=65349 F=0x4000 T=117 SYN (#67)
Sep 4 18:53:40 xxx kernel: Packet log: input DENY ppp0 PROTO=6 b.b.18.36:1039 x.x.16.93:8500 L=48 S=0x00 I=43805 F=0x4000 T=123 SYN (#67)
Sep 4 18:53:42 xxx kernel: Packet log: input DENY ppp0 PROTO=6 a.a.30.66:1761 x.x.16.93:8500 L=48 S=0x00 I=65351 F=0x4000 T=117 SYN (#67)
Sep 4 18:53:47 xxx kernel: Packet log: input DENY ppp0 PROTO=6 b.b.18.36:1039 x.x.16.93:8500 L=48 S=0x00 I=44317 F=0x4000 T=123 SYN (#67)
Sep 4 18:53:48 xxx kernel: Packet log: input DENY ppp0 PROTO=6 a.a.30.66:1761 x.x.16.93:8500 L=48 S=0x00 I=65427 F=0x4000 T=117 SYN (#67)

The scans came from 4 different IP addresses, one of which also tried ports 15453 and 26138, and another which also tried port 20687. Another tried port 20687 without trying 8500. The source addresses are from two different networks, but both are in the local geographical region.

I wondered whether it was some sort of gaming or file sharing, where the initial setup is done via http to a central server and the subsequent connections are peer-to-peer. However, none of the users wants to own up to doing anything (surprise, surprise ;-).

Paul

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
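
Added example, not part of the original post: a small Python parser for the ipchains packet-log lines quoted above. It collapses repeated SYNs from the same source address and source port into one connection attempt, so raw packet counts are not mistaken for distinct probes. The sample input is the five masked lines from the post; the function names and the grouping heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the five masked ipchains log lines quoted in the post.
SAMPLE = """\
Sep 4 18:53:39 xxx kernel: Packet log: input DENY ppp0 PROTO=6 a.a.30.66:1761 x.x.16.93:8500 L=48 S=0x00 I=65349 F=0x4000 T=117 SYN (#67)
Sep 4 18:53:40 xxx kernel: Packet log: input DENY ppp0 PROTO=6 b.b.18.36:1039 x.x.16.93:8500 L=48 S=0x00 I=43805 F=0x4000 T=123 SYN (#67)
Sep 4 18:53:42 xxx kernel: Packet log: input DENY ppp0 PROTO=6 a.a.30.66:1761 x.x.16.93:8500 L=48 S=0x00 I=65351 F=0x4000 T=117 SYN (#67)
Sep 4 18:53:47 xxx kernel: Packet log: input DENY ppp0 PROTO=6 b.b.18.36:1039 x.x.16.93:8500 L=48 S=0x00 I=44317 F=0x4000 T=123 SYN (#67)
Sep 4 18:53:48 xxx kernel: Packet log: input DENY ppp0 PROTO=6 a.a.30.66:1761 x.x.16.93:8500 L=48 S=0x00 I=65427 F=0x4000 T=117 SYN (#67)
"""

# Addresses are matched as \S+ because the post masks the leading octets.
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>\S+) I=(?P<ipid>\d+) F=(?P<frag>\S+) T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)

def parse(text):
    """Return one dict of fields per ipchains packet-log line found in text."""
    return [m.groupdict() for m in map(LINE_RE.search, text.splitlines()) if m]

def summarize(records):
    """Group denied TCP SYNs into distinct connection attempts per source.

    Heuristic (assumption of this example): packets sharing source address,
    source port and destination port are retransmissions of one attempt.
    """
    attempts = defaultdict(int)
    for r in records:
        if r["action"] == "DENY" and r["proto"] == "6" and r["syn"]:
            attempts[(r["src"], int(r["sport"]), int(r["dport"]))] += 1
    per_source = defaultdict(lambda: {"packets": 0, "attempts": 0, "ports": set()})
    for (src, _sport, dport), count in attempts.items():
        entry = per_source[src]
        entry["packets"] += count
        entry["attempts"] += 1
        entry["ports"].add(dport)
    return dict(per_source)

if __name__ == "__main__":
    for src, s in sorted(summarize(parse(SAMPLE)).items()):
        print(f"{src}: {s['packets']} packets, {s['attempts']} attempt(s), "
              f"ports {sorted(s['ports'])}")
```

On the quoted sample the five logged packets reduce to two connection attempts, one per source address.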
This archive was generated by hypermail 2b30 : Wed Sep 05 2001 - 08:33:11 PDT