On Tue, Dec 11, 2001 at 10:06:15PM -0000, Neil Long wrote:
> 6112 tcp is also the default for dtspcd - one of the CDE exploit scanners I
> guess.
>
> % grep dtsp /etc/inetd.conf
> # dtspc stream tcp nowait root /usr/dt/bin/dtspcd dtspcd
>
> % grep dtsp /etc/services
> dtspc 6112/tcp #subprocess control

Yes, this is exactly why this traffic made me take notice. However, in a
private email, it was pointed out to me that I've almost perfectly picked
out some of the battle.net servers:

Name: useast.battle.net
Addresses: 63.240.202.131, 63.240.202.138, 63.240.202.139, 63.240.202.140

And they most definitely do source lots of traffic on 6112/TCP. So, I'm
almost certainly wrong about them scanning me. Something else must be
happening.

Looking further, I've found that the destinations of all of this 6112/TCP
traffic appear to be randomly distributed on my networks. Hosts that are
most definitely *not* running games (SUNs for example) are being hit. Also,
IP addresses that are not even being used are getting these packets.

So, I dug into my netflows with flowdumper and I've found *tons* of
6112/TCP traffic in 40-byte packets with ACK + RST set. And, all of this
traffic was coming from the useast.battle.net servers and destined for IP
addresses nearly randomly distributed throughout my network.

Perhaps I'm just seeing backscatter from DoS attacks on the battle.net
servers?

The time period during which I saw this traffic was from sometime early on
12/8 through the afternoon on 12/10.

Paul
--
Paul Dokas dokasat_private
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
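The pattern Paul describes (header-only RST+ACK packets from a fixed service port fanning out across a network, including unused addresses) is the signature of DoS backscatter rather than a scan. As an added example that is not part of the original post, the snippet below applies that test to constructed flow records in a simplified flowdumper-like layout; the battle.net addresses and port 6112 come from the post, while the destination hosts, the unused-address set and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample flows:  src sport dst dport proto flags bytes pkts
# 63.240.202.x/6112 are the useast.battle.net sources named in the post;
# destinations and the unused ("dark") addresses below are made up.
FLOWS = """\
63.240.202.131 6112 192.0.2.17 52411 6 RA 40 1
63.240.202.131 6112 192.0.2.200 61001 6 RA 40 1
63.240.202.131 6112 192.0.2.250 51515 6 RA 40 1
63.240.202.138 6112 192.0.2.5 33033 6 RA 40 1
63.240.202.138 6112 192.0.2.250 45678 6 RA 80 2
192.0.2.9 6112 192.0.2.17 1044 6 SPA 13240 28
198.51.100.3 40000 192.0.2.17 6112 6 S 44 1
198.51.100.3 40001 192.0.2.18 6112 6 S 44 1
198.51.100.3 40002 192.0.2.19 6112 6 S 44 1
"""
UNUSED = {"192.0.2.200", "192.0.2.250"}  # unallocated addresses on our net
FIELDS = ("src", "sport", "dst", "dport", "proto", "flags", "bytes", "pkts")

def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts with int fields."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            rec = dict(zip(FIELDS, line.split()))
            for k in ("sport", "dport", "proto", "bytes", "pkts"):
                rec[k] = int(rec[k])
            flows.append(rec)
    return flows

def classify(flows, unused, min_dsts=3):
    """Label each source IP 'backscatter', 'scan' or 'normal'."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)
    labels = {}
    for src, fl in by_src.items():
        dsts = {f["dst"] for f in fl}
        # Header-only (40-byte) RST packets are what a flooded server sends
        # back to the spoofed source addresses; they land on dark space too.
        bare_rst = all("R" in f["flags"] and f["bytes"] == 40 * f["pkts"] for f in fl)
        syn_only = all(f["flags"] == "S" for f in fl)
        if bare_rst and (len(dsts) >= min_dsts or dsts & unused):
            labels[src] = "backscatter"
        elif syn_only and len(dsts) >= min_dsts:
            labels[src] = "scan"
        else:
            labels[src] = "normal"
    return labels

def summarize(text=FLOWS, unused=UNUSED):
    return classify(parse_flows(text), unused)
```

On real flow exports, feed the per-source labels into whatever alerting you use; the useful cue is the mix of bare RST traffic and hits on addresses that no host answers for.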
This archive was generated by hypermail 2b30 : Tue Dec 11 2001 - 19:13:23 PST