Andrea, After a cursory overview, my first guess would be that someone is using a tool like nmap to poke around for a hole on port 36 using multiple "decoy" IP addresses (the "-D" option). The packets are too infrequent to argue for a DDoS. However we'll notice that the source port is always port 137, which would also make me suspect a coordinated probe from bots. I would think nmap from a single machine would generate packets with at least somewhat varying source ports. From http://www.iana.org/assignments/port-numbers: # 36/tcp Unassigned # 36/udp Unassigned time 37/tcp Time time 37/udp Time # 40/tcp Unassigned # 40/udp Unassigned ... no standard uses for 36 (most frequently scanned) and 40. I wonder if this d00d is looking for more bots configured to listen on one of those 3 ports. An (admittedly brief) google search doesn't show much for these ports. Anyone have more info. on these (that may know more about bots than I)? You may want to do a ping sweep and nslookup on the source IP's to see if they're legit. Some things to think about: Is the host alive? Does its reverse DNS resolve to some sort of modem pool (to indicate a home user)? Another thing you may want to do, if you find that one (or more) of the source IP's are legit and alive (and I know this flirts with the grey area of the law): do a portscan to see if any of the people who scanned YOU are listening on those three ports (keep in mind TCP/37 is UTP and may be a genuine service). One thing I can't explain is why you're getting hit so many times at your router (one IP) for these ports. It's not like by knocking harder the hax0r is going to convince you to open up the firewall door... perhaps repeated sweeps of the subnet that my.border.router.ip resides in? Just some thoughts... please feel free to correct me if I'm totally off-base with anything (I'm sure I blew the call somewhere in here :-) ). Mike Cloppert Systems Analyst Fifth Third Bank 513 534 0898 michael.cloppertat_private > -----Original Message----- > From: Andrea Efstathiou [mailto:aefstathiouat_private] > Sent: Monday, January 07, 2002 11:49 AM > To: incidentsat_private > Subject: Strange connection attempts > > > Hi All, > > I was wondering if anyone else was seeing, or has seen > attempts like this > before and/or could tell me what mite be causing them. > > Jan 2 13:42:13 my.domain.com41479: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 62.106.18.248(137) -> my.border.router.ip(36), 1 packet > Jan 2 13:44:53 my.domain.com41482: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 208.58.230.212(137) -> my.border.router.ip(36), 1 packet > Jan 2 13:45:08 my.domain.com41484: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 80.116.251.123(137) -> my.border.router.ip(36), 1 packet > Jan 2 13:46:47 my.domain.com41485: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 195.176.180.174(137) -> my.border.router.ip(36), 1 packet > Jan 2 13:46:58 my.domain.com41487: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 213.37.60.15(137) -> my.border.router.ip(36), 1 packet > Jan 2 13:47:58 my.domain.com41502: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 141.217.10.169(137) -> my.border.router.ip(36), 1 packet > Jan 2 13:48:56 my.domain.com41504: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 65.103.119.138(137) -> my.border.router.ip(36), 1 packet > Jan 2 13:50:08 my.domain.com41506: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 62.56.168.38(137) -> my.border.router.ip(36), 1 packet > Jan 2 13:51:52 my.domain.com41509: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 216.191.217.66(137) -> my.border.router.ip(36), 1 packet > Jan 2 13:52:14 my.domain.com41510: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 204.210.232.253(137) -> my.border.router.ip(36), 1 packet > Jan 2 13:56:01 my.domain.com41516: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 203.247.220.183(137) -> my.border.router.ip(36), 1 packet > Jan 2 13:56:39 my.domain.com41517: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 209.107.57.252(137) -> my.border.router.ip(36), 1 packet > Jan 2 13:56:56 my.domain.com41518: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 216.191.217.66(137) -> my.border.router.ip(36), 2 packets > Jan 2 13:57:56 my.domain.com41519: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 204.210.232.253(137) -> my.border.router.ip(36), 2 packets > Jan 2 14:00:58 my.domain.com41527: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 24.65.246.247(137) -> my.border.router.ip(36), 1 packet > Jan 2 14:01:27 my.domain.com41528: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 212.131.230.179(137) -> my.border.router.ip(36), 1 packet > Jan 2 14:01:57 my.domain.com41529: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 203.247.220.183(137) -> my.border.router.ip(36), 1 packet > Jan 2 14:05:38 my.domain.com41534: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 207.173.208.254(137) -> my.border.router.ip(36), 1 packet > Jan 2 14:06:00 my.domain.com41536: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 202.8.234.234(137) -> my.border.router.ip(36), 1 packet > Jan 2 14:06:57 my.domain.com41539: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 24.65.246.247(137) -> my.border.router.ip(36), 2 packets > Jan 2 14:07:39 my.domain.com41540: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 213.37.60.15(137) -> my.border.router.ip(36), 1 packet > Jan 2 14:09:25 my.domain.com41544: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 203.247.220.183(137) -> my.border.router.ip(36), 1 packet > Jan 2 14:13:53 my.domain.com41559: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 203.247.220.183(137) -> my.border.router.ip(36), 1 packet > Jan 2 14:17:19 my.domain.com41565: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 66.168.212.107(137) -> my.border.router.ip(36), 1 packet > Jan 2 14:19:50 my.domain.com41568: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 207.40.241.184(137) -> my.border.router.ip(36), 1 packet > Jan 2 14:20:59 my.domain.com41569: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 65.81.200.98(137) -> my.border.router.ip(36), 2 packets > Jan 2 14:22:59 my.domain.com41573: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 66.168.212.107(137) -> my.border.router.ip(36), 2 packets > Jan 2 14:23:59 my.domain.com41576: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 203.247.220.183(137) -> my.border.router.ip(36), 3 packets > Jan 2 14:24:29 my.domain.com41578: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 158.194.80.59(137) -> my.border.router.ip(36), 1 packet > Jan 2 14:24:59 my.domain.com41579: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 207.40.241.184(137) -> my.border.router.ip(36), 2 packets > Jan 2 14:25:59 my.domain.com41581: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 24.95.243.199(137) -> my.border.router.ip(36), 1 packet > Jan 2 14:27:28 my.domain.com41585: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 65.204.206.98(137) -> my.border.router.ip(36), 1 packet > Jan 2 14:27:48 my.domain.com41586: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 24.197.234.119(137) -> my.border.router.ip(36), 1 packet > Jan 2 14:30:00 my.domain.com41589: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 158.194.80.59(137) -> my.border.router.ip(36), 2 packets > Jan 2 14:30:54 my.domain.com41592: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 216.191.217.66(137) -> my.border.router.ip(36), 1 packet > Jan 2 14:32:02 my.domain.com41596: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 24.159.100.37(137) -> my.border.router.ip(36), 1 packet > Jan 2 14:33:00 my.domain.com41599: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 24.197.234.119(137) -> my.border.router.ip(36), 2 packets > Jan 2 14:34:38 my.domain.com41600: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 213.221.145.131(137) -> my.border.router.ip(36), 1 packet > Jan 2 14:36:00 my.domain.com41602: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 144.92.175.159(137) -> my.border.router.ip(36), 1 packet > Jan 2 14:40:01 my.domain.com41610: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 213.221.145.131(137) -> my.border.router.ip(36), 2 packets > Jan 2 14:40:56 my.domain.com41612: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 24.65.246.247(137) -> my.border.router.ip(36), 1 packet > Jan 2 14:41:02 my.domain.com41614: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 128.163.94.92(137) -> my.border.router.ip(36), 1 packet > Jan 2 14:41:35 my.domain.com41615: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 168.131.57.87(137) -> my.border.router.ip(36), 1 packet > Jan 2 14:41:53 my.domain.com41616: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 80.83.39.140(137) -> my.border.router.ip(36), 1 packet > Jan 2 14:42:23 my.domain.com41618: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 62.149.128.36(137) -> my.border.router.ip(36), 1 packet > Jan 2 14:44:21 my.domain.com41623: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 213.45.107.130(137) -> my.border.router.ip(36), 1 packet > Jan 2 14:46:01 my.domain.com41627: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 24.65.246.247(137) -> my.border.router.ip(36), 2 packets > Jan 2 14:47:01 my.domain.com41629: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 80.83.39.140(137) -> my.border.router.ip(36), 2 packets > Jan 2 14:50:11 my.domain.com41632: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 142.103.165.51(137) -> my.border.router.ip(36), 1 packet > Jan 2 14:51:03 my.domain.com41637: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 208.20.105.233(137) -> my.border.router.ip(36), 1 packet > Jan 2 14:51:40 my.domain.com41638: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 65.33.170.194(137) -> my.border.router.ip(36), 1 packet > Jan 2 14:54:02 my.domain.com41642: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 62.149.128.36(137) -> my.border.router.ip(36), 2 packets > Jan 2 14:54:57 my.domain.com41644: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 211.171.214.131(137) -> my.border.router.ip(36), 1 packet > Jan 2 14:55:18 my.domain.com41646: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 212.125.225.165(137) -> my.border.router.ip(36), 1 packet > Jan 2 14:55:47 my.domain.com41647: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 24.198.44.4(137) -> my.border.router.ip(36), 1 packet > Jan 2 14:57:03 my.domain.com41652: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 208.20.105.233(137) -> my.border.router.ip(36), 2 packets > Jan 2 14:58:56 my.domain.com41654: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 202.180.172.8(137) -> my.border.router.ip(36), 1 packet > Jan 2 15:00:03 my.domain.com41659: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 211.171.214.131(137) -> my.border.router.ip(36), 2 packets > Jan 2 15:01:48 my.domain.com41663: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 211.219.43.175(137) -> my.border.router.ip(36), 1 packet > Jan 2 15:04:03 my.domain.com41667: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 202.180.172.8(137) -> my.border.router.ip(36), 2 packets > Jan 2 15:07:04 my.domain.com41672: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 211.219.43.175(137) -> my.border.router.ip(36), 2 packets > > Jan 3 09:04:37 my.domain.com41870: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 24.196.28.67(137) -> my.border.router.ip(37), 1 packet > Jan 3 09:05:48 my.domain.com41871: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 209.91.178.156(137) -> my.border.router.ip(37), 1 packet > Jan 3 09:07:04 my.domain.com41873: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 24.207.157.172(137) -> my.border.router.ip(37), 1 packet > Jan 3 09:09:43 my.domain.com41875: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 65.212.205.68(137) -> my.border.router.ip(37), 1 packet > Jan 3 09:10:11 my.domain.com41876: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 208.63.88.86(137) -> my.border.router.ip(37), 1 packet > Jan 3 09:10:28 my.domain.com41877: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 24.196.28.67(137) -> my.border.router.ip(37), 2 packets > Jan 3 09:10:45 my.domain.com41878: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 144.92.175.27(137) -> my.border.router.ip(37), 1 packet > Jan 3 09:12:04 my.domain.com41880: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 156.3.31.177(137) -> my.border.router.ip(37), 1 packet > Jan 3 09:12:13 my.domain.com41881: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 4.3.205.254(137) -> my.border.router.ip(37), 1 packet > Jan 3 09:12:29 my.domain.com41882: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 24.207.157.172(137) -> my.border.router.ip(37), 2 packets > Jan 3 09:12:33 my.domain.com41883: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 62.107.131.247(137) -> my.border.router.ip(37), 1 packet > Jan 3 09:15:29 my.domain.com41885: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 208.63.88.86(137) -> my.border.router.ip(37), 2 packets > Jan 3 09:16:29 my.domain.com41886: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 144.92.175.27(137) -> my.border.router.ip(37), 2 packets > Jan 3 09:17:29 my.domain.com41887: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 156.3.31.177(137) -> my.border.router.ip(37), 2 packets > Jan 3 09:18:29 my.domain.com41888: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 62.107.131.247(137) -> my.border.router.ip(37), 2 packets > > Jan 4 17:42:43 my.domain.com42179: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 208.63.124.173(137) -> my.border.router.ip(40), 1 packet > Jan 4 17:43:33 my.domain.com42181: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 206.142.24.160(137) -> my.border.router.ip(40), 1 packet > Jan 4 17:44:12 my.domain.com42183: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 65.198.243.40(137) -> my.border.router.ip(40), 1 packet > Jan 4 17:44:33 my.domain.com42184: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 80.89.162.78(137) -> my.border.router.ip(40), 1 packet > Jan 4 17:44:44 my.domain.com42185: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 80.116.246.179(137) -> my.border.router.ip(40), 1 packet > Jan 4 17:45:51 my.domain.com42187: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 209.251.16.2(137) -> my.border.router.ip(40), 1 packet > Jan 4 17:46:45 my.domain.com42188: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 206.69.196.90(137) -> my.border.router.ip(40), 1 packet > Jan 4 17:47:04 my.domain.com42189: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 62.142.203.158(137) -> my.border.router.ip(40), 1 packet > Jan 4 17:47:33 my.domain.com42190: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 66.169.232.55(137) -> my.border.router.ip(40), 1 packet > Jan 4 17:49:51 my.domain.com42193: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 65.198.243.40(137) -> my.border.router.ip(40), 1 packet > Jan 4 17:50:51 my.domain.com42194: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 209.251.16.2(137) -> my.border.router.ip(40), 2 packets > Jan 4 17:51:21 my.domain.com42195: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 134.102.68.26(137) -> my.border.router.ip(40), 1 packet > Jan 4 17:52:30 my.domain.com42196: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 130.184.111.212(137) -> my.border.router.ip(40), 1 packet > Jan 4 17:52:51 my.domain.com42197: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 80.89.162.78(137) -> my.border.router.ip(40), 1 packet > Jan 4 17:53:22 my.domain.com42198: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 137.204.133.109(137) -> my.border.router.ip(40), 1 packet > Jan 4 17:54:51 my.domain.com42200: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 80.116.246.179(137) -> my.border.router.ip(40), 3 packets > Jan 4 17:56:24 my.domain.com42201: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 66.169.149.134(137) -> my.border.router.ip(40), 1 packet > Jan 4 17:56:28 my.domain.com42202: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 80.116.86.119(137) -> my.border.router.ip(40), 1 packet > Jan 4 17:56:52 my.domain.com42204: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 134.102.68.26(137) -> my.border.router.ip(40), 2 packets > Jan 4 17:57:52 my.domain.com42205: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 130.184.111.212(137) -> my.border.router.ip(40), 2 packets > Jan 4 17:58:52 my.domain.com42206: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 137.204.133.109(137) -> my.border.router.ip(40), 2 packets > Jan 4 18:01:52 my.domain.com42209: %SEC-6-IPACCESSLOGP: list > inbound denied > udp 66.169.149.134(137) -> my.border.router.ip(40), 1 packet > > Regards, > > Andrea Efstathiou > > > -------------------------------------------------------------- > -------------- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jan 08 2002 - 08:09:30 PST