I've been getting a good amount of rather odd traffic for the past six hours or so. 203.208.171.210 (registered to a company in Singapore) has been lobbing TCP to apparently random ports and hosts on my network. I can't detect a pattern. The rate is pretty low, too: one packet every couple of minutes or so. A sample log extract is appended. Is this backscatter from someone else scanning using some of my IP addresses for spoofing, or some sort of network mapping technique I haven't heard of yet?

Also, someone at Earthlink (in the office, it looks like; 207.217.94.249), swept UDP from port 33476 to 33523 to an IP on our network that is not currently being used (and in fact has not been used in a very long time), one packet per five seconds, ascending port numbers, no repetitions. Is this traceroute?

Kelly

Mar 30 12:19:03 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1196 dst inside:x.x.60.72/1045
Mar 30 12:19:04 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1252 dst inside:x.x.60.84/1267
Mar 30 12:19:32 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1138 dst inside:x.x.60.76/1156
Mar 30 12:23:12 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1167 dst inside:x.x.60.157/1278
Mar 30 12:25:18 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1192 dst inside:x.x.60.247/1154
Mar 30 12:30:43 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1094 dst inside:x.x.60.209/1206
Mar 30 12:33:07 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1269 dst inside:x.x.60.125/1091
Mar 30 12:34:13 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1027 dst inside:x.x.60.156/1166
Mar 30 12:36:37 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1054 dst inside:x.x.60.195/1264
Mar 30 12:37:46 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1135 dst inside:x.x.60.212/1097
Mar 30 12:37:51 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1104 dst inside:x.x.60.240/1121
Mar 30 12:40:57 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1266 dst inside:x.x.60.36/1270
Mar 30 12:52:04 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1067 dst inside:x.x.60.195/1128
Mar 30 13:03:51 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1254 dst inside:x.x.60.106/1153
Mar 30 13:04:00 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1125 dst inside:x.x.60.99/1194
Mar 30 13:10:25 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1175 dst inside:x.x.60.129/1268
Mar 30 13:10:35 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1062 dst inside:x.x.60.186/1247
Mar 30 13:10:49 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1183 dst inside:x.x.60.70/1027
Mar 30 13:10:58 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1082 dst inside:x.x.60.52/1141

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
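The following is an added example, not part of the original post: a Python summary of PIX 106010 deny lines per source, reporting the properties the post describes by eye (distinct hosts, port ranges, ascending-port sweeps, packet spacing). The names `summarize` and `LINE` are hypothetical, and the year 2002 is an assumption taken from the archive date because the log timestamps carry no year.

```python
import re
from collections import defaultdict
from datetime import datetime

# First six lines of the log extract in the post (destination prefix is masked as x.x there).
SAMPLE = """\
Mar 30 12:19:03 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1196 dst inside:x.x.60.72/1045
Mar 30 12:19:04 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1252 dst inside:x.x.60.84/1267
Mar 30 12:19:32 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1138 dst inside:x.x.60.76/1156
Mar 30 12:23:12 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1167 dst inside:x.x.60.157/1278
Mar 30 12:25:18 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1192 dst inside:x.x.60.247/1154
Mar 30 12:30:43 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1094 dst inside:x.x.60.209/1206
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) - %PIX-3-106010: Deny inbound (?P<proto>\w+) "
    r"src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dst>[\w.]+)/(?P<dport>\d+)"  # [\w.] tolerates masked octets
)

def summarize(text, year=2002):
    """Group deny events by (source IP, protocol) and describe each group."""
    events = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines that are not 106010 denies
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[(m["src"], m["proto"])].append(
            (when, m["dst"], int(m["sport"]), int(m["dport"])))
    report = {}
    for key, evs in events.items():
        evs.sort()  # chronological order
        gaps = sorted((b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:]))
        sports = [e[2] for e in evs]
        dports = [e[3] for e in evs]
        report[key] = {
            "packets": len(evs),
            "hosts": len({e[1] for e in evs}),
            "sport_range": (min(sports), max(sports)),
            "dport_range": (min(dports), max(dports)),
            # True for a strictly ascending sweep such as the UDP one described
            "dports_ascending": all(b > a for a, b in zip(dports, dports[1:])),
            "median_gap_s": gaps[len(gaps) // 2] if gaps else None,
        }
    return report

if __name__ == "__main__":
    for src, stats in summarize(SAMPLE).items():
        print(src, stats)
```
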
This archive was generated by hypermail 2b30 : Sun Mar 31 2002 - 21:43:31 PST