On Sat, Nov 23, 2002 at 05:41:12PM -0500, Esler, Joel -- Sytex Contractor wrote: > well I don't have whole captures of the packets. In case of SYN packets payload isn't important. Those SYN packets were the first step in three-way handshake. Of course, even if it was a part of - for example - SYN scan and a full connection was never meant to be done it still isn't "an attack". > But something was trying > to connect to TCP port 2599. I don't know what that is. OK, I understand you're just curious, but IMHO being interested in all SYN packets your server has respond to it's too paranoic approach. Nowadays nets are full of various robots, worms, automated tools and crawlers that are searching for data, informations valuable in bussines, statistics and so on. Also people are making mistakes leaving their misconfigured applications running all night, maybe it's just some enthusiast of networking that is testing his software, and he typed some random IP, and it was yours IP. It's important to trace new blackhat trends and new worms (or just bugs used by them), but, to do that you need to react on "incidents" like this by starting servers on ports someone's trying to connect to (then you need to recognize protocol used, and play with it, but it costs. It costs a lot of work and time). Co, IMHO, currently we can say, that what you've observed it wasn't attack. It was to early to confirm about a probe of intrusion. Bye :) -- [ ] gminick (at) underground.org.pl http://gminick.linuxsecurity.pl/ [ ] [ "Po prostu lubie poranna samotnosc, bo wtedy kawa smakuje najlepiej." ] ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Nov 25 2002 - 21:34:32 PST