RE: Logging of connects to port 6346

From: LordInfidel (LordInfidelat_private)
Date: Tue Apr 15 2003 - 14:30:38 PDT


    They (your ISP) are probably right.
    
    If your IP changed on 4/3 and on 4/4 you started seeing increased connection
    attempts to TCP 6346, then the last owner of your IP probably had Gnutella
    running, broadcasting that IP.
    
    You are just probably seeing the residual effects.  It looks like the
    attempts occur 1 every 45 minutes from the same host, which is not
    indicative of a widespread DoS attack.  The connection attempts would be
    fast and furious.
    
    From BearShare:
    Q: What is a host cache?
    A: A host cache is a program which hands out IP addresses to Gnutella
    clients. When a Gnutella client is started it needs to find some other
    Gnutella clients in order to connect to the network. The host cache provides
    those IPs. The host cache is usually the first place you connect to when
    launching BearShare. Once you have received some addresses from the host
    cache, you then attempt to connect to those addresses. The only reason to
    communicate with the host cache after that would be if all the IP addresses
    you had were not working and you needed some more IP addresses to try.
    
    You really have 2 options.
    
    1- If that port is not opened on your machine and is being dropped, then you
       can create a rule on your firewall to reject attempts to that port instead
       of silently discarding them (drop).  Maybe the master list will get the
       hint and remove your address.  Keep your IP address for now and treat the
       attempts as frivolous port scans.  They are not getting in anyway.
    
    2- If it really bothers you this much, disconnect from the net and then
       reconnect, which should result in a new IP.
    
    Unless you start seeing massive connection attempts at the rate of several
    hundred per min/sec, I would not concern myself too much with it.  These are
    some of the headaches that you have to deal with when your IP changes often.
    
    Think of it as receiving mail (physical) to the person that used to live in
    your house.
    
    JMO
    
    LordInfidel
    ____________
    Long live the BOFH!
    
    -----Original Message-----
    From: kbergenat_private [mailto:kbergenat_private]
    Sent: Monday, April 14, 2003 6:58 PM
    To: incidentsat_private
    Subject: Logging of connects to port 6346
    
    
    To all,
    
    I have read all of the back information that I could find, and still do not
    have my question answered. While I realize this is an old question, the
    number of attempted connects that I get seems to be exorbitant.
    
    I have logged 7520 attempted connects to my dynamic IP address between the
    period of 04/03/03 at 09:03 and 04/10/03 at 16:15 ... or approximately 7 1/2
    days. The logging is off of my Linksys router using the Kiwi syslogd
    program.
    
    I have tried writing to the ISPs of some of the more numerous attempts. Most
    say that if you are talking about port 6346, then it is due to a dynamic IP
    address change, and there is nothing they will do. This is because they are
    assuming that you have recently taken over the IP address of a machine
    running a Gnutella service such as LimeWire.
    
    I do not believe their answer, because I have been using an "always on"
    connection. I have had the same IP address since 04/04/03 at 14:29.
    Therefore, I counter that the connecting machines would not be connecting to
    me for the reasons that the ISP believes.
    
    I believe that the connection attempts must be stemming from another source.
    The conspiratorial side of me thinks "What better way to attack people than
    to attack a port that ISPs will ignore complaints on".
    
    Has anybody else seen similar problems? Can anybody help me with information
    on why these connection attempts are so numerous?
    
    Regards,
    Keith Bergen.
    
    Here are some sample logs of the connects. Keep in mind that at this point
    I've had the IP address since 04/03.
    
    2003-04-09 22:03:13	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 63.202.234.52 2162 65.81.41.141 6346<010>
    commonModelId 
    2003-04-09 22:10:13	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 172.184.54.229 4133 65.81.41.141 6346<010>
    commonModelId 
    2003-04-09 22:14:34	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 213.93.197.49 52180 65.81.41.141 6346<010>
    commonModelId 
    2003-04-09 22:17:41	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 66.93.128.118 56471 65.81.41.141 6346<010>
    commonModelId 
    2003-04-09 22:21:54	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 63.202.234.52 4375 65.81.41.141 6346<010>
    commonModelId 
    2003-04-09 22:26:58	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 209.217.122.150 4698 65.81.41.141 6346<010>
    commonModelId 
    2003-04-09 22:38:20	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 66.93.128.118 58305 65.81.41.141 6346<010>
    commonModelId 
    2003-04-09 22:44:49	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 81.224.231.248 64548 65.81.41.141 6346<010>
    commonModelId 
    2003-04-09 22:54:42	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 63.202.234.52 4652 65.81.41.141 6346<010>
    commonModelId 
    2003-04-09 22:58:55	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 66.93.128.118 60201 65.81.41.141 6346<010>
    commonModelId 
    2003-04-09 23:02:17	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 24.61.163.93 41634 65.81.41.141 6346<010>
    commonModelId 
    2003-04-09 23:10:21	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 209.217.122.150 3120 65.81.41.141 6346<010>
    commonModelId 
    2003-04-09 23:10:57	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 63.98.148.93 2984 65.81.41.141 6346<010>
    commonModelId 
    2003-04-09 23:13:16	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 199.222.161.102 59116 65.81.41.141 6346<010>
    commonModelId 
    2003-04-09 23:15:10	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 63.202.234.52 3234 65.81.41.141 6346<010>
    commonModelId 
    2003-04-09 23:19:30	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 66.93.128.118 33887 65.81.41.141 6346<010>
    commonModelId 
    2003-04-09 23:34:57	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 63.202.234.52 1347 65.81.41.141 6346<010>
    commonModelId 
    2003-04-09 23:54:13	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 209.217.122.150 1883 65.81.41.141 6346<010>
    commonModelId 
    2003-04-09 23:54:36	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 63.202.234.52 4478 65.81.41.141 6346<010>
    commonModelId 
    2003-04-10 00:14:06	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 63.202.234.52 4309 65.81.41.141 6346<010>
    commonModelId 
    2003-04-10 00:39:06	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 209.217.122.150 4273 65.81.41.141 6346<010>
    commonModelId 
    2003-04-10 00:41:01	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 199.222.161.102 25513 65.81.41.141 6346<010>
    commonModelId 
    2003-04-10 01:00:03	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 81.224.231.248 64925 65.81.41.141 6346<010>
    commonModelId 
    2003-04-10 01:22:50	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 80.142.44.128 4713 65.81.41.141 6346<010>
    commonModelId 
    2003-04-10 01:23:50	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 209.217.122.150 2632 65.81.41.141 6346<010>
    commonModelId 
    2003-04-10 02:07:55	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 209.217.122.150 4958 65.81.41.141 6346<010>
    commonModelId 
    2003-04-10 02:09:05	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 62.119.135.194 1118 65.81.41.141 6346<010>
    commonModelId 
    2003-04-10 02:21:43	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 212.239.186.34 1952 65.81.41.141 6346<010>
    commonModelId 
    2003-04-10 02:35:44	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 24.61.163.93 56279 65.81.41.141 6346<010>
    commonModelId 
    2003-04-10 02:52:12	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 209.217.122.150 3327 65.81.41.141 6346<010>
    commonModelId 
    2003-04-10 03:05:05	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 81.224.231.248 65420 65.81.41.141 6346<010>
    commonModelId 
    2003-04-10 03:25:44	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 80.136.105.197 3944 65.81.41.141 6346<010>
    commonModelId 
    2003-04-10 03:35:45	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 209.217.122.150 1826 65.81.41.141 6346<010>
    commonModelId 
    2003-04-10 03:38:41	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 66.93.128.118 38561 65.81.41.141 6346<010>
    commonModelId 
    2003-04-10 04:19:37	Local7.Error	192.168.1.1
    1.3.6.1.4.1.3955.1.1.0 @in 209.217.122.150 4176 65.81.41.141 6346<010>
    commonModelId 
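
A small triage script, added here and not part of the original thread, that parses the Linksys/Kiwi syslog records quoted above, counts attempts per source and measures the interval between a source's successive hits (the "1 every 45 minutes from the same host" pattern), and checks whether any 60-second window ever reaches a flood-like rate. The regular expression and the 100-per-minute flood threshold are assumptions; the sample records are copied from the post, joined back into one line each.

```python
import re
from collections import defaultdict
from datetime import datetime

# Records copied from the logs quoted in the post, one Kiwi syslog record per line (the
# archive wrapped each record over three lines; "<010>" is Kiwi's escaped newline).
SAMPLE_LOG = """\
2003-04-09 22:03:13\tLocal7.Error\t192.168.1.1 1.3.6.1.4.1.3955.1.1.0 @in 63.202.234.52 2162 65.81.41.141 6346<010> commonModelId
2003-04-09 22:10:13\tLocal7.Error\t192.168.1.1 1.3.6.1.4.1.3955.1.1.0 @in 172.184.54.229 4133 65.81.41.141 6346<010> commonModelId
2003-04-09 22:26:58\tLocal7.Error\t192.168.1.1 1.3.6.1.4.1.3955.1.1.0 @in 209.217.122.150 4698 65.81.41.141 6346<010> commonModelId
2003-04-09 22:54:42\tLocal7.Error\t192.168.1.1 1.3.6.1.4.1.3955.1.1.0 @in 63.202.234.52 4652 65.81.41.141 6346<010> commonModelId
2003-04-09 23:10:21\tLocal7.Error\t192.168.1.1 1.3.6.1.4.1.3955.1.1.0 @in 209.217.122.150 3120 65.81.41.141 6346<010> commonModelId
2003-04-09 23:54:13\tLocal7.Error\t192.168.1.1 1.3.6.1.4.1.3955.1.1.0 @in 209.217.122.150 1883 65.81.41.141 6346<010> commonModelId
2003-04-10 00:39:06\tLocal7.Error\t192.168.1.1 1.3.6.1.4.1.3955.1.1.0 @in 209.217.122.150 4273 65.81.41.141 6346<010> commonModelId
"""
RECORD = re.compile(  # timestamp, then the "@in src sport dst dport" fields of the trap text (assumed layout)
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\t\S+\t\S+\s+\S+\s+@in\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)")

def parse_log(text):
    """Return (timestamp, src_ip, src_port, dst_ip, dst_port) tuples; unparsable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                        m.group(2), int(m.group(3)), m.group(4), int(m.group(5))))
    return out

def per_source_stats(entries, dst_port=6346):
    """Hits per source and the mean seconds between that source's successive attempts."""
    times = defaultdict(list)
    for ts, src, _sp, _dst, dp in entries:
        if dp == dst_port:
            times[src].append(ts)
    stats = {}
    for src, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        stats[src] = {"count": len(stamps), "mean_gap_s": sum(gaps) / len(gaps) if gaps else None}
    return stats

def looks_like_flood(entries, dst_port=6346, per_minute=100):
    """True if any 60 s window holds >= per_minute attempts; a slow trickle like the one above never does."""
    stamps = sorted(ts for ts, _s, _sp, _d, dp in entries if dp == dst_port)
    lo = 0
    for hi, ts in enumerate(stamps):
        while (ts - stamps[lo]).total_seconds() > 60:
            lo += 1
        if hi - lo + 1 >= per_minute:
            return True
    return False
```

On the quoted sample, 209.217.122.150 returns about every 44 minutes, which is the retry cadence of a peer working through a stale host list rather than a flood.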
    
    
    
    



    This archive was generated by hypermail 2b30 : Thu Apr 17 2003 - 14:23:04 PDT