[Dshield] massive scans on 255.255.255.255:80

security@admin.fulgan.com security at admin.fulgan.com
Tue Aug 7 13:32:00 GMT 2001


That means that either the attacker is local or someone is not doing
his job configuring routers: these are global broadcasts and they
shouldn't be able to cross routers. In fact, it's disabled by default
on all routers that I know of.

Now, given the fact that it seems to be coming from several IPs, with
port 80, I would think that the problem is your log file. Perhaps it's
confusing "subnet broadcasts" (that's packets sent to the broadcast
address of your network) with global broadcasts (the all-network
broadcast 255.255.255.255). The former is generated by the CodeRed
random IP generator and WILL cross routers (although a well-behaved and
firewalled router will not carry local broadcasts).

Good luck, Stephane

klco> Hi,

klco> anybody else sees this? One machine I'm administering gets hit with
klco> Broadcast packages to port 80. It's all crushing on the firewall, but
klco> still. I mean, being tcp and all, what's a broadcast package worth then?
klco> Can you still map a subnet or so? The packages are coming from a
klco> multitude of different addresses.

klco> Klaus



-- 
Best regards,
 security                            mailto:security at admin.fulgan.com
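
To check a firewall log for the confusion described in the reply above, the following added example (not part of the original message) separates hits on 255.255.255.255 from hits on the subnet broadcast address and counts distinct sources for each. The network prefix, the log format and the sample lines are constructed assumptions.

```python
import ipaddress
import re

# Assumption: the protected network; replace with your own prefix.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample lines in a hypothetical firewall log format.
SAMPLE_LOG = """\
Aug  7 13:01:12 fw DROP TCP 198.51.100.7:3412 -> 255.255.255.255:80
Aug  7 13:01:15 fw DROP TCP 203.0.113.44:1187 -> 192.0.2.255:80
Aug  7 13:01:19 fw DROP TCP 203.0.113.90:2201 -> 192.0.2.0:80
Aug  7 13:01:23 fw DROP TCP 198.51.100.23:4410 -> 192.0.2.17:80
"""

# Captures source IP, destination IP and destination port.
LINE_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)")


def classify_destination(dst, local_net=LOCAL_NET):
    """Label a destination address relative to the local network."""
    addr = ipaddress.ip_address(dst)
    if addr == ipaddress.ip_address("255.255.255.255"):
        return "global-broadcast"   # all-network broadcast, should not cross routers
    if addr == local_net.broadcast_address:
        return "subnet-broadcast"   # routable like any other address in the prefix
    if addr == local_net.network_address:
        return "network-address"
    if addr in local_net:
        return "unicast-local"
    return "other"


def summarize(log_text, local_net=LOCAL_NET):
    """Return {destination class: number of distinct source IPs}."""
    sources = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        kind = classify_destination(m.group(2), local_net)
        sources.setdefault(kind, set()).add(m.group(1))
    return {kind: len(srcs) for kind, srcs in sources.items()}


if __name__ == "__main__":
    for kind, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{kind}: {n} distinct source(s)")
```
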