[Dshield] massive scans on

security@admin.fulgan.com security at admin.fulgan.com
Tue Aug 7 13:32:00 GMT 2001

That means that either the attacker is local or someone is not doing
his job configuring routers: this is global broadcasts and it
shouldn't be able to cross routers. In fact, it's disabled by default
on all routers that I know of.

Now, given the fact that it seems to be coming from several IPs, with
port 80, I would think that the problem is your log file. Perhaps it's
confusing "subnet broadcasts" (that's packets sent to the broadcast
address of your network) with global broadcasts (the all-network
broadcast The former is generated by CodeRed random
IP generator and WILL cross routers (although, a well-behaved and
firewalled router will not carry local broadcasts)

Good luck, Stephane

klco> Hi,

klco> anybody else sees this? One machine I'm administering gets hit with
klco> Broadcast packages to port 80. It's all crushing on the firewall, but
klco> still. I mean, being tcp and all, what's a broadcast package worth then?
klco> Can you still map a subnet or so? The packages are coming from a
klco> multitude of different addresses.

klco> Klaus

Best regards,
 security                            mailto:security at admin.fulgan.com

More information about the list mailing list