[Dshield] massive scans on 255.255.255.255:80

k.lichtenwalder@computer.org k.lichtenwalder at computer.org
Tue Aug 7 21:13:01 GMT 2001


security at admin.fulgan.com wrote:
> 
> That means that either the attacker is local or someone is not doing
> his job configuring routers: this is global broadcasts and it

I guess it's the second thing. It's the external interface and honestly,
I don't trust the ISP involved that much. I do have a second system
with another ISP, with about 30 webservers active in a full /24 net,
with the same fw rules, and I don't see those addresses, not because
they could be from an internal network but because that ISP is much more
knowledgeable.

> shouldn't be able to cross routers. In fact, it's disabled by default
> on all routers that I know of.

Yeah, right, see above... Also, I'd wager, they use source routing,
which is disabled on that system also...
> 
> Now, given the fact that it seems to be coming from several IPs, with
> port 80, I would think that the problem is your log file. Perhaps it's
> confusing "subnet broadcasts" (that's packets sent to the broadcast
> address of your network) with global broadcasts (the all-network
> broadcast 255.255.255.255). The former is generated by CodeRed random
> IP generator and WILL cross routers (although, a well-behaved and
> firewalled router will not carry local broadcasts)
 
Well, it's indeed all-network broadcast. And it's coming from external.
But it looks like I should take that to the ISP involved...

Tnx,
Klaus
-- 
------------------------------------------------------------------------ 
 Klaus Lichtenwalder, Dipl. Inform.,       http://www.webforum.de/Klaus/
 Fax +49-(0)89-91072699                            Lichtenwalder at ACM.org
 NIC: KL2100, KL76-RIPE                     K.Lichtenwalder at Computer.org
 PGP Key fingerprint = 2658 EA97 E1A1 2680 5ECA  0036 80F5 F250 3CF8 C2C7
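
An added example, not part of the original message: a classifier that separates the two cases the quoted poster distinguishes, the limited broadcast 255.255.255.255 and the directed broadcast of a local subnet, when reviewing firewall log lines. The `SRC=`/`DST=`/`DPT=` log format, the function names and the 192.0.2.0/24 prefix are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the monitored external segment; replace with your own prefix(es).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
FIELD = re.compile(r"\b(SRC|DST|DPT)=(\S+)")

def classify_dst(dst, local_nets=LOCAL_NETS):
    """Return which kind of destination a logged packet was sent to."""
    addr = ipaddress.ip_address(dst)          # raises ValueError on garbage
    if addr == LIMITED_BROADCAST:
        return "limited-broadcast"            # all-ones: routers must not forward it
    for net in local_nets:
        if net.prefixlen < 31 and addr == net.broadcast_address:
            return "directed-broadcast"       # routable unless filtered upstream
        if addr in net:
            return "local-unicast"
    return "other"

def summarize(lines, port=80):
    """Count destination classes for packets to `port`; tally unparsable lines."""
    counts = Counter()
    for line in lines:
        fields = dict(FIELD.findall(line))
        try:
            if int(fields["DPT"]) != port:
                continue
            counts[classify_dst(fields["DST"])] += 1
        except (KeyError, ValueError):
            counts["unparsed"] += 1
    return counts

# Constructed sample lines (not taken from the thread).
SAMPLE = [
    "Aug  7 20:58:11 fw kernel: DROP IN=eth0 SRC=198.51.100.23 DST=255.255.255.255 PROTO=TCP DPT=80",
    "Aug  7 20:58:14 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.255 PROTO=TCP DPT=80",
    "Aug  7 20:58:19 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.17 PROTO=TCP DPT=80",
    "Aug  7 20:59:02 fw kernel: DROP IN=eth0 SRC=198.51.100.77 DST=255.255.255.255 PROTO=TCP DPT=80",
    "Aug  7 20:59:30 fw kernel: DROP IN=eth0 SRC=203.0.113.40 DST=192.0.2.255 PROTO=UDP DPT=137",
    "Aug  7 20:59:41 fw kernel: DROP IN=eth0 SRC=203.0.113.40 DST=not-an-ip PROTO=TCP DPT=80",
]

if __name__ == "__main__":
    for kind, n in summarize(SAMPLE).most_common():
        print(f"{kind:20s} {n}")
```

A non-zero `limited-broadcast` count on an external interface is the case to raise with the upstream provider; a count only under `directed-broadcast` points to the log-interpretation issue described in the quoted text.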



