[Dshield] 1214 (Kazaa) multiple hits & 80 as well

John Sage jsage at finchhaven.com
Sat Jun 22 05:24:34 GMT 2002


On Fri, Jun 21, 2002 at 06:35:52AM -0500, Ed Truitt wrote:
> Does your ISP supply dynamic (DHCP) addresses, or static?  If the former, it
> may explain (partially) your getting hit with the KaZaA probes - this is
> quite common on dynamically-allocated IPs.

Yet another issue to consider:

If you currently have a dynamic IP that was "owned" previously by a
KaZaA user, that IP address is retained in a cache by the *other*
KaZaA users that person was connecting to..

Follow me?

So when one of those *other* KaZaA users comes online, and/or starts
up KaZaA, he immediately starts scanning that list of IP addresses,
looking for previous partners that are currently online.

I believe this explains why KaZaA probes suddenly appear out of
nowhere, even when you (or I, I'm on a dialup at home..) have been on
the same IP address for hours and hours.


- John
-- 
"You are in a little maze of twisty passages, all different."

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 
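The cached-peer explanation above can be checked against firewall logs. The following is an added example, not part of the original post: it groups inbound TCP SYNs by source and separates sources that only ever try port 1214 (consistent with a KaZaA client retrying a cached address) from sources that also touch other ports. The log lines are constructed samples in Linux netfilter LOG format with documentation-range addresses, and the single-port heuristic and label names are assumptions made for illustration.

```python
import re
from collections import defaultdict

KAZAA_PORT = 1214  # port named in the thread subject

# Constructed sample log (netfilter LOG format, documentation-range IPs).
SAMPLE_LOG = """\
Jun 22 05:10:01 gw kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=3101 DPT=1214 WINDOW=8192 SYN
Jun 22 05:10:04 gw kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=3101 DPT=1214 WINDOW=8192 SYN
Jun 22 05:10:10 gw kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=3101 DPT=1214 WINDOW=8192 SYN
Jun 22 05:11:30 gw kernel: IN=ppp0 OUT= SRC=203.0.113.44 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=1988 DPT=1214 WINDOW=8192 SYN
Jun 22 05:12:02 gw kernel: IN=ppp0 OUT= SRC=203.0.113.99 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=4500 DPT=1214 WINDOW=512 SYN
Jun 22 05:12:02 gw kernel: IN=ppp0 OUT= SRC=203.0.113.99 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=4501 DPT=80 WINDOW=512 SYN
Jun 22 05:13:45 gw kernel: IN=ppp0 OUT= SRC=198.51.100.200 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=2222 DPT=80 WINDOW=8192 SYN
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=\S+ .*?PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)"
)


def classify_sources(log_text):
    """Return {src_ip: (label, syn_count_to_1214)} for sources that hit 1214."""
    ports = defaultdict(set)      # every destination port each source tried
    hits_1214 = defaultdict(int)  # SYNs (including TCP retries) aimed at 1214
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None or " SYN" not in line:
            continue
        dpt = int(m["dpt"])
        ports[m["src"]].add(dpt)
        if dpt == KAZAA_PORT:
            hits_1214[m["src"]] += 1

    result = {}
    for src, seen in ports.items():
        if KAZAA_PORT not in seen:
            continue  # unrelated traffic, e.g. port-80-only sources
        # Assumption: a client working through a cached peer list tries 1214 only.
        label = "stale-peer-reconnect" if seen == {KAZAA_PORT} else "multi-port-probe"
        result[src] = (label, hits_1214[src])
    return result


if __name__ == "__main__":
    for src, (label, count) in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src:16} {label:22} SYNs to 1214: {count}")
```

Many distinct single-port sources appearing in bursts, each with a few retries, fits the stale-cache pattern; a source that pairs 1214 with other ports deserves a separate look.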



