[Dshield] continueing attacks (Angela)

Angel G. Polanco Rodriguez angel at tunku.uady.mx
Mon Mar 11 19:12:20 GMT 2002


Hi,

How can I filter RTSP traffic (multimedia traffic, such as mp3 files or
Napster)? This is a problem if the network has little bandwidth.

Thanks in advance.


                   ************************************
                   |   ANGEL G. POLANCO RODRIGUEZ     |
                   | UNIVERSIDAD AUTONOMA DE YUCATAN  |
                   | DIRECCION      GENERAL        DE |
                   |      DESARROLLO ACADEMICO        |
                   | DEPARTAMENTO  DE  TELEINFORMATICA|
                   | CALLE 59 POR  AV.  ITZAEZ  # 490 |
                   | MERIDA,      YUCATAN,     MEXICO |
                   |      CODIGO POSTAL :  97 000     |
                   |     TELEFONO:52 (99)  23 74 28   |
                   |    E-mail: angel at tunku.uady.mx   |
                   |        http://www.uady.mx        |
                   ************************************
On Mon, 11 Mar 2002, Kelly Martin wrote:

> The port 6970 connections represent RTP/RTSP streaming media connections and
> are probably the result of users on your network attempting to view streamed
> media content.  See, e.g.
> http://www.akamai.com/en/html/misc/support_faq.html. These are not attacks.
>
> Connections to TCP port 113 are not attacks; this is the ident service.  By
> blocking this port, you may interfere with your ability to send email.  If
> you do block it, you should configure your firewall to send back a TCP reset
> or mail delivery will be slowed or prevented entirely.  Does the .69 machine
> send mail to the Internet?
>
> About the only bona fide attacks in this log fragment are the FTP scan from
> ns1.upc.nl (212.83.94.147), the stuff from 10.1.1.68, which is either
> spoofed or the result of network misconfiguration at your site (10.1.1.68 is
> nonroutable, so those packets didn't get to your network in the normal
> manner), and the HTTP scan from 110.200.64.100 (probably Nimda or Code Red).
> None of these, except perhaps the stuff from 10.1.1.68, is a serious
> concern.
>
> Regards,
>
> Kelly Martin
>
> > -----Original Message-----
> > From:	Davicrockit at netscape.net [SMTP:Davicrockit at netscape.net]
> > Sent:	Monday, March 11, 2002 10:35 AM
> > To:	list at dshield.org
> > Cc:	securityoperations at level3.com; seasysadm_unix at interland.com;
> > datasupport at newsouth.net
> > Subject:	[Dshield] continueing attacks  (Angela)
> >
> > Folks,
> > Last week and this morning our network has been under a constant but still
> > denied attack. Below are some of the ports and the ip #s from where they
> > are coming from. My firebox is holding for now...we have at least four
> > different attackers or they are bouncing around everywhere to strike at
> > us. Any info about this would greatly be appreciated. Sorry I have to use
> > my own web email to send this but our email is down and I think it is due
> > to the hacks. The only ports open are 25 & 80. I hope, as well as my
> > partner Brad Shifflet, that we can keep our service up and going.  My
> > email address here at work is dstigers at kaco.org but it is not working now.
> > Here are the logs...
> >
> > 03/11/02 07:57  firewalld[105]:  deny in eth0 647 udp 20 50 205.188.228.33 66.147.xxx.69 8230 6970 (default)
> > 03/11/02 07:57  firewalld[105]:  deny in eth0 638 udp 20 50 205.188.228.33 66.147.xxx.69 8230 6970 (default)
> > 03/11/02 07:57  firewalld[105]:  deny in eth0 638 udp 20 50 205.188.228.33 66.147.xxx.69 8230 6970 (default)
> > 03/11/02 07:57  firewalld[105]:  deny in eth0 638 udp 20 50 205.188.228.33 66.147.xxx.69 8230 6970 (default)
> > 03/11/02 07:57  firewalld[105]:  deny in eth0 638 udp 20 50 205.188.228.33 66.147.xxx.69 8230 6970 (default)
> >
> > 03/11/02 07:58  firewalld[105]:  deny in eth0 503 udp 20 51 209.246.122.135 66.147.xxx.69 11918 6970 (default)
> > 03/11/02 07:58  firewalld[105]:  deny in eth0 503 udp 20 51 209.246.122.135 66.147.xxx.69 11918 6970 (default)
> > 03/11/02 07:58  firewalld[105]:  deny in eth0 503 udp 20 51 209.246.122.135 66.147.xxx.69 11918 6970 (default)
> > 03/11/02 07:58  firewalld[105]:  deny in eth0 503 udp 20 51 209.246.122.135 66.147.xxx.69 11918 6970 (default)
> > 03/11/02 07:58  firewalld[105]:  deny in eth0 503 udp 20 51 209.246.122.135 66.147.xxx.69 11918 6970 (default)
> > 03/11/02 08:07  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.65 66.147.xxx.69 8056 6970 (default)
> >
> > 03/11/02 08:07  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.65 66.147.xxx.69 8056 6970 (default)
> > 03/11/02 08:07  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.65 66.147.xxx.69 8056 6970 (default)
> > 03/11/02 08:07  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.65 66.147.xxx.69 8056 6970 (default)
> > 03/11/02 08:07  firewalld[105]:  deny in eth0 647 udp 20 52 205.188.228.65 66.147.xxx.69 8056 6970 (default)
> >
> > 03/11/02 08:07  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.65 66.147.xxx.69 8056 6970 (default)
> >
> > 03/11/02 08:23  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.17 66.147.xxx.69 30204 6970 (default)
> > 03/11/02 08:23  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.17 66.147.xxx.69 30204 6970 (default)
> > 03/11/02 08:23  firewalld[105]:  deny in eth0 647 udp 20 52 205.188.228.17 66.147.xxx.69 30204 6970 (default)
> > 03/11/02 08:23  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.17 66.147.xxx.69 30204 6970 (default)
> > 03/11/02 08:23  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.17 66.147.xxx.69 30204 6970 (default)
> > 03/11/02 08:23  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.17 66.147.xxx.69 30204 6970 (default)
> > 03/11/02 08:23  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.17 66.147.xxx.69 30204 6970 (default)
> >
> > 03/11/02 08:24  firewalld[105]:  deny in eth0 48 tcp 20 50 10.1.1.68 66.147.xxx.69 80 9897 syn ack (blocked site)
> > 03/11/02 08:26  firewalld[105]:  deny in eth0 48 tcp 20 50 10.1.1.68 66.147.xxx.69 80 9897 syn ack (blocked site)
> > 03/11/02 08:26  firewalld[105]:  deny in eth0 48 tcp 20 50 10.1.1.68 66.147.xxx.69 80 9897 syn ack (blocked site)
> >
> > 03/11/02 09:14  firewalld[105]:  deny in eth0 60 tcp 20 52 64.112.189.41 66.147.xxx.69 1848 113 syn (default)
> >
> > 03/11/02 09:27  firewalld[105]:  deny in eth0 44 tcp 20 52 66.111.75.234 66.147.xxx.69 3688 113 syn (default)
> > 03/11/02 09:27  firewalld[105]:  deny in eth0 44 tcp 20 52 66.111.75.234 66.147.xxx.69 3688 113 syn (default)
> >
> > 03/11/02 10:09  firewalld[105]:  deny in eth0 647 udp 20 52 205.188.228.33 66.147.xxx.69 11282 6970 (default)
> > 03/11/02 10:09  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.33 66.147.xxx.69 11282 6970 (default)
> > 03/11/02 10:09  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.33 66.147.xxx.69 11282 6970 (default)
> > 03/11/02 10:09  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.33 66.147.xxx.69 11282 6970 (default)
> > 03/11/02 10:09  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.33 66.147.xxx.69 11282 6970 (default)
> > 03/11/02 10:09  firewalld[105]:  deny in eth0 647 udp 20 52 205.188.228.33 66.147.xxx.69 11282 6970 (default)
> >
> > 03/11/02 07:58  firewalld[105]:  deny in eth0 503 udp 20 51 209.246.122.135 66.147.xxx.69 11918 6970 (default)
> > 03/11/02 10:13  firewalld[105]:  deny in eth0 48 tcp 20 107 212.83.94.147 66.147.xxx.64 4243 21 syn (FTP)
> > 03/11/02 10:13  firewalld[105]:  deny in eth0:0 48 tcp 20 105 212.83.94.147 66.147.xxx.67 4246 21 syn (FTP)
> > 03/11/02 10:13  firewalld[105]:  deny in eth0:1 48 tcp 20 105 212.83.94.147 66.147.xxx.68 4247 21 syn (FTP)
> > 03/11/02 10:13  firewalld[105]:  deny in eth0 48 tcp 20 105 212.83.94.147 66.147.xxx.69 4248 21 syn (FTP)
> > 03/11/02 10:13  firewalld[105]:  deny in eth0:2 48 tcp 20 105 212.83.94.147 66.147.xxx.71 4250 21 syn (FTP)
> > 03/11/02 10:13  firewalld[105]:  deny in eth0 48 tcp 20 107 212.83.94.147 66.147.xxx.64 4243 21 syn (FTP)
> > 03/11/02 10:13  firewalld[105]:  deny in eth0 48 tcp 20 107 212.83.94.147 66.147.xxx.79 4258 21 syn (FTP)
> > 03/11/02 10:13  firewalld[105]:  deny in eth0 48 tcp 20 107 212.83.94.147 66.147.xxx.64 4243 21 syn (FTP)
> > 03/11/02 10:13  firewalld[105]:  deny in eth0 48 tcp 20 107 212.83.94.147 66.147.xxx.79 4258 21 syn (FTP)
> > 03/11/02 10:13  firewalld[105]:  deny in eth0 48 tcp 20 107 212.83.94.147 66.147.xxx.79 4258 21 syn (FTP)
> > 03/11/02 10:13  firewalld[105]:  deny in eth0:0 48 tcp 20 105 212.83.94.147 66.147.xxx.67 4246 21 syn (FTP)
> > 03/11/02 10:13  firewalld[105]:  deny in eth0:1 48 tcp 20 105 212.83.94.147 66.147.xxx.68 4247 21 syn (FTP)
> > 03/11/02 10:13  firewalld[105]:  deny in eth0 48 tcp 20 105 212.83.94.147 66.147.xxx.69 4248 21 syn (FTP)
> > 03/11/02 10:13  firewalld[105]:  deny in eth0:2 48 tcp 20 105 212.83.94.147 66.147.xxx.71 4250 21 syn (FTP)
> >
> > 03/11/02 10:40  firewalld[105]:  deny in eth0 48 tcp 20 110 200.64.100.213 66.147.xxx.79 3938 80 syn (Filtered-HTTP)
> > 03/11/02 10:40  firewalld[105]:  deny in eth0 48 tcp 20 110 200.64.100.213 66.147.xxx.79 3938 80 syn (Filtered-HTTP)
> > 03/11/02 10:40  firewalld[105]:  deny in eth0 48 tcp 20 110 200.64.100.213 66.147.xxx.79 3938 80 syn (Filtered-HTTP)
> > --
> > ---------------------------
> > Davicrockit
> > David E. Stigers
> > 8946 Owenton Road
> > Frankfort, KY 40601
> > 502.223.8271
> > ---------------------------
> >
> >
> > _______________________________________________
> > Dshield mailing list
> > Dshield at dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list
>
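Kelly's triage of the quoted firewalld log, written up as an added Python example that is not part of the original thread: it parses the deny lines into fields and labels each source address the way the reply does (UDP 6970 as streaming media, TCP 113 as ident, a private source as spoofed or misconfigured, one source hitting several hosts on one port as a scan, a lone port-80 SYN as a web probe). The field layout, the constructed sample lines and the scan threshold are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the firewalld "deny" format quoted in the thread.
SAMPLE_LOG = """\
03/11/02 07:57  firewalld[105]:  deny in eth0 647 udp 20 50 205.188.228.33 66.147.xxx.69 8230 6970 (default)
03/11/02 08:24  firewalld[105]:  deny in eth0 48 tcp 20 50 10.1.1.68 66.147.xxx.69 80 9897 syn ack (blocked site)
03/11/02 09:14  firewalld[105]:  deny in eth0 60 tcp 20 52 64.112.189.41 66.147.xxx.69 1848 113 syn (default)
03/11/02 10:13  firewalld[105]:  deny in eth0 48 tcp 20 107 212.83.94.147 66.147.xxx.64 4243 21 syn (FTP)
03/11/02 10:13  firewalld[105]:  deny in eth0:0 48 tcp 20 105 212.83.94.147 66.147.xxx.67 4246 21 syn (FTP)
03/11/02 10:13  firewalld[105]:  deny in eth0:1 48 tcp 20 105 212.83.94.147 66.147.xxx.68 4247 21 syn (FTP)
03/11/02 10:40  firewalld[105]:  deny in eth0 48 tcp 20 110 200.64.100.213 66.147.xxx.79 3938 80 syn (Filtered-HTTP)
"""

# Assumed layout: date time firewalld[pid]: action dir iface len proto n n src dst sport dport [flags] (rule)
# The two numbers after the protocol are skipped (header length and TTL is only a guess).
LINE_RE = re.compile(
    r"^\S+ \S+\s+firewalld\[\d+\]:\s+\w+ \w+ \S+ \d+ (?P<proto>\w+) \d+ \d+ (?P<src>\S+) "
    r"(?P<dst>\S+) \d+ (?P<dport>\d+)(?P<flags>(?: [a-z]+)*) \((?P<rule>[^)]*)\)$")
SCAN_HOSTS = 3  # distinct targets on one port before a source counts as a scan (assumed)

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"], rec["flags"] = int(rec["dport"]), rec["flags"].split()
    return rec

def triage(text):
    # Group deny events by source and apply the reply's reasoning to each source.
    by_src = defaultdict(list)
    for rec in filter(None, map(parse_line, text.splitlines())):
        by_src[rec["src"]].append(rec)
    verdicts = {}
    for src, recs in by_src.items():
        ports, targets = {(r["proto"], r["dport"]) for r in recs}, {r["dst"] for r in recs}
        if ipaddress.ip_address(src).is_private:  # sources in this log are unmasked, dsts are not
            verdicts[src] = "spoofed-or-misconfigured"
        elif ports == {("udp", 6970)}:
            verdicts[src] = "streaming-media-noise"
        elif ports == {("tcp", 113)}:
            verdicts[src] = "ident-noise"
        elif len(ports) == 1 and len(targets) >= SCAN_HOSTS:
            verdicts[src] = "scan-port-%d" % next(iter(ports))[1]
        elif ("tcp", 80) in ports:
            verdicts[src] = "http-probe"
        else:
            verdicts[src] = "review"
    return verdicts
```

Running `triage(SAMPLE_LOG)` leaves only the FTP scan and the private-source traffic as anything worth looking at, which is the conclusion of the reply.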