[Dshield] Weird Unknown Traffic Directed @ tcp/6588

Tom Geairn tgeairn at newviewconsulting.com
Mon Mar 25 13:39:19 GMT 2002

Hash: SHA1


Port 6588 is just another common port for HTTP proxy.  As long as
you're blocking all of this stuff, you should be just fine.  

If it appears that the attacker keeps coming back (increased
frequency of probes from the same subnet), you may want to
temporarily log nearly everything coming through your router and make
sure your not missing something with your firewall or ACLs.  I know
that even a small network can generate tons of log entries in
seconds, but you will sometimes be amazed what you find.  Another
quick technique is to put a packet sniffer on the same segment as the
router and look at everything.  If you have a problem, it will often
show up quickly.

Remember, one of the reasons that we block traffic is that there are
people out there who would otherwise exploit our systems.  Finding
log entries that show someone knocking and not getting in is just
what you expect to find.  Worry much more about the unexplained
traffic increase not accompanied by any unusual log entries!

- -Tom Geairn
NewView Consulting, LLC

- -----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org] On
Behalf Of Randall Gillespie
Sent: Monday, March 25, 2002 12:47 AM
To: list at dshield.org
Subject: [Dshield] Weird Unknown Traffic Directed @ tcp/6588

Mar 22 07:07:03 -> 216.XXX.XXX.165:21 SYN ******S*
Mar 22 07:07:03 -> 216.XXX.XXX.165:25 SYN ******S*
Mar 22 07:07:03 -> 216.XXX.XXX.165:80 SYN ******S*
Mar 22 07:07:03 -> 216.XXX.XXX.165:110 SYN
Mar 22 07:07:04 -> 216.XXX.XXX.163:119 SYN
Mar 22 07:07:04 -> 216.XXX.XXX.163:1080 SYN
Mar 22 07:07:04 -> 216.XXX.XXX.163:6588 SYN

Version: PGP 7.1


More information about the list mailing list