[Dshield] Is this something to worry about?

Jonathan G. Lampe jonathan at stdnet.com
Thu Oct 24 20:23:59 GMT 2002


It's a classic (noisy) portscan.  1 really fast TCP scan.  1 slower (two 
every 8 seconds) UDP scan.

Notice how the source ports are incrementing - suggesting the packets are 
all coming from the same machine.  (It is possible to lie about an IP 
address with a simple SYN packet.)

If it's still going on, I'd contact these guys 
(http://www.dslreports.com/secureme) and tell them to knock it off.  I may 
also query my user community and see if someone requested one of these 
scans.  (Supposedly all port scan inits are logged by username, so you 
might be able to find out from dslreports.com who requested the scan if 
no one fesses up!)

-jgl

At 08:00 AM 10/24/2002, you wrote:
>I've had more than 700 hits within about 2 minutes on various ports and since 
>I'm far from being an expert in security (just trying to keep an eye on 
>what's going on) I thought I would rather ask.
>
>Can somebody please let me know if this is anything serious or just a noise?
>
>Thanks
>Nikolai
>
>Here's a log from the firewall:
>
>From: 209.191.132.40 (bronze.dslreports.com)
>To: 203.45.109.115
>
>Firewall log entries:
>
>type,date,time,source,destination,transport
>FWIN,2002/10/20,2:07:10 PM +10:00 GMT,209.191.132.40:62104,203.45.109.115:53,UDP
>FWIN,2002/10/20,2:07:02 PM +10:00 GMT,209.191.132.40:62103,203.45.109.115:53,UDP
>FWIN,2002/10/20,2:06:54 PM +10:00 GMT,209.191.132.40:62104,203.45.109.115:99,UDP
>FWIN,2002/10/20,2:06:46 PM +10:00 GMT,209.191.132.40:62103,203.45.109.115:99,UDP
>FWIN,2002/10/20,2:06:38 PM +10:00 GMT,209.191.132.40:62104,203.45.109.115:20,UDP
>FWIN,2002/10/20,2:06:30 PM +10:00 GMT,209.191.132.40:62103,203.45.109.115:20,UDP
>FWIN,2002/10/20,2:06:14 PM +10:00 GMT,209.191.132.40:51102,203.45.109.115:932,TCP (flags:S)
>FWIN,2002/10/20,2:06:14 PM +10:00 GMT,209.191.132.40:51091,203.45.109.115:277,TCP (flags:S)

[SNIP]

>FWIN,2002/10/20,2:05:46 PM +10:00 GMT,209.191.132.40:50175,203.45.109.115:662,TCP (flags:S)
>FWIN,2002/10/20,2:05:46 PM +10:00 GMT,209.191.132.40:50212,203.45.109.115:224,TCP (flags:S)
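
An added example, not part of either message in this thread: a Python sketch that parses the firewall log format quoted above and summarises, per source address and protocol, the signals the reply points to (distinct destination ports, elapsed time, source-port range). The sample rows are the ones visible in the post with the wrapped lines rejoined; the `min_ports` threshold of 3 is an assumption sized for this short excerpt.

```python
import csv
from collections import defaultdict
from datetime import datetime

# Rows copied from the log excerpt in the post, with the mail client's line wraps rejoined.
SAMPLE_LOG = """\
FWIN,2002/10/20,2:07:10 PM +10:00 GMT,209.191.132.40:62104,203.45.109.115:53,UDP
FWIN,2002/10/20,2:07:02 PM +10:00 GMT,209.191.132.40:62103,203.45.109.115:53,UDP
FWIN,2002/10/20,2:06:54 PM +10:00 GMT,209.191.132.40:62104,203.45.109.115:99,UDP
FWIN,2002/10/20,2:06:46 PM +10:00 GMT,209.191.132.40:62103,203.45.109.115:99,UDP
FWIN,2002/10/20,2:06:38 PM +10:00 GMT,209.191.132.40:62104,203.45.109.115:20,UDP
FWIN,2002/10/20,2:06:30 PM +10:00 GMT,209.191.132.40:62103,203.45.109.115:20,UDP
FWIN,2002/10/20,2:06:14 PM +10:00 GMT,209.191.132.40:51102,203.45.109.115:932,TCP (flags:S)
FWIN,2002/10/20,2:06:14 PM +10:00 GMT,209.191.132.40:51091,203.45.109.115:277,TCP (flags:S)
FWIN,2002/10/20,2:05:46 PM +10:00 GMT,209.191.132.40:50175,203.45.109.115:662,TCP (flags:S)
FWIN,2002/10/20,2:05:46 PM +10:00 GMT,209.191.132.40:50212,203.45.109.115:224,TCP (flags:S)
"""

def parse(log_text):
    """Yield (timestamp, src_ip, src_port, dst_port, protocol) per log row."""
    for row in csv.reader(log_text.splitlines()):
        if len(row) != 6 or row[0] != "FWIN":
            continue  # skip the header line, blanks and anything malformed
        _, date, time, src, dst, transport = row
        clock = " ".join(time.split()[:2])  # keep "2:07:10 PM", drop "+10:00 GMT"
        ts = datetime.strptime(f"{date} {clock}", "%Y/%m/%d %I:%M:%S %p")
        src_ip, src_port = src.rsplit(":", 1)
        yield ts, src_ip, int(src_port), int(dst.rsplit(":", 1)[1]), transport.split()[0]

def summarize(log_text, min_ports=3):
    """Group by (source IP, protocol); flag groups hitting >= min_ports distinct ports."""
    groups = defaultdict(list)
    for ts, src_ip, src_port, dst_port, proto in parse(log_text):
        groups[(src_ip, proto)].append((ts, src_port, dst_port))
    report = {}
    for key, hits in groups.items():
        times, src_ports, dst_ports = zip(*hits)
        report[key] = {
            "hits": len(hits),
            "distinct_dst_ports": len(set(dst_ports)),
            "seconds": (max(times) - min(times)).total_seconds(),
            "src_port_range": (min(src_ports), max(src_ports)),
            "scan": len(set(dst_ports)) >= min_ports,  # assumed threshold
        }
    return report

if __name__ == "__main__":
    for key, stats in summarize(SAMPLE_LOG).items():
        print(key, stats)
```

On the full log rather than this excerpt, a higher `min_ports` and a time window would be the sensible settings.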



