[Dshield] Noise or a methodical approach?

jayjwa jayjwa at atr2.ath.cx
Mon Jan 19 02:31:05 GMT 2004



On Fri, 16 Jan 2004, Chris Brenton wrote:

> On Fri, 2004-01-16 at 10:37, Glenn Jarvis wrote:
> > Forgive the length.... I noticed this in my logs this morning while I
> > was going through them. Two sources, mostly from 207.44.200.14
> >   Drop TCP packet from WAN src:207.44.200.14:80 dst:67.70.202.103:60716
> > Rule: Default deny
> > Jan/15/2004 17:25:46
>
> Hmm. Could be a timed-out HTTP session. 207.44.200.14 does have 80/TCP
> listening (Apache). Do your logs show any outbound HTTP sessions to this
> IP?
> Owner is "Everyones Internet" in Houston, TX so it seems like it might
> be someone's Web server hanging off a DSL line. That would explain there
> being no PTR and even possibly the self-issued certificate.

Hmmm... "Everyones Internet" out of TX? I swear I saw that in the logs
someplace. I'll have another look, and post back if it's anything
worthwhile. My "ban candidate" for today is genuity/level3.net - various
misbehaving.

[jayjwa]RLF#37





