[Dshield] Possible Intrusion Attempt?

Kevin kkadow at gmail.com
Mon Aug 1 21:38:11 GMT 2005


On 7/30/05, Kriley <forum at dshield.org> wrote:
> Interesting thread. I am having essentially the same problem. 
> cook along for months and all is well then recently someone at 
> 84.53.144.80 slips past my router every day for at least 100 to 150 times
> with attempts at ports ranging between 1053 and 4953. As per the thread
> my McAfee firewall catches them. Since this is only one source and the
> only intrusion I just banned the IP address.

IMHO, 99.999% of the packets people report on TCP/80 and TCP/53 are
NOT intrusions at all, but are false alarms resulting from the limitations of
many (most?) "stateful" packet filtering "firewalls", network or host based.

When I look at source reports (http://isc.sans.org/source_report.php)
for the static IP addresses I operate, personally, for my not-for-profit ISP,
and professionally for my employer (in total, well over a million routable IPs),
I see numerous DShield reports for "attacks" originating from currently
active server addresses in these subnets.

Reviewing the ISC tables shows reports claiming "attacks" sourced from
UDP/53 originating from our DNS servers, sourced from TCP/80 from our
web servers, and destined for TCP/53 and UDP/80 from my outbound
web browsing gateway.

In _every_single_case_ where I've investigated such a reported "attack",
the final determination was that this was a false positive, usually caused
by the reporting party failing to recognize a delayed DNS reply or a
final TCP reset, because (guessing here) the record of their original
outbound request had already expired from their state table, so the
firewall no longer recognized legitimate answers to their own queries.


> Disconcerting nonetheless.

Disconcerting is right, but for a different reason.


Kevin Kadow
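
As an added illustration, not part of Kevin's post and not DShield or McAfee code, here is a small Python model of the mechanism he describes: a toy stateful filter whose state entries time out, fed a constructed packet timeline, plus the triage rule a practitioner would apply to the resulting "intrusion" log. The addresses are RFC 5737 documentation ranges, the timeouts and close-wait period are assumed values, and the packet list is constructed rather than a real capture.

```python
# Added example (not from the original post): a toy stateful packet filter
# with expiring state entries, and a triage heuristic for the "attacks" it logs.
# Addresses are RFC 5737 documentation addresses; timeouts are assumed values.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float         # seconds since start of the (constructed) capture
    proto: str       # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out" (from our host) or "in" (towards our host)
    flags: str = ""  # TCP flag letters: S=SYN, A=ACK, F=FIN, R=RST, P=PSH


class StatefulFilter:
    """Allows everything outbound; allows inbound only when it matches a live
    state entry. Entries expire after an idle timeout, and once our side sends
    FIN the entry only survives a short close-wait. Replies that arrive after
    that are blocked and logged exactly like a probe would be."""

    def __init__(self, udp_timeout=30.0, tcp_timeout=60.0, close_wait=2.0):
        self.timeouts = {"udp": udp_timeout, "tcp": tcp_timeout}  # assumed
        self.close_wait = close_wait                                # assumed
        self.state = {}    # (proto, our_ip, our_port, peer_ip, peer_port) -> expiry
        self.blocked = []  # what the product would show the user as "intrusions"

    def process(self, pkt):
        if pkt.direction == "out":
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.proto == "tcp" and "F" in pkt.flags:
                self.state[key] = pkt.t + self.close_wait   # we are closing
            else:
                self.state[key] = pkt.t + self.timeouts[pkt.proto]
            return "allow"
        # inbound: look for the entry created by our own earlier request
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        expiry = self.state.get(key)
        if expiry is not None and pkt.t <= expiry:
            return "allow"   # idle timer is only refreshed by outbound traffic here
        self.blocked.append(pkt)
        return "block"


EPHEMERAL_MIN = 1024
SERVICE_PORTS = {("udp", 53), ("tcp", 80)}  # the ports the post singles out


def triage(pkt):
    """Heuristic from the post: a blocked inbound packet from a well-known
    service port to one of our ephemeral ports, which is not itself a new
    connection attempt, is most likely a late answer to our own request."""
    if pkt.direction != "in":
        return "not-inbound"
    new_connection = pkt.proto == "tcp" and "S" in pkt.flags and "A" not in pkt.flags
    if ((pkt.proto, pkt.sport) in SERVICE_PORTS
            and pkt.dport >= EPHEMERAL_MIN and not new_connection):
        return "probable-late-reply"
    return "possible-probe"


OUR, DNS, WEB, SCANNER = "192.0.2.10", "192.0.2.53", "198.51.100.80", "203.0.113.7"

TRAFFIC = [  # constructed timeline, not a real capture
    Packet(0.0, "udp", OUR, 1053, DNS, 53, "out"),             # DNS query 1
    Packet(0.2, "udp", DNS, 53, OUR, 1053, "in"),              # prompt answer: allowed
    Packet(1.0, "udp", OUR, 1054, DNS, 53, "out"),             # DNS query 2
    Packet(2.0, "tcp", OUR, 4953, WEB, 80, "out", "S"),        # HTTP connect
    Packet(2.1, "tcp", WEB, 80, OUR, 4953, "in", "SA"),        # handshake reply: allowed
    Packet(2.1, "tcp", OUR, 4953, WEB, 80, "out", "A"),
    Packet(3.0, "tcp", OUR, 4953, WEB, 80, "out", "FA"),       # we close
    Packet(3.1, "tcp", WEB, 80, OUR, 4953, "in", "FA"),        # server closes: allowed
    Packet(9.0, "tcp", WEB, 80, OUR, 4953, "in", "RA"),        # late reset: logged as "attack"
    Packet(10.0, "tcp", SCANNER, 40123, OUR, 445, "in", "S"),  # an actual probe
    Packet(45.0, "udp", DNS, 53, OUR, 1054, "in"),             # slow answer 2: logged as "attack"
]


def run(traffic, fw=None):
    """Feed the timeline through the filter; return (packet, verdict) for each block."""
    fw = fw or StatefulFilter()
    for pkt in sorted(traffic, key=lambda p: p.t):
        fw.process(pkt)
    return [(pkt, triage(pkt)) for pkt in fw.blocked]


if __name__ == "__main__":
    for pkt, verdict in run(TRAFFIC):
        print(f"t={pkt.t:5.1f} {pkt.proto}/{pkt.src}:{pkt.sport} -> "
              f"{pkt.dst}:{pkt.dport} {pkt.flags or '-':3} {verdict}")
```

Running it with the default timeouts logs three "intrusions": the late RST from the web server, the SMB probe, and the slow DNS answer. Only the middle one survives triage as a possible probe. Re-running with a longer UDP timeout makes the DNS "attack" disappear without any change in the traffic, which is the point of the post: the log reflects the filter's state table, not the sender's intent.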


