[unisog] Previous Thread on Increased Probes

Lois Lehman LOIS.LEHMAN at asu.edu
Fri Jul 23 16:28:33 GMT 2004


Sorry to bring this up again but a colleague at another university has
asked me if anyone has seen a recent flood of attacks on their address
space similar to what he experienced a couple of weeks ago.  I remember
there was some talk, maybe on this list, about seeing incoming packets
from many sources with numbers near a thousand.  But in cleaning out my
Inbox after a vacation, I must have deleted that information.

Here is a sample of some of the traffic from one source found in his
logs:

Jul  9 21:21:54 gateway 1305838: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:54 gateway 1305839: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:54 gateway 1305841: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:55 gateway 1305842: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:55 gateway 1305843: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 2 packets
Jul  9 21:21:55 gateway 1305845: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:55 gateway 1305846: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:55 gateway 1305848: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:55 gateway 1305849: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 2 packets
Jul  9 21:21:55 gateway 1305850: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:56 gateway 1305852: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:56 gateway 1305853: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:56 gateway 1305856: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 2 packets


Is this what others were seeing, an attack on port 23?  Has anyone
determined the purpose of this flood?

Thanks!

Lois Lehman
College Network Security Manager
Physical Sciences Computer Support Manager
College of Liberal Arts & Sciences
Arizona State University
480-965-3139
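
An added example, not part of the original post: one way to total ACL log entries like those quoted above per source and destination port, and to count how many distinct sources hit a given port. The sample lines are constructed in the post's format with documentation addresses, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the post's format, wrapped by mail the same way.
SAMPLE = """\
Jul  9 21:21:54 gateway 1000001: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 198.51.100.7(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:55 gateway 1000002: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 198.51.100.7(41085) -> xxx.xxx.2.10(23), 2 packets
Jul  9 21:21:55 gateway 1000003: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 203.0.113.9(1025) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:56 gateway 1000004: 2d14h: %SEC-6-IPACCESSLOGP: list 120
denied tcp 203.0.113.9(1026) -> xxx.xxx.2.11(80), 1 packet
"""

# A syslog timestamp marks the start of a record; other lines are wrap residue.
START = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d ")
# Addresses are matched loosely because the destination is redacted (xxx.xxx.2.10).
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\w.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\w.]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?"
)

def unwrap(text):
    """Rejoin records that mail wrapping split across two lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def summarize(text):
    """Packet totals keyed by (src, dst, proto, dport, action)."""
    totals = Counter()
    for rec in unwrap(text):
        m = ACL_RE.search(rec)
        if m:
            key = (m["src"], m["dst"], m["proto"], int(m["dport"]), m["action"])
            totals[key] += int(m["pkts"])
    return totals

def fan_in(totals, dport):
    """Number of distinct sources seen sending to a destination port."""
    return len({k[0] for k in totals if k[3] == dport})
```
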




