[unisog] Previous Thread on Increased Probes

Glenn Forbes Fleming Larratt glratt at io.com
Fri Jul 23 17:45:57 GMT 2004


We have noted huge volumes of identd traffic - a summary report
covering a period of 30 minutes is appended below.

You can imagine how frustrating it is to me that my management won't
even discuss a response, and appear content to just let it happen.

	-g

On Fri, 23 Jul 2004, Lois Lehman wrote:

> Sorry to bring this up again but a colleague at another university has
> asked me if anyone has seen a recent flood of attacks on their address
> space similar to what he experienced a couple of weeks ago.  I remember
> there was some talk, maybe on this list, about seeing incoming packets
> from many sources with numbers near a thousand.  But in cleaning out my
> Inbox after a vacation, I must have deleted that information.
> 
> Here is a sample of some of the traffic from one source found in his
> logs:
> 
> Jul  9 21:21:54 gateway 1305838: 2d14h: %SEC-6-IPACCESSLOGP: list 120
> permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> Jul  9 21:21:54 gateway 1305839: 2d14h: %SEC-6-IPACCESSLOGP: list 120
> permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> Jul  9 21:21:54 gateway 1305841: 2d14h: %SEC-6-IPACCESSLOGP: list 120
> permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> Jul  9 21:21:55 gateway 1305842: 2d14h: %SEC-6-IPACCESSLOGP: list 120
> permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> Jul  9 21:21:55 gateway 1305843: 2d14h: %SEC-6-IPACCESSLOGP: list 120
> permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 2 packets
> Jul  9 21:21:55 gateway 1305845: 2d14h: %SEC-6-IPACCESSLOGP: list 120
> permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> Jul  9 21:21:55 gateway 1305846: 2d14h: %SEC-6-IPACCESSLOGP: list 120
> permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> Jul  9 21:21:55 gateway 1305848: 2d14h: %SEC-6-IPACCESSLOGP: list 120
> permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> Jul  9 21:21:55 gateway 1305849: 2d14h: %SEC-6-IPACCESSLOGP: list 120
> permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 2 packets
> Jul  9 21:21:55 gateway 1305850: 2d14h: %SEC-6-IPACCESSLOGP: list 120
> permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> Jul  9 21:21:56 gateway 1305852: 2d14h: %SEC-6-IPACCESSLOGP: list 120
> permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> Jul  9 21:21:56 gateway 1305853: 2d14h: %SEC-6-IPACCESSLOGP: list 120
> permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
> Jul  9 21:21:56 gateway 1305856: 2d14h: %SEC-6-IPACCESSLOGP: list 120
> permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 2 packets
> 
> 
> Is this what others were seeing, an attack on port 23?  Has anyone
> determined the purpose of this flood?
> 
> Thanks!
> 
> Lois Lehman
> College Network Security Manager
> Physical Sciences Computer Support Manager
> College of Liberal Arts & Sciences
> Arizona State University
> 480-965-3139
> 
Date: Fri, 23 Jul 2004 11:35:53 -0500 (CDT)
From: 
To: 
Subject: (snort attack watch): summary report


Since Jul 23 11:06:28 :

 notifications:


-- 
Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-) 
glratt at io.com                        http://www.io.com/~glratt  
There are imaginary bugs to chase in heaven.
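
Added example (not part of the original post, and not the script that produced the appended report): one way to reduce Cisco `%SEC-6-IPACCESSLOGP` lines like those quoted in the thread into a per-source summary of packets, distinct destinations and distinct source ports. The sample lines are constructed, and the function names and the sweep threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Cisco IOS ACL log message for TCP/UDP, in the shape quoted in the thread.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\w.]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?"
)

# Constructed sample lines (documentation address ranges), not taken from the thread.
SAMPLE = """\
Jul 23 11:06:30 gateway 101: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 192.0.2.7(40001) -> 198.51.100.10(113), 1 packet
Jul 23 11:06:30 gateway 102: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 192.0.2.7(40002) -> 198.51.100.11(113), 2 packets
Jul 23 11:06:31 gateway 103: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 192.0.2.7(40002) -> 198.51.100.12(113), 1 packet
Jul 23 11:06:31 gateway 104: 2d14h: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 192.0.2.9(41085) -> 198.51.100.10(23), 1 packet
Jul 23 11:06:32 gateway 105: 2d14h: %SEC-6-IPACCESSLOGP: list 120 denied udp 192.0.2.9(53) -> 198.51.100.10(137), 1 packet
Jul 23 11:06:32 gateway 106: 2d14h: %LINK-3-UPDOWN: Interface Serial0, changed state to up
"""

def summarize(text):
    """Group by (src, proto, dst port, action) -> (packets, destinations, src ports)."""
    acc = defaultdict(lambda: [0, set(), set()])
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated syslog messages are skipped
        key = (m["src"], m["proto"].upper(), int(m["dport"]),
               "permit" if m["action"] == "permitted" else "deny")
        entry = acc[key]
        entry[0] += int(m["pkts"])      # packets reported by the ACL log
        entry[1].add(m["dst"])          # distinct destination hosts
        entry[2].add(int(m["sport"]))   # distinct source ports
    return {k: (v[0], len(v[1]), len(v[2])) for k, v in acc.items()}

def sweepers(summary, min_dests=3):
    """Keys whose source reached at least min_dests hosts on one port (arbitrary threshold)."""
    return sorted(k for k, (_, dests, _) in summary.items() if dests >= min_dests)

def report(summary):
    """One text line per key, sorted by source address string."""
    return [f"{s} {p} {dp} {a}: {h} packets, {d} destinations, {sp} src ports"
            for (s, p, dp, a), (h, d, sp) in sorted(summary.items())]

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE))))
```

The destination pattern also accepts redacted addresses such as `xxx.xxx.2.10`, so scrubbed logs can be summarized as they are.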