SYN Attacks - how can I stop it

jhernandez_at_progrexive.com
Date: 02/07/04

    Date: Sat,  7 Feb 2004 01:59:14 -0400
    To: "" <freebsd-security@freebsd.org>
    
    

    How can I stop the SYN and port scanner attacks? I have attacks every night.
    Check this.

    Feb 6 11:54:24 TCP: port scan detected [port 6667] from 212.165.80.117 [ports
    63432,63453,63466,63499,63522,...]
    Feb 6 11:58:09 TCP: port scan mode expired for 212.165.80.117 - received a
    total of 38 packets (1064 bytes).
    Feb 6 12:02:33 ICMP: ping flood mode expired for 65.23.218.180 - received a
    total of 562 packets (22480 bytes).
    Feb 6 12:09:51 TCP: port scan detected [port 6667] from 200.37.75.236 [ports
    3192,3247,3309,3362,3421,...]
    Feb 6 12:11:21 TCP: port scan detected [port 6667] from 80.139.185.241 [ports
    3114,3514,3960,4360,4795,...]
    Feb 6 12:12:17 TCP: port scan mode expired for 200.37.75.236 - received a total
    of 27 packets (756 bytes).
    Feb 6 12:19:47 TCP: port scan detected [port 6667] from 80.15.16.77 [ports
    3048,3471,3819,4259,4648,...]
    Feb 6 12:23:58 TCP: port scan detected [port 6667] from 213.6.123.252 [ports
    3129,3947,4690,3577,4343,...]
    Feb 6 12:25:52 TCP: port scan mode expired for 80.15.16.77 - received a total
    of 60 packets (1680 bytes).
    Feb 6 12:31:54 TCP: port scan detected [port 6667] from 212.165.80.117 [ports
    61345,61356,61370,61386,61408,...]
    Feb 6 12:32:04 TCP: port scan detected [port 6667] from 213.6.125.34 [ports
    1157,1509,1928,2294,2741,...]
    Feb 6 12:33:39 TCP: port scan detected [port 6667] from 200.81.81.174 [ports
    4917,4918,4927,4931,4935,...]
    Feb 6 12:34:22 TCP: port scan mode expired for 212.165.80.117 - received a
    total of 26 packets (728 bytes).
    Feb 6 12:34:44 TCP: port scan mode expired for 200.81.81.174 - received a total
    of 16 packets (448 bytes).
    Feb 6 12:42:00 TCP: port scan mode expired for 213.6.125.34 - received a total
    of 93 packets (2604 bytes).
    Feb 6 12:44:45 TCP: port scan mode expired for 213.6.123.252 - received a total
    of 186 packets (5208 bytes).
    Feb 6 12:45:22 TCP: port scan detected [port 6667] from 200.106.106.207 [ports
    18072,18091,18113,18157,18172,...]
    Feb 6 12:49:16 TCP: port scan detected [port 6667] from 200.49.217.132 [ports
    4124,4143,4157,4174,4198,...]
    Feb 6 12:53:29 TCP: port scan mode expired for 80.139.185.241 - received a
    total of 369 packets (11808 bytes).
    Feb 6 13:00:16 TCP: port scan detected [port 9999] from 204.117.88.37 [ports
    4568,4571,4572,4573,4574,...]
    Feb 6 13:01:29 TCP: port scan mode expired for 204.117.88.37 - received a total
    of 352 packets (9856 bytes).
    Feb 6 13:01:52 TCP: port scan detected [port 9999] from 204.117.88.43 [ports
    4883,4885,4886,4887,4888,...]
    Feb 6 13:02:54 TCP: port scan mode expired for 204.117.88.43 - received a total
    of 261 packets (7308 bytes).
    Feb 6 13:04:56 TCP: port scan mode expired for 200.49.217.132 - received a
    total of 125 packets (3500 bytes).
    Feb 6 13:16:37 TCP: port scan mode expired for 200.106.106.207 - received a
    total of 243 packets (6804 bytes).
    Feb 6 13:26:16 TCP: port scan detected [port 6667] from 200.81.85.232 [ports
    1077,1078,1080,1081]
    Feb 6 13:27:16 TCP: port scan mode expired for 200.81.85.232 - received a total
    of 16 packets (448 bytes).
    Feb 6 13:28:11 TCP: port scan detected [port 6667] from 80.38.110.228 [ports
    1040,1494,1901,2310,2695,...]
    Feb 6 13:33:00 TCP: SYN scan mode expired for pD952BE7F.dip.t-dialin.net
    (217.82.190.127) - received a total of 1073 packets
    Feb 6 13:33:17 TCP: port scan mode expired for
    ANancy-106-1-4-183.w81-248.abo.wanadoo.fr (81.248.192.183) - received a total
    Feb 6 13:35:33 TCP: port scan mode expired for
    host231-253.pool8175.interbusiness.it (81.75.253.231) - received a total of 25
    Feb 6 13:44:25 ICMP: ping flood mode expired for 210.92.221.49 - received a
    total of 468 packets (30657744 bytes).
    Feb 6 13:46:13 TCP: port scan detected [port 6667] from A7b25.a.pppool.de
    (213.6.123.37) [ports 3485,3573,3763,4159,4297,...]
    Feb 6 13:54:26 TCP: port scan detected [port 6667] from
    host231-253.pool8175.interbusiness.it (81.75.253.231) [ports 1070,352
    Feb 6 14:35:56 TCP: port scan mode expired for
    host231-253.pool8175.interbusiness.it (81.75.253.231) - received a total of 12
    Feb 6 14:46:39 TCP: port scan mode expired for
    228.Red-80-38-110.pooles.rima-tde.net (80.38.110.228) - received a total of 18
    Feb 6 14:50:45 TCP: port scan detected [port 6667] from A7c22.a.pppool.de
    (213.6.124.34) [ports 3326,3553,3604,3791,3846,...]
    Feb 6 14:56:25 ICMP: ping flood detected from 210.92.221.49

    Regards,
    Jean
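
An added triage example, not part of the original message: it rejoins the wrapped log entries and totals alerts and reported packet counts per source address, leaving out counts that were cut off in the post. The field meanings are assumed from the wording of the log lines; the device that produced them is not named in the message.

```python
import re
from collections import defaultdict
# Entries copied from the post above, wrapped exactly as they appear there.
SAMPLE = """\
Feb 6 11:54:24 TCP: port scan detected [port 6667] from 212.165.80.117 [ports
63432,63453,63466,63499,63522,...]
Feb 6 11:58:09 TCP: port scan mode expired for 212.165.80.117 - received a
total of 38 packets (1064 bytes).
Feb 6 12:34:22 TCP: port scan mode expired for 212.165.80.117 - received a
total of 26 packets (728 bytes).
Feb 6 13:33:00 TCP: SYN scan mode expired for pD952BE7F.dip.t-dialin.net
(217.82.190.127) - received a total of 1073 packets
Feb 6 13:35:33 TCP: port scan mode expired for
host231-253.pool8175.interbusiness.it (81.75.253.231) - received a total of 25
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EVENT = re.compile(r"(TCP|ICMP): (port scan|SYN scan|ping flood) (detected|mode expired)")
DPORT = re.compile(r"\[port (\d+)\]")
PKTS = re.compile(r"total of (\d+) packets")

def unwrap(text):
    """Rejoin entries that the mail client wrapped onto continuation lines."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        if STAMP.match(line) or (line and not entries):
            entries.append(line)
        elif line:
            entries[-1] += " " + line
    return entries

def summarize(text):
    """Per source address: alert count, reported packet total, targeted ports."""
    stats = defaultdict(lambda: {"alerts": 0, "packets": 0, "ports": set(), "kinds": set()})
    for entry in unwrap(text):
        ev, ip = EVENT.search(entry), IPV4.search(entry)
        if not (ev and ip):
            continue
        s = stats[ip.group()]
        s["kinds"].add(ev.group(2))
        if ev.group(3) == "detected":
            s["alerts"] += 1
            s["ports"].update(int(p) for p in DPORT.findall(entry))
        elif (m := PKTS.search(entry)):  # truncated entries carry no usable count
            s["packets"] += int(m.group(1))
    return dict(stats)

for ip, s in summarize(SAMPLE).items():
    print(ip, s)
```

Run over the full log, the same summary shows which sources recur and which destination ports they share.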
