Re: When not to log

From: Kasper Dupont (kasperd@daimi.au.dk)
Date: 05/11/02


From: Kasper Dupont <kasperd@daimi.au.dk>
Date: Sat, 11 May 2002 12:06:13 +0200

none@nowhere.org wrote:
>
> In article <3CDBCD57.527C1666@daimi.au.dk>, "Kasper Dupont"
> <kasperd@daimi.au.dk> wrote:
>
> > These are not scans, I didn't see any IP trying more than one port. A
> > single IP trying only a single port is normal background noise. And
> > there is nothing strange about three retries, most TCP implementations
> > do that. And some of them are TCP reset packets from port 80 on various
> > machines, I guess you are responsible for them by trying to access some
> > computers without any webservers. Their owners might even think you
> > scanned them. ;-)
>
> Well forgive my ignorance, I'm using Netscape to surf the net, if I
> access a site, after finding it through google, then why is it my fault
> for them to be trying to access/scan my computer?

These are not scans; they are just sending back TCP resets, as they
should according to some RFC. I cannot explain why you find links to
nonexistent webservers on Google. It could also be the case that
your ISP is completely clueless and ignores their customers' abuse,
and has thus gotten a lot of people to just block your IP range in
their firewall.

Your explanation does sound strange. I can come up with one theory
about what is happening:

- You have an RFC 1918 IP address.
- All the servers provided by your ISP also have RFC 1918 addresses.
  This includes DNS, mail, news, etc.
- All your communication with these servers, like downloading mail,
  can be done with RFC 1918 addresses all the way through; at no
  point do you get any other address assigned.
- As soon as you access computers outside your ISP's network they
  must assign you a public IP address.
- The ISP has a router translating your temporary public IP address
  to your RFC 1918 address.
- Since your ISP has a lot more customers than public IP addresses,
  these public addresses will appear to be in use almost all the
  time, and will thus attract lots of scans.
- As soon as you access anything outside you will get all those
  scans for as long as the ISP keeps this public IP address assigned
  for you.

-- 
Kasper Dupont -- who spends too much time on usenet.
For sending spam use mailto:razor-report@daimi.au.dk
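
The distinction drawn in this thread, as an added example that is not part of the original post: repeated SYNs from one source to one port count as retries, RSTs arriving from source port 80 are answers to the reader's own web requests, and only a source probing more than one port is treated as a possible scan. The log layout (a simplified iptables-LOG-like line), the sample entries, the labels and the `min_ports` threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (simplified layout, documentation IP ranges).
SAMPLE_LOG = """\
May 11 12:00:01 fw kernel: SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=111 SYN
May 11 12:00:04 fw kernel: SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=111 SYN
May 11 12:00:10 fw kernel: SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=111 SYN
May 11 12:01:00 fw kernel: SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=80 DPT=33512 RST
May 11 12:02:00 fw kernel: SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=21 SYN
May 11 12:02:00 fw kernel: SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22 SYN
May 11 12:02:01 fw kernel: SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=23 SYN
"""

LINE_RE = re.compile(r"SRC=(\S+) .*?SPT=(\d+) DPT=(\d+) (.*)$")


def classify(log_text, min_ports=2):
    """Return {source_ip: label} for dropped-packet log lines.

    min_ports is an assumed threshold: a source must send SYNs to at
    least this many distinct ports to be labelled a multi-port probe.
    """
    syn_ports = defaultdict(set)  # source -> distinct ports hit with a bare SYN
    web_resets = set()            # sources whose RSTs came from port 80
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a packet line in the assumed layout
        src, spt, dpt = m.group(1), int(m.group(2)), int(m.group(3))
        flags = m.group(4).split()
        if "RST" in flags and spt == 80:
            web_resets.add(src)
        elif "SYN" in flags and "ACK" not in flags:
            # A set collapses TCP retries to the same port into one entry.
            syn_ports[src].add(dpt)

    labels = {src: "reset-from-web-port" for src in web_resets}
    for src, ports in syn_ports.items():
        labels[src] = "multi-port-probe" if len(ports) >= min_ports else "background-noise"
    return labels


if __name__ == "__main__":
    for ip, label in sorted(classify(SAMPLE_LOG).items()):
        print(ip, label)
```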