Re: When not to log
From: Kasper Dupont (kasperd@daimi.au.dk)
Date: 05/11/02
From: Kasper Dupont <kasperd@daimi.au.dk> Date: Sat, 11 May 2002 12:06:13 +0200
none@nowhere.org wrote:
>
> In article <3CDBCD57.527C1666@daimi.au.dk>, "Kasper Dupont"
> <kasperd@daimi.au.dk> wrote:
>
> > These are not scans, I didn't see any IP trying more than one port. A
> > single IP trying only a single port is normal background noise. And
> > there is nothing strange about three retries, most TCP implementations
> > do that. And some of them are TCP reset packets from port 80 on various
> > machines, I guess you are responsible for them by trying to access some
> > computers without any webservers. Their owners might even think you
> > scanned them. ;-)
>
> Well forgive my ignorance, I'm using Netscape to surf the net, if I
> access a site, after finding it through google, then why is it my fault
> for them to be trying to access/scan my computer?

These are not scans; they are just sending back TCP resets as they should
according to some RFC. I cannot explain why you find links to
nonexistent webservers on google. It could also be the case that
your ISP is completely clueless and ignores their customers' abuse,
and thus has gotten a lot of people to just block your IP range in
their firewall.

Your explanation does sound strange. I can come up with one theory
about what is happening:

- You have an RFC 1918 IP address.
- All the servers provided by your ISP also have RFC 1918 addresses.
  This includes DNS, mail, news, etc.
- All your communication with these servers, like downloading mail,
  can be done with RFC 1918 addresses all the way through; at no
  point do you get any other address assigned.
- As soon as you access computers outside your ISP's network they
  must assign you a public IP address.
- The ISP has a router translating your temporary public IP address
  to your RFC 1918 address.
- Since your ISP has a lot more customers than public IP addresses,
  these public addresses will appear to be in use almost all the
  time. And will thus attract lots of scans.
- As soon as you access anything outside you will get all those
  scans for as long as the ISP keeps this public IP address assigned
  for you.

--
Kasper Dupont -- who spends too much time on usenet.
For sending spam use mailto:razor-report@daimi.au.dk
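
Added example, not part of the original message: a small triage script applying the rules of thumb from the thread (one source hitting one port, retries included, is background noise; bare TCP resets are replies to your own outbound connections; only a source trying more than one port counts as a scan). The iptables-LOG-style line format and all addresses are constructed assumptions, since the thread does not show the original log.

```python
import re
from collections import defaultdict

# Constructed sample lines in an iptables-LOG-style key=value form (assumed
# format; addresses are from the documentation ranges).
SAMPLE_LOG = """\
IN=ppp0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4431 DPT=21 SYN
IN=ppp0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4431 DPT=21 SYN
IN=ppp0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4431 DPT=21 SYN
IN=ppp0 SRC=203.0.113.80 DST=192.0.2.10 PROTO=TCP SPT=80 DPT=34012 RST
IN=ppp0 SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=2200 DPT=22 SYN
IN=ppp0 SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=2201 DPT=23 SYN
IN=ppp0 SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=2202 DPT=111 SYN
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def classify(log_text):
    """Return {source_ip: verdict} for the dropped packets in log_text."""
    probed = defaultdict(set)   # source IP -> distinct destination ports tried
    resets = defaultdict(int)   # source IP -> number of bare RST packets seen
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if "SRC" not in fields or "DPT" not in fields:
            continue  # not a line in the assumed format
        flags = set(line.split())
        if "RST" in flags and "SYN" not in flags:
            # A reset is an answer to something we sent, not a probe.
            resets[fields["SRC"]] += 1
        else:
            # Retries to the same port collapse into one set entry.
            probed[fields["SRC"]].add(int(fields["DPT"]))
    verdicts = {}
    for src in set(probed) | set(resets):
        if len(probed[src]) > 1:
            verdicts[src] = "scan"
        elif len(probed[src]) == 1:
            verdicts[src] = "background noise"
        else:
            verdicts[src] = "reset reply"
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(f"{src:15} {verdict}")
```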