Re: port scans



On Mon, 22 Feb 2010, in the Usenet newsgroup comp.security.firewalls, in
article <hlv1rc$a9m$2@xxxxxxxxxxxxxxxxxxxxxxxxxx>, Rick wrote:

> Are you saying that they are checking EVERY POSSIBLE IP number?

No - they're not checking the 235 million IPv4 addresses in China,
and similar chunks elsewhere. Say for the hell of it, they are
checking 2/3 of IPv4 address space - I highly doubt they are looking
at that many but that's about 2000 million hosts. They are coming from
several /22s in Hebei province (about half way between Hong Kong and
Beijing) - which is groups of a thousand systems. So each host in a
/22 has to check two million addresses max. Each connection attempt
takes under 100 milliseconds - and they can be run in parallel to
perhaps 50 or 60 _thousand_ attempts per host at any given instant.
This is a set of scripts, not some wanker sitting at a keyboard trying
to type in each address to test. Coming back in ten minutes is almost
trivial - do the math.

> 4 failed attempts from the same originator. I can only see explaining
> that by assuming that they somehow KNOW my server is there. How do
> they know it is there? Would it help to get a new IP address?

Sorry to disappoint you - but you aren't that important. EVERYONE is
seeing (and ignoring) this stuff. They really aren't picking on your
address any more than they're picking on everyone else.

Old guy