Re: port scans
- From: Rick <rick0.merrill@xxxxxxxxxxxxxxxxxx>
- Date: Tue, 23 Feb 2010 11:00:50 -0500
Moe Trin wrote:
> On Mon, 22 Feb 2010, in the Usenet newsgroup comp.security.firewalls, in
> article<hlv1rc$a9m$2@xxxxxxxxxxxxxxxxxxxxxxxxxx>, Rick wrote:
>
>> Are you saying that they are checking EVERY POSSIBLE IP number?
>
> No - they're not checking the 235 million IPv4 addresses in China,
> and similar chunks elsewhere. Say for the hell of it, they are
> checking 2/3 of IPv4 address space - I highly doubt they are looking
> at that many but that's about 2000 million hosts. They are coming from
> several /22s in Hebei province (about half way between Hong Kong and
> Beijing) - which is groups of a thousand systems. So each host in a
> /22 has to check two million addresses max. Each connection attempt
> takes under 100 milliseconds - and they can be run in parallel to
> perhaps 50 or 60 _thousand_ attempts per host at any given instant.
> This is a set of scripts, not some wanker setting at a keyboard trying
> to type in each address to test. Coming back in ten minutes is almost
> trivial - do the math.
>
>> 4 failed attempts from the same originator. I can only see explaining
>> that by assuming that they somehow KNOW my server is there. How do
>> they know it is there? Would it help to get a new IP address?
>
> Sorry to disappoint you - but you aren't that important. EVERYONE is
> seeing (and ignoring) this stuff. They really aren't picking on your
> address any more than they're picking on everyone else.

So you're saying it is a coincidence and I should "echo off paranoia".
One more thing however, it only took 15 minutes from the first use of
the ftp server before these, let's call 'em probes, started. Once upon
a time (before sonicwall) they would try a username-password script.