tcp 20471 probe?
From: Walter Roberson (roberson@ibd.nrc.ca) Date: 12/23/01
From: roberson@ibd.nrc.ca (Walter Roberson) Date: 23 Dec 2001 21:31:55 GMT
Looking through my firewall logs this afternoon, I noticed that
over the last few days, there have been a couple of tries per
hour to contact one of my internal machines [a waste of time, as
the firewall is configured not to let through packets to that address.]
Looking through the logs, I see that the attempts are arriving
from all over the world, and that the destination TCP port number
(i.e., the port number on my end) is random (and sometimes less than 1024).
I also see that the -source- TCP port (the port number
on the end trying to make the connection) is, in each case, one of
20471, 20472, or 21472.
In each case, it is the *same* IP address at my end that is being
targeted.
I find evidence of stray attempts going back at least as far as
September 3rd 2001. I do not, though, see any appreciable number
of probes until Oct 21, 2001. After a series of probes in October,
there was a gap of a couple of weeks before it picked up again
in November. I haven't been probed every day since then, but the rate
has gone up substantially in the last week.
A few entries on roughly September 8th show RST ACK flags on
the incoming packets (but no outgoing packets to that address); other
than that, all the entries show no particular flags -- i.e., the
firewall believes them to be normal TCP connection attempts.
Would anyone have any ideas as to what this traffic might be?
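
Added example, not part of the original post: one way to pull the pattern described above (many remote hosts, a handful of fixed source ports, scattered destination ports, one target address) out of denied-connection logs. The log format, field names, thresholds and all sample lines are constructed assumptions; adapt the regular expression to your firewall's actual output.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical firewall log format (not from the post).
SAMPLE_LOG = """\
2001-12-21T03:10:02 DENY TCP 198.51.100.7:20471 -> 192.0.2.10:443 flags=SYN
2001-12-21T03:41:55 DENY TCP 203.0.113.45:20472 -> 192.0.2.10:31337 flags=SYN
2001-12-21T04:02:13 DENY TCP 198.51.100.200:21472 -> 192.0.2.10:515 flags=SYN
2001-12-21T04:30:40 DENY TCP 203.0.113.9:20471 -> 192.0.2.10:6112 flags=SYN
2001-12-21T04:55:01 DENY TCP 198.51.100.91:20472 -> 192.0.2.10:2049 flags=SYN
2001-12-21T05:01:17 DENY TCP 203.0.113.77:51234 -> 192.0.2.20:80 flags=SYN
2001-12-21T05:03:44 DENY TCP 203.0.113.77:51240 -> 192.0.2.20:80 flags=SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY TCP (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) flags=(?P<flags>\S+)$"
)

def summarize(log_text):
    """Per destination IP: distinct source IPs, source ports and destination ports."""
    stats = defaultdict(lambda: {"srcs": set(), "sports": set(), "dports": set(), "hits": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines in other formats
        s = stats[m["dst"]]
        s["srcs"].add(m["src"])
        s["sports"].add(int(m["sport"]))
        s["dports"].add(int(m["dport"]))
        s["hits"] += 1
    return stats

def fixed_source_port_targets(log_text, min_sources=3, max_sports=3):
    """Destinations hit by many hosts that share a few source ports
    while the destination port varies (thresholds are assumptions)."""
    out = {}
    for dst, s in summarize(log_text).items():
        if (len(s["srcs"]) >= min_sources and len(s["sports"]) <= max_sports
                and len(s["dports"]) > len(s["sports"])):
            out[dst] = sorted(s["sports"])
    return out

if __name__ == "__main__":
    for dst, ports in fixed_source_port_targets(SAMPLE_LOG).items():
        print(dst, "fixed source ports:", ports)
```

Ordinary client stacks pick varying ephemeral source ports, so a small fixed set shared by unrelated hosts is the distinguishing feature worth grouping on.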