Firewall Wizards mailing list archives
Re: Port scans to UDP 161 (SNMP)
From: Mark (Mookie) <mark () zang com>
Date: Fri, 22 May 1998 05:22:33 -0700 (PDT)
Has anyone seen this before? I have been getting UDP (161/SNMP) port scans across my 205.247.224/24 (from .255 to .[012]?) repeatedly from certain IP #s. The most recent events happened 6 times over the past 5 days (all from the same IP). The user of that IP has a laptop w/
Yeah, same here, almost like the IMAP scans one sees. To machines they have no business looking at either. I think they are possibly looking for SNMP information describing the host in question, be it unix, a router or other device. I held off raising an incident report about this with an ISP earlier today, simply because it was a once off and I couldn't see any other activity from that IP. If it was more than one packet I'd have instituted greater counter measures against the host involved. You however sound as if you have either an attacker or an progam being tested by someone. Do you go with the simple explanation or the insidious approach? :) Good luck, Mark
Current thread:
- Port scans to UDP 161 (SNMP) Max Euston (May 21)
- Re: Port scans to UDP 161 (SNMP) M. Dodge Mumford (May 22)
- Log analysis tools Technical Incursion Countermeasures (May 22)
- Re: Port scans to UDP 161 (SNMP) Mookie (May 22)
- Re: Port scans to UDP 161 (SNMP) Michael (May 22)
- <Possible follow-ups>
- Re: Port scans to UDP 161 (SNMP) Steve Bellovin (May 22)
- Re: Port scans to UDP 161 (SNMP) H. Morrow Long (May 22)
- RE: Port scans to UDP 161 (SNMP) Max Euston (May 28)