Firewall Wizards mailing list archives
Re: port 27015
From: Paul Robertson <proberts () patriot net>
Date: Sat, 3 Jan 2004 17:57:06 -0500 (EST)
On Fri, 2 Jan 2004, hermit921 wrote:
I am aware of the Half-Life game association. What I saw was 10 different
AFAICT, Half-Life is on UDP 27015- anyone with a server that can check?
IP sources scanning my entire class B on port 27015, all starting within one hour of each other. That didn't sound like a normal game behavior. But after that day, the scans didn't return.
Well, there are a few possible explainations: 1. Someone scanning for game servers. A) Census type thing. B) New sploit to play with. C) Bad software. 2. Someone scanning for zombies. 3. Someone fingerprinting the network. Do you have any packets, or just log entries? Was there any other pattern to the traffic (source ports, etc?) Were the source addresses related in any way? Was it one packet per IP, or multiple, and if multiple, same or different sorce port? Any particular sequence number or flags on? I generally tend to try to contact one of the source networks if I can find one that looks like it's relatively responsive- doesn't pay off often, but when it does, it normally does well. Thanks, Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts () patriot net which may have no basis whatsoever in fact." probertson () trusecure com Director of Risk Assessment TruSecure Corporation _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- port 27015 hermit921 (Jan 01)
- RE: port 27015 steve (Jan 01)
- <Possible follow-ups>
- Re: port 27015 Don Parker (Jan 03)
- Re: port 27015 hermit921 (Jan 03)
- RE: port 27015 Bill James (Jan 03)
- Re: port 27015 Paul Robertson (Jan 03)
- Re: port 27015 hermit921 (Jan 03)
- Re: port 27015 Don Parker (Jan 03)