Re: port 27015

[Paul Robertson <proberts () patriot net>]

On Fri, 2 Jan 2004, hermit921 wrote:

> I am aware of the Half-Life game association.  What I saw was 10 different

AFAICT, Half-Life is on UDP 27015- anyone with a server that can check?

> IP sources scanning my entire class B on port 27015, all starting within
> one hour of each other.  That didn't sound like a normal game
> behavior.  But after that day, the scans didn't return.

Well, there are a few possible explainations:

1.  Someone scanning for game servers.
    A) Census type thing.
    B) New sploit to play with.
    C) Bad software.

2.  Someone scanning for zombies.

3.  Someone fingerprinting the network.

Do you have any packets, or just log entries?  Was there any other pattern
to the traffic (source ports, etc?)  Were the source addresses related in
any way?  Was it one packet per IP, or multiple, and if multiple, same or
different sorce port?  Any particular sequence number or flags on?

I generally tend to try to contact one of the source networks if I can
find one that looks like it's relatively responsive- doesn't pay off
often, but when it does, it normally does well.

Thanks,

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards