Security Incidents mailing list archives
Re: scans on ports 3072 and 1024, why?
From: Aaron Schultz <aaron () POWERTRIP NET>
Date: Thu, 28 Dec 2000 17:06:26 -0800
If I may be so bold as to request that anyone with information about DALnet related attacks and incidents include me in their correspondence and forward any logs. Thank you all in advance for your assistance.

Quick background on what's been happening: Starting around December 5th, DALnet has been hit with large attacks. These attacks have been able to take some large ISPs completely offline (i.e. multiple T3 connections, etc). I'd like to start working with any of you who have logs like the ones reported. The logs I'm interested in are from December which indicate connections to multiple DALnet addresses.

Theory on what some of you may be seeing: To produce attacks of the size we've seen, it would take a lot of compromised hosts. Some of the hosts you may see in your logs attempting to connect to IRC servers in sequence may indicate a compromised host.

My association with DALnet can be verified through:
- whois dal.net - note DNS servers
- whois powertrip.net - note my contact info (AS508)
..or e-mail dalvenjah () dal net directly if you feel more comfortable.

Thanks again.

- Aaron Schultz
- aaron () powertrip net

------

On Thu, 28 Dec 2000, Conor McGrath wrote:
> Bill_Royds () pch gc ca once said:
>> We have been getting the same traffic hitting our firewall. More interestingly it is being sent to non-existent hosts behind our firewall which could never have sent the original packets, and we do not allow IRC out anyway. It could be replies to spoofed packets or a way of probing for servers. Here are some firewall logs (sanitized as to our address) showing this:
>>
>> logfile.20001224:Dec 24 16:15:58.327 gate kernel: 232 Sending ICMP host (prohibited) unreachable. Original packet (dalnet.away.net[199.173.178.1]->server.seg.ip.83: Protocol=TCP[SYN ACK] Port
>> [snip most of the logs]
>>
>> There are many more like this.
>
> I don't suppose you managed to capture any of those packets, did you?
>
> Due to privacy concerns, I am not allowed to capture packets as they come in over our gateway. Of course, I can capture anything that comes directly to my machine, but they haven't hit me directly since before my awareness was raised. I'd be suspicious, but we do have an entire Class B network and I only have a few machines for which I'm personally responsible, and if these are scans, they are fairly slow (never any more than two hundred an hour per host). I've seen people do ftp scans of 35k+ on us in an hour. We tend to notice those right away :-)
>
> -- Conor McGrath
> Network Security Officer
> Network Security Center, The University of Chicago
> Phone: (773)702-7611
> Fax: (773)702-0559
> PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml
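The log lines Bill Royds quotes are the signature of backscatter: an unsolicited SYN/ACK from an IRC server to an internal address is the server's reply to a SYN that carried that address as a spoofed source. The Python below is an added example, not code from the thread; it parses lines in that firewall format and groups unsolicited SYN/ACKs by source so a defender can tell backscatter from a scan. It assumes the snipped trailing field reads "Port sport->dport", uses 6667 as the IRC server port, and the log lines themselves are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the firewall format quoted in the thread.
# The "Port a->b" field and port 6667 are assumptions (the post snipped it).
SAMPLE_LOG = """\
Dec 24 16:15:58.327 gate kernel: 232 Sending ICMP host (prohibited) unreachable. Original packet (dalnet.away.net[199.173.178.1]->10.83.0.5: Protocol=TCP[SYN ACK] Port 6667->3072)
Dec 24 16:16:02.110 gate kernel: 233 Sending ICMP host (prohibited) unreachable. Original packet (dalnet.away.net[199.173.178.1]->10.83.0.17: Protocol=TCP[SYN ACK] Port 6667->1024)
Dec 24 16:16:40.512 gate kernel: 234 Sending ICMP host (prohibited) unreachable. Original packet (dalnet.away.net[199.173.178.1]->10.83.1.200: Protocol=TCP[SYN ACK] Port 6667->3072)
Dec 24 16:17:01.004 gate kernel: 235 Sending ICMP host (prohibited) unreachable. Original packet (mirror.example.net[192.0.2.9]->10.83.0.5: Protocol=TCP[SYN] Port 4212->21)
"""

LINE_RE = re.compile(
    r"Original packet \((?P<src_host>[^\[]+)\[(?P<src_ip>[\d.]+)\]->(?P<dst>[^:]+): "
    r"Protocol=TCP\[(?P<flags>[^\]]+)\] Port (?P<sport>\d+)->(?P<dport>\d+)"
)


def parse_rejects(text):
    """Yield one dict per rejected TCP packet the firewall logged."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["flags"] = set(rec["flags"].split())
            yield rec


def backscatter_sources(text, min_targets=2):
    """Return sources whose unsolicited SYN/ACKs reached >= min_targets distinct
    internal addresses.  A SYN/ACK nobody behind the firewall asked for is the
    reply to a SYN that spoofed our address; many of them from one server,
    spread across hosts that do not exist, is backscatter rather than a scan."""
    targets = defaultdict(set)
    for rec in parse_rejects(text):
        if {"SYN", "ACK"} <= rec["flags"]:
            targets[rec["src_ip"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in backscatter_sources(SAMPLE_LOG).items():
        print(f"{src}: unsolicited SYN/ACK to {len(dsts)} internal hosts {dsts}")
```

The plain SYN from 192.0.2.9 is left out because it is an inbound connection attempt, not a reply; only the DALnet server's SYN/ACKs to several non-existent hosts are reported.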