Re: ics.org rejected packets

[Attonbitus Deus <Thor () HAMMEROFGOD COM>]

The ics.org guys are already on it to see what is happening here.
Impressive, actually- this is the first time i have received a response from
anyone when I request information on IP activity.

Something is definitely going on around here though... Yesterday, I had over
8 hours of (mostly TCP 38774-38778) destination traffic rejected by my
firewall from a UK ip (194.238.189.*) resulting in over 20,000 log entries.
AD


----- Original Message -----
From: "Jeff" <jeff () TCNET ORG>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Saturday, December 30, 2000 1:43 PM
Subject: Re: ics.org rejected packets


> On Sat, 30 Dec 2000, Attonbitus Deus wrote:
>
> > I've got about 20 minutes worth of rejected packets in my log from
ics.org
> > (12.40.53.18).
> > All against 51700-51705.
>
> Greetings-
>
> I'll assume you speak of a tcp and/or udp port range here.
>
> ICQ-related. I know of nothing that links ics.org with ICQ/AOL, so it is
> likely someone using ICQ to communicate with someone using ICQ on your
> network. ICQ clients try to communicate peer-to-peer via UDP, TCP for file
> transfers and later versions of the protocol. Failing that, they resort to
> using ICQ servers as a middleman.
>
> Innocent causes aside, someone could be trying to probe your network to
> determine if you have opened these ports for forwarding into the internal
> network/past the screening routers to allow internal clients to use ICQ.
>
> I don't recall the state of common ICQ clients in terms of known exploits
> -- other than those purely social in nature.
>
> Further investigation at your discretion.
>
> -jeff
>
> --
> Jeff Godin
> Network Specialist
> Traverse Area District Library / Traverse Community Network
> jeff () tcnet org