Re: Probe from UK Provider ?

[downlink () WITTYS COM (Jason Witty)]

I have also seen an extremely large number of probes from demon.co.uk,
demon.net, and several of the smaller U.K. ISPs which use them as their
backbone.  So far, there's been lots of Queso scanning, a few instances of
CGI scanning, and TONS of UDP Bombs.  I also got the "we had a router which
was mangling packets" excuse when talking with their abuse department!
Unbelievable.......

At 11:31 AM 1/20/00 +1100, you wrote:
> > Today some guy over here downloaded something from ftp.fishnet.co.uk , and
> > we started to get these entries in our firewall:
> >
> > Jan 18 15:48:36 gw kernel: Packet log: input REJECT eth0 PROTO=6
> > 194.159.150.13: 1161 <my_ip_addr>:80 L=562 S=0x00 I=58886 F=0x4000 T=109
>
> i see similar problems with most sites hosted by demon.co.uk.
> we send a http/smtp request to a site hosted somewhere in their network
> & we see traffic like:
>
> tcp 212.240.52.130(2154) -> fw_ip(80)
> tcp 194.217.242.92(1569) -> fw_ip(80)
> tcp 194.217.242.92(2754) -> fw_ip(80)
> tcp 194.217.242.92(48129) -> fw_ip(48129)
> tcp 194.217.242.41(57777) -> fw_ip(80)
> tcp 194.217.242.41(1952) -> fw_ip(80)
> tcp 194.217.242.41(769) -> fw_ip(46939)
> tcp 194.217.242.41(1633) -> fw_ip(80)
> tcp 194.217.242.41(1777) -> fw_ip(80)
> tcp 194.217.242.41(3572) -> fw_ip(80)
> tcp 194.217.242.41(1067) -> fw_ip(80)
> tcp 194.217.242.41(1247) -> fw_ip(80)
> tcp 194.217.242.41(51550) -> fw_ip(80)
> tcp 194.217.242.41(1083) -> fw_ip(80)
> tcp 194.217.242.41(1093) -> fw_ip(80)
> tcp 194.217.242.41(3146) -> fw_ip(21)
>
> i sent an email to abuse () demon co uk last year in october with little
> success. they mumbled something about problems with hardware
> mangling packets. sigh...
> the fw in question doesn't listen in on port 80 or 21.
> i'd be curious to know if other sites see similar problems.
> we're just blocking the traffic & putting up with the noise
> in the logs for now.
>
> cheers,
> pauline