Re: Sudden increase in scans.

[Berend De Schouwer <bds () jhb ucs co za>]

On Sat, 22 Jul 2000 07:11:46 Jason Lewis wrote:
> I don't know why this made me think of it but.....
>
> I haven't had ANY scans, since I disabled pinging internal machines from
> my router.  ZERO!  I used to get loads of scans ALL the time.  They have
> stopped completely.  To test my theory, I am going to re-enable ping to
> public server and see what happens.
>
> What does everyone think of disabling ICMP at the router?

Blocking some ICMP is bad.  For example, don't block
"IP fragmentation needed", since you'll never know if you are going
across a line of different MRU/MTU size, and you won't connect.

Read http://www.worldgate.com/~marcs/mtu/

> Jas
> http://www.jasonlewis.net
>
>
> -----Original Message-----
> From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
> Behalf Of Rune Kristian Viken
> Sent: Thursday, July 20, 2000 5:08 AM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: Sudden increase in scans.
>
>
> There has suddenly been an enourmous increase of scans aimed at my
> network.  It
> started 14 / 07 has been increasing ever since.
>
> It started out with a single 'socks' scan the 14'th.  Then socks(again)
> and
> sunrpc the 15th, ftp and dns the 16th.. then it exploded
>
> The 17th, we had the following scans:
>
> 2. scans of port 1243 with 11 mins in between
> 1. scan of port 20034
> 30(!). scans of port 5500 , starting out at 17:30 (local time) and
> proceding
> with intervals from 5 mins to 30 minutes throuhgout the day
>
> 18th:
>
> 47. scans of port 5500 from 00:00 to 11:12 (!!)
> 1. scan of 400
>
> 19:
> 3. scans of port 5500, not at a specific time
> 2. scans of port 2835 (within 10 seconds)
>
>
> --
> "Rune Kristian Viken" <rune () trans4media com>
> <http://arcade.kvinesdal.com>
> System, Network & Security Administrator.  Phone: (+47) 92 85 34 38

--
Kind regards,                           
Berend

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Berend De Schouwer, +27-11-712-1435, UCS