Educause Security Discussion mailing list archives

Previous Thread on Increased Probes


From: Lois Lehman <LOIS.LEHMAN () ASU EDU>
Date: Fri, 23 Jul 2004 07:40:03 -0700

Sorry to bring this up again but a colleague at another university has
asked me if anyone has seen a recent flood of attacks on their address
space similar to what he experienced a couple of weeks ago.  I remember
there was some talk, maybe on this list, about seeing incoming packets
from many sources with numbers near a thousand.  But in cleaning out my
Inbox after a vacation, I must have deleted that information.

Here is a sample of some of the traffic from one source found in his
logs:

Jul  9 21:21:54 gateway 1305838: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:54 gateway 1305839: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:54 gateway 1305841: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:55 gateway 1305842: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:55 gateway 1305843: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 2 packets
Jul  9 21:21:55 gateway 1305845: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:55 gateway 1305846: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:55 gateway 1305848: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:55 gateway 1305849: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 2 packets
Jul  9 21:21:55 gateway 1305850: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:56 gateway 1305852: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:56 gateway 1305853: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:56 gateway 1305856: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 2 packets


Is this what others were seeing, an attack on port 23?  Has anyone
determined the purpose of this flood?

Thanks!

Lois Lehman
College Network Security Manager
Physical Sciences Computer Support Manager
College of Liberal Arts & Sciences
Arizona State University
480-965-3139
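
Added example, not part of the original message: a tally of %SEC-6-IPACCESSLOGP entries by action, source, destination and destination port, which shows whether a burst like the one in the excerpt is a single source hitting one port or many sources. The sample log and its addresses are constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the excerpt above, including the
# second line a mail client produces when it wraps each record.
SAMPLE = """\
Jul  9 21:21:54 gateway 1305838: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 192.0.2.77(41085) -> 198.51.100.10(23), 1 packet
Jul  9 21:21:55 gateway 1305843: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 192.0.2.77(41085) -> 198.51.100.10(23), 2 packets
Jul  9 21:21:56 gateway 1305850: 2d14h: %SEC-6-IPACCESSLOGP: list 120
denied tcp 192.0.2.99(1042) -> 198.51.100.11(23), 1 packet
Jul  9 21:21:57 gateway 1305851: 2d14h: %SYS-5-CONFIG_I: Configured from console
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")  # syslog timestamp
RECORD = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\S+?)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\S+?)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?"
)

def unwrap(text):
    """Rejoin records that were wrapped onto a continuation line."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Return {(action, src, dst, dport): {"packets": n, "entries": n}}."""
    totals = defaultdict(lambda: {"packets": 0, "entries": 0})
    for rec in unwrap(text):
        m = RECORD.search(rec)
        if not m:
            continue  # a different syslog message, not an ACL port log
        key = (m["action"], m["src"], m["dst"], int(m["dport"]))
        totals[key]["packets"] += int(m["pkts"])
        totals[key]["entries"] += 1
    return dict(totals)

if __name__ == "__main__":
    for key, count in sorted(summarize(SAMPLE).items()):
        print(key, count)
```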
