Firewall Wizards mailing list archives
Re: repetitive port scanning, why?
From: "Michael H. Warfield" <mhw () wittsend com>
Date: Thu, 5 Aug 1999 10:53:19 -0400 (EDT)
Fred Kreitzberg enscribed thusly:
Our web store underwent a heavy port scan yesterday. It was unusual in both the number of scans, the port scanning pattern and the fact they scanned each port 6 times. They were fast too, 8600 scans in less than 2 minutes. Is this a new product/technique?
If I were to take a WAG (Wild *** Guess) at this, I would guess that you have your firewall set to "deny" these connections as in "drop the packets on the floor and ignore them". If that's the case, then I don't think you are seeing each port "scanned" 6 times, I think you are seeing the SYN packets being retried by the tcp stack at the other end. Any decent port scanner could crank up 1400 connections in 2 minutes (assuming the "6 scans" were really 1 connection attempt including retries so 8600 / 6 is about 1433 connection attempts). That's only about 12 connection attempts per second. That's not even breathing hard. Somebody did a connected TCP port scan against you. I don't see anything unusual there.
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2301 to 206.81.220.22 2011 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2302 to 206.81.220.22 655 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2303 to 206.81.220.22 273 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2304 to 206.81.220.22 4144 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2305 to 206.81.220.22 1480 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2306 to 206.81.220.22 747 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2307 to 206.81.220.22 36 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2308 to 206.81.220.22 316 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2309 to 206.81.220.22 600 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2310 to 206.81.220.22 159 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2311 to 206.81.220.22 530 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2312 to 206.81.220.22 2011 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2313 to 206.81.220.22 655 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2314 to 206.81.220.22 273 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2315 to 206.81.220.22 4144 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2316 to 206.81.220.22 1480 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2317 to 206.81.220.22 747 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2318 to 206.81.220.22 36 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2319 to 206.81.220.22 316 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2320 to 206.81.220.22 600 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2321 to 206.81.220.22 159 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2322 to 206.81.220.22 530 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2323 to 206.81.220.22 2011 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2324 to 206.81.220.22 655 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2325 to 206.81.220.22 273 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2326 to 206.81.220.22 4144 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2327 to 206.81.220.22 1480 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2328 to 206.81.220.22 747 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2329 to 206.81.220.22 36 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2330 to 206.81.220.22 316 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2331 to 206.81.220.22 600 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2332 to 206.81.220.22 159 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2333 to 206.81.220.22 530 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2334 to 206.81.220.22 10005 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2335 to 206.81.220.22 201 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2336 to 206.81.220.22 2032 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2337 to 206.81.220.22 832 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2338 to 206.81.220.22 2004 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2339 to 206.81.220.22 504 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2340 to 206.81.220.22 1381 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2341 to 206.81.220.22 1448 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2342 to 206.81.220.22 355 flags SYN

Fredrick W. Kreitzberg...............................................Data Security
Recreational Equipment Inc. (REI)........................email: fkreitz () rei com
Box 1938.....................................................phone: 253.395.5881
Sumner, WA 98390-0800.....................................FAX: 253.395.4720
"Quality Outdoor Gear and Clothing Since 1938"..........http://www.rei.com
Mike
--
Michael H. Warfield | (770) 985-6132 | mhw () WittsEnd com
(The Mad Wizard) | (770) 925-8248 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
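A way to test the retry hypothesis from the reply above against the firewall log itself, as an added example that is not part of the original thread and not code from either poster. A SYN retransmitted by the remote TCP stack reuses the same source port, so it repeats the same (src, sport, dst, dport) tuple; a scanner that deliberately re-probes a port opens a new socket and shows up with a new source port. The script parses constructed log lines in the format quoted on the page (a subset of the quoted lines, plus a constructed retransmit sequence from a placeholder address), counts both kinds, and reproduces the entries-per-attempt rate arithmetic from the reply. Function and constant names (`parse`, `classify`, `attempt_rate`, `SAMPLE_LOG`, `RETRY_LOG`) are this example's own. Run on the quoted excerpt, every target port recurs with a different source port, so the check reports them as distinct attempts rather than retransmits.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the firewall log lines quoted in the thread,
# retyped with the timestamp colons restored. All carry the same second.
SAMPLE_LOG = """\
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2301 to 206.81.220.22 2011 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2302 to 206.81.220.22 655 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2303 to 206.81.220.22 273 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2312 to 206.81.220.22 2011 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2313 to 206.81.220.22 655 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2314 to 206.81.220.22 273 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2323 to 206.81.220.22 2011 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2324 to 206.81.220.22 655 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2325 to 206.81.220.22 273 flags SYN
"""

# Constructed sequence showing what a real stack retransmit looks like: the
# same source port hits the same target port at growing back-off intervals.
# 10.0.0.9 is a placeholder address, not one from the thread.
RETRY_LOG = """\
Aug 2 17:43:40 Inbound TCP connection denied from 10.0.0.9 40000 to 206.81.220.22 80 flags SYN
Aug 2 17:43:43 Inbound TCP connection denied from 10.0.0.9 40000 to 206.81.220.22 80 flags SYN
Aug 2 17:43:49 Inbound TCP connection denied from 10.0.0.9 40000 to 206.81.220.22 80 flags SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) Inbound TCP connection denied from "
    r"(?P<src>[\d.]+) (?P<sport>\d+) to (?P<dst>[\d.]+) (?P<dport>\d+) flags (?P<flags>\S+)$"
)


def parse(log_text):
    """Yield one record per parseable line; anything else is skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            yield rec


def classify(log_text):
    """Split denied SYNs into stack retransmits and distinct connection attempts.

    Returns (attempts, retransmits, probes_per_port): attempts is the number of
    distinct (src, sport, dst, dport) tuples, retransmits the number of log
    entries that repeated an already-seen tuple, and probes_per_port maps each
    (dst, dport) to how many different source ports were used against it.
    """
    seen = set()
    retransmits = 0
    sports_by_target = defaultdict(set)
    for rec in parse(log_text):
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        if key in seen:
            retransmits += 1
            continue
        seen.add(key)
        sports_by_target[(rec["dst"], rec["dport"])].add(rec["sport"])
    probes_per_port = {k: len(v) for k, v in sports_by_target.items()}
    return len(seen), retransmits, probes_per_port


def attempt_rate(log_entries, entries_per_attempt, seconds):
    """The reply's arithmetic: entries / entries-per-attempt gives attempts,
    and attempts / elapsed seconds gives the connection rate."""
    attempts = log_entries / entries_per_attempt
    return attempts, attempts / seconds


if __name__ == "__main__":
    print("quoted excerpt:", classify(SAMPLE_LOG))
    print("retransmit sample:", classify(RETRY_LOG))
    print("8600 entries, 6 per attempt, 120 s:", attempt_rate(8600, 6, 120))
```

If the per-port count is 1 and the retransmit count is high, the firewall is logging the remote stack's retries and the "N scans per port" figure is inflated; if each port shows several distinct source ports, the scanner itself re-probed and the figure is real. Either way the denied-SYN count alone does not tell which.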
Current thread:
- repetitive port scanning, why? Fred Kreitzberg (Aug 04)
- Re: repetitive port scanning, why? Siglite (Aug 05)
- Re: repetitive port scanning, why? Michael H. Warfield (Aug 06)
- <Possible follow-ups>
- Re: repetitive port scanning, why? Robert Graham (Aug 06)