Security Incidents mailing list archives
Re: scans on ports 3072 and 1024, why?
From: "Ryan W. Maple" <ryan () GUARDIANDIGITAL COM>
Date: Fri, 29 Dec 2000 10:27:37 -0500
I contacted a dalnet admin earlier this week in response to probes such as this, and I got the following response (may provide some insight). My machine was simply dropping the packets, therefore not responding as he outlines below (for the record ;)).
Date: Wed, 27 Dec 2000 11:31:49 -0500 (EST)
From: Karthik Arumugham <karthik () karthik com>
To: Ryan W. Maple <ryan () guardiandigital com>
Cc: driz () dal net
Subject: Re: Connections to random machines from 199.173.178.1

Hi Ryan,

It seems your network is being unwittingly used to relay an attack to us; all of the DALnet IRC network has been under very heavy assault for the last few weeks. Some people are sending traffic to random sites (e.g. you) such that you reply and flood our server, in a way that makes it quite difficult to trace.

There's really not much we can do about this other than hope they go away.

- Karthik
Cheers,
Ryan

+-- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --+
Ryan W. Maple            "I dunno, I dream in Perl sometimes..." -LW
Guardian Digital, Inc.   ryan () guardiandigital com
+-- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --+

On Thu, 28 Dec 2000, Sean Brown wrote:
I've been seeing similar traffic on my site. Source ports are always 6667. Source host is dalnet.away.net. Destination hosts appear random throughout my net. Destination ports also appear to be random and never the same port twice. These are single TCP RST packets arriving at random intervals. I began seeing the traffic last week. I can supply a packet capture if anyone is interested.

Conor McGrath wrote:

We've been seeing lots of scans of IPs in our address space with the destination ports of 1024 and 3072. They are always paired like that, although they don't hit the same IP on both ports, as far as I can tell. The source ports are most often typical IRC server ports (6667 and 6668) but sometimes they are sourced from ports 80 and 7325.
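As an added example (not part of the original messages): a Python sketch that tallies the pattern described in this thread, unsolicited packets from server-like source ports spread across many local hosts, and separates those that would draw a reply toward the claimed source from RSTs that draw none. The log layout, the addresses and the SYN flag on the 1024/3072 probes are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Source ports reported in the thread (IRC server ports, plus 80 and 7325).
SERVICE_SPORTS = {6667, 6668, 80, 7325}

# Constructed sample in a simplified tcpdump-like layout (assumed format).
# 192.0.2.10 stands in for the IRC server, 198.51.100.0/24 for the local net.
SAMPLE = """\
10:01:02 192.0.2.10.6667 > 198.51.100.7.1024: S
10:01:02 192.0.2.10.6667 > 198.51.100.93.3072: S
10:03:40 192.0.2.10.6668 > 198.51.100.21.1024: S
10:04:11 192.0.2.10.6667 > 198.51.100.150.41873: R
10:09:57 192.0.2.10.6667 > 198.51.100.12.2291: R
10:12:30 203.0.113.5.51000 > 198.51.100.7.80: S
"""

LINE = re.compile(
    r"(\S+) (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): ([SR])")

def parse(text):
    """Yield (src, sport, dst, dport, flag) for each recognised line."""
    for m in LINE.finditer(text):
        _ts, src, sport, dst, dport, flag = m.groups()
        yield src, int(sport), dst, int(dport), flag

def summarize(text, established=frozenset(), min_hosts=2):
    """Tally unsolicited packets per source.

    established: (local_ip, remote_ip) pairs for connections we opened
    ourselves, so their legitimate replies are not counted.
    """
    stats = defaultdict(lambda: {"hosts": set(), "S": 0, "R": 0})
    for src, sport, dst, _dport, flag in parse(text):
        if sport not in SERVICE_SPORTS or (dst, src) in established:
            continue
        stats[src]["hosts"].add(dst)
        stats[src][flag] += 1
    report = {}
    for src, s in stats.items():
        if len(s["hosts"]) < min_hosts:
            continue  # one host hit: not the scattered pattern
        # A SYN draws a SYN-ACK or RST from a host that answers, sent to the
        # claimed source; an inbound RST is never answered.
        report[src] = {"hosts": len(s["hosts"]),
                       "reply_eliciting": s["S"], "rst_only": s["R"]}
    return report
```

A non-zero `reply_eliciting` count marks traffic where silently dropping the packets, as described in the message above, keeps the local network from sending anything toward the claimed source.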