Security Incidents mailing list archives

Re: Sudden increase in scans.


From: jlewis () JASONLEWIS NET (Jason Lewis)
Date: Sat, 22 Jul 2000 01:11:46 -0400


I don't know why this made me think of it but.....

I haven't had ANY scans, since I disabled pinging internal machines from
my router.  ZERO!  I used to get loads of scans ALL the time.  They have
stopped completely.  To test my theory, I am going to re-enable ping to
public server and see what happens.

What does everyone think of disabling ICMP at the router?

Jas
http://www.jasonlewis.net

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM] On Behalf Of Rune Kristian Viken
Sent: Thursday, July 20, 2000 5:08 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Sudden increase in scans.

There has suddenly been an enormous increase of scans aimed at my
network.  It started 14 / 07 and has been increasing ever since.

It started out with a single 'socks' scan the 14th.  Then socks (again)
and sunrpc the 15th, ftp and dns the 16th.. then it exploded

The 17th, we had the following scans:

2. scans of port 1243 with 11 mins in between
1. scan of port 20034
30(!). scans of port 5500, starting out at 17:30 (local time) and
proceeding with intervals from 5 mins to 30 minutes throughout the day

18th:

47. scans of port 5500 from 00:00 to 11:12 (!!)
1. scan of 400

19:
3. scans of port 5500, not at a specific time
2. scans of port 2835 (within 10 seconds)


--
"Rune Kristian Viken" <rune () trans4media com>
<http://arcade.kvinesdal.com>
System, Network & Security Administrator.  Phone: (+47) 92 85 34 38


