Security Incidents mailing list archives

Re: Scans from reserved addresses??


From: bryan () VISI COM (Bryan Andersen)
Date: Thu, 11 May 2000 03:16:07 -0500


Ralf Günthner wrote:
I see a lot of connection attempts on port 51962 from addresses like these:
68.128.1.2
74.128.1.1
69.144.1.22
.....

All addresses are "reserved-7" according to ARIN. Any ideas, what's going on here?
I thought at first it's an nmap scan with the decoy option enabled...

The fact that they are reserved leads me to believe that someone might
have compromised a router or firewall between you and the backbone.
A compromised router can be set to divert any netblock to any link.
This allows one to be virtually untraceable from the scanned end.
The only way to find the source is to set up packet logging on each
link looking for the offending packets if they are still being
transmitted.  Being reserved there is no one to complain to, and it
becomes a time consuming tracking matter to locate where they are
coming from.

It could also just be spoofed return addresses.

Can you log the packet contents so we can see what is being tried?

Is there a two way communication, or are these just the initial
opening packets?

--
|  Bryan Andersen   |   bryan () visi com   |   http://softail.visi.com   |
| Buzzwords are like annoying little flies that deserve to be swatted. |
|   -Bryan Andersen                                                    |
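
Added example, not part of the original post: a small log triage script for the two questions asked above, checking whether packets from the reserved sources are only initial SYNs or show signs of two-way traffic. The log format, the sample lines and the /8 boundaries around the quoted addresses are assumptions made for illustration.

```python
import ipaddress

# Assumption: /8 blocks around the addresses quoted in the post, treated as
# reserved as the post describes. Substitute your own current bogon list.
RESERVED = [ipaddress.ip_network(n)
            for n in ("68.0.0.0/8", "69.0.0.0/8", "74.0.0.0/8")]

# Constructed sample log, one packet per line: "<src> <dst_port> <tcp_flags>"
SAMPLE_LOG = """\
68.128.1.2 51962 S
74.128.1.1 51962 S
69.144.1.22 51962 S
69.144.1.22 51962 A
192.0.2.10 80 S
truncated line
"""

def is_reserved(addr):
    return any(addr in net for net in RESERVED)

def classify(log_text):
    """Map each reserved source to 'syn-only' or 'two-way'."""
    state = {}  # src -> [syn_seen, ack_after_syn]
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records
        try:
            src = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        if not is_reserved(src):
            continue
        seen = state.setdefault(str(src), [False, False])
        flags = parts[2]
        if "S" in flags:
            seen[0] = True
        elif "A" in flags and seen[0]:
            # A bare ACK following a SYN is consistent with a completed
            # handshake, which a blindly spoofed source normally cannot do.
            seen[1] = True
    return {src: "two-way" if s[1] else "syn-only" for src, s in state.items()}

if __name__ == "__main__":
    for src, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(src, verdict)
```

A "two-way" verdict suggests the reserved block is actually being routed somewhere, while "syn-only" fits either spoofed return addresses or a scan that never completes the handshake.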


