Security Incidents mailing list archives
Re: Scans from reserved addresses??
From: bryan () VISI COM (Bryan Andersen)
Date: Thu, 11 May 2000 03:16:07 -0500
Ralf Günthner wrote:
> I see a lot of connection attempts on port 51962 from addresses like these:
> 68.128.1.2 74.128.1.1 69.144.1.22 .....
> All addresses are "reserved-7" according to ARIN. Any ideas, what's going on here?
> I thought at first it's an nmap scan with the decoy option enabled...

The fact that they are reserved leads me to believe that someone might have compromised a router or firewall between you and the backbone. A compromised router can be set to divert any netblock to any link. This allows one to be virtually untraceable from the scanned end. The only way to find the source is to set up packet logging on each link looking for the offending packets if they are still being transmitted. Being reserved, there is no one to complain to, and it becomes a time-consuming tracking matter to locate where they are coming from.

It could also just be spoofed return addresses.

Can you log the packet contents so we can see what is being tried? Is there a two-way communication, or are these just the initial opening packets?

--
| Bryan Andersen | bryan () visi com | http://softail.visi.com |
| Buzzwords are like annoying little flies that deserve to be swatted. |
| -Bryan Andersen |