Security Incidents mailing list archives
Strange Happenings @Home
From: fhirsch () TSE COM (Fred Hirsch)
Date: Tue, 30 May 2000 10:28:33 -0400
I run a Linux IP-masqueraded firewall for a small home network from within the @Home domain. This same system hosts my small consulting web site as well. I recently moved from one @Home provider (Shaw-Canada) to another (Rogers-Canada). Once I got my firewall system up and running, I was receiving hundreds of denyable packets. Within 4 days, my firewall logs were 90MB. While I know that networking is not my forte, I do know how to read the packet logs, and I was led to believe that someone is either running some badly implemented or configured software or that something harmful was actually originating from within the subnet.
From what I can tell, many of these denied packets are on ports 67 and 68, which according to my /etc/services is bootp. Is there a reason why someone would run a bootp server on an @Home network? Additionally, I receive a number of high level port hits from many anonymous IPs. Do game servers such as Quake browse around through subnets looking for replies? Because this seems to be the activity I am seeing. I do not see any typical ports for BO or other Windows-based subversions. Many of the IPs floating in my logs are not in the @Home subnet which I belong to. I also see a lot of local network IPs like 192.168.x.x trying to hit the firewall as well. Could this be a badly configured system somewhere else on my subnet, or is it possible that something more nefarious is going on? I can probably put up a sample of some of the log entries as well. Thanks for