Security Incidents mailing list archives

Re: 27015 probe increase??


From: bhc2 () cornell edu
Date: Wed, 11 Jul 2001 17:09:17 -0400 (EDT)

On Tue, 10 Jul 2001, cg wrote:
> I've seen increased activity on port 27015. In the last half hour I've
> gotten the following probes. I'm just a lowly dsl user, not even pingable
> from outside.
> Rule "gather" blocked (xx.xxx.xxx.xx,27015).  Details:

Port 27015 is the port used for the game "Half-Life," a First Person 
Shooter. I doubt you have much to worry about, from the fact that this 
was a two minute log and judging by the number of hits I would have to 
guess that your IP (possibly it is assigned using DHCP?) was listed 
either online at a webpage or on one of the Half-Life servers as hosting 
a game. Thus users would instruct their machines to connect to yours, in 
order to play.

The IPs I recognize from the states all appear to be of Cable/DSL origin:
Remote address,service is (24.24.150.52,2756)
we-24-24-150-52.we.mediaone.net
Remote address,service is (24.250.96.93,22952
ci170011-a.athen1.ga.home.com
Remote address,service is (65.81.53.244,22952)
adsl-81-53-244.asm.bellsouth.net
The gaming community is well known as an early adopter of Broadband in the 
pursuit of lower PING times to the server. 
If in fact your IP is assigned dynamically (DHCP, etc.) then this sounds 
very familiar to the port 6346 DOS reported last week; 6346 is actually 
the port used for the GNutella network; where a user with this IP 
previously had started and "announced"/broadcast services which you do 
not support. I hope this calms your fears slightly. It is always good to 
be diligent about security.

-B


----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

