Security Incidents mailing list archives

Odd activity


From: "Kelly Martin" <kellym () fb org>
Date: Sat, 30 Mar 2002 18:30:19 -0600

I've been getting a good amount of rather odd traffic for the past six hours
or so.  203.208.171.210 (registered to a company in Singapore) has been
lobbing TCP to apparently random ports and hosts on my network.  I can't
detect a pattern.  The rate is pretty low, too: one packet every couple of
minutes or so.  A sample log extract is appended.

Is this backscatter from someone else scanning using some of my IP addresses
for spoofing, or some sort of network mapping technique I haven't heard of
yet?

Also, someone at Earthlink (in the office, it looks like; 207.217.94.249)
swept UDP from port 33476 to 33523 to an IP on our network that is not
currently being used (and in fact has not been used in a very long time),
one packet per five seconds, ascending port numbers, no repetitions.  Is
this traceroute?

Kelly

Mar 30 12:19:03 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1196 dst inside:x.x.60.72/1045
Mar 30 12:19:04 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1252 dst inside:x.x.60.84/1267
Mar 30 12:19:32 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1138 dst inside:x.x.60.76/1156
Mar 30 12:23:12 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1167 dst inside:x.x.60.157/1278
Mar 30 12:25:18 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1192 dst inside:x.x.60.247/1154
Mar 30 12:30:43 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1094 dst inside:x.x.60.209/1206
Mar 30 12:33:07 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1269 dst inside:x.x.60.125/1091
Mar 30 12:34:13 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1027 dst inside:x.x.60.156/1166
Mar 30 12:36:37 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1054 dst inside:x.x.60.195/1264
Mar 30 12:37:46 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1135 dst inside:x.x.60.212/1097
Mar 30 12:37:51 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1104 dst inside:x.x.60.240/1121
Mar 30 12:40:57 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1266 dst inside:x.x.60.36/1270
Mar 30 12:52:04 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1067 dst inside:x.x.60.195/1128
Mar 30 13:03:51 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1254 dst inside:x.x.60.106/1153
Mar 30 13:04:00 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1125 dst inside:x.x.60.99/1194
Mar 30 13:10:25 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1175 dst inside:x.x.60.129/1268
Mar 30 13:10:35 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1062 dst inside:x.x.60.186/1247
Mar 30 13:10:49 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1183 dst inside:x.x.60.70/1027
Mar 30 13:10:58 - %PIX-3-106010: Deny inbound tcp src outside:203.208.171.210/1082 dst inside:x.x.60.52/1141
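
One way to tabulate an extract like the one in the post before judging whether it has a pattern, added here as an example and not part of the original message: it parses `%PIX-3-106010` entries (wrapped across lines or not) and reports port ranges, distinct targets and packet spacing. The function names and the `year` default are assumptions; the sample is the first five entries of the posted extract.

```python
import re
from datetime import datetime
from statistics import median

# First five entries of the extract in the post, wrapped as they were mailed.
SAMPLE = """\
Mar 30 12:19:03 - %PIX-3-106010: Deny inbound tcp src
outside:203.208.171.210/1196 dst inside:x.x.60.72/1045
Mar 30 12:19:04 - %PIX-3-106010: Deny inbound tcp src
outside:203.208.171.210/1252 dst inside:x.x.60.84/1267
Mar 30 12:19:32 - %PIX-3-106010: Deny inbound tcp src
outside:203.208.171.210/1138 dst inside:x.x.60.76/1156
Mar 30 12:23:12 - %PIX-3-106010: Deny inbound tcp src
outside:203.208.171.210/1167 dst inside:x.x.60.157/1278
Mar 30 12:25:18 - %PIX-3-106010: Deny inbound tcp src
outside:203.208.171.210/1192 dst inside:x.x.60.247/1154
"""

ENTRY = re.compile(
    r"(\w{3} +\d+ \d\d:\d\d:\d\d) - %PIX-3-106010: Deny inbound (\w+) "
    r"src \w+:([\d.]+)/(\d+) dst \w+:([\w.]+)/(\d+)")

def parse(text, year=2002):
    """Return one dict per 106010 entry; syslog omits the year, so it is supplied."""
    flat = " ".join(text.split())  # undo mail wrapping and repeated spaces
    entries = []
    for ts, proto, src, sport, dst, dport in ENTRY.findall(flat):
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        entries.append({"time": when, "proto": proto, "src": src,
                        "sport": int(sport), "dst": dst, "dport": int(dport)})
    return entries

def summarize(entries):
    """Collapse parsed entries into the figures an analyst compares by eye."""
    times = sorted(e["time"] for e in entries)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    sports = [e["sport"] for e in entries]
    dports = [e["dport"] for e in entries]
    return {
        "packets": len(entries),
        "sources": sorted({e["src"] for e in entries}),
        "distinct_dst_hosts": len({e["dst"] for e in entries}),
        "sport_range": (min(sports), max(sports)),
        "dport_range": (min(dports), max(dports)),
        "dports_below_1024": sum(p < 1024 for p in dports),
        "median_gap_s": median(gaps) if gaps else None,
    }

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```
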

