Security Incidents mailing list archives

RE: Increase in TCP 6129 (Dameware) scans?


From: Kevin Patz <jambo_cat () yahoo com>
Date: Thu, 22 Jan 2004 10:19:02 -0800 (PST)


--- Michael Wright <mcwright () dbls com> wrote:
> I'm seeing similar scans on multiple firewalls.
>
> Interesting findings:
>
> 1.  Port 220 seems to be a popular source port for the scans.

I noticed the same thing after posting my original inquiry.

> 2.  It's a slow scan (presumably due to a single source port and TCP
> utilization rather than UDP)

Makes sense. Another thing I noticed, since my firewall drops unauthorized SYN packets, the source-220 scans only make one attempt, rather than the 2 or 3 tries that most applications requesting TCP connections make (including scans I've seen to 6129 with ephemeral source ports).

Also, with the single source port, I bet these scans are just sniffing for machines that are listening on the port, rather than attempting to establish a connection--a TCP war-dialer of sorts. Tonight I'll set up a listener on the port to see how the scanners respond to an open port.

> I'm currently seeing roughly 1800+ attempts per day, per firewall.

I have a single IP (cable modem) so I typically only see one (or maybe two) scans per source IP. Today's count is 37 so far. I had 50 yesterday.


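An added example, not part of the original message: one way to separate the two behaviours described above in a firewall's dropped-SYN log, where a fixed source port 220 probe arrives once and an ordinary TCP stack resends its SYN from the same ephemeral port. The log line format, the function name `summarize` and all addresses and timestamps are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of dropped-SYN log lines (format is an assumption):
# epoch_seconds SRC:SPORT -> DST:DPORT SYN
SAMPLE_LOG = """\
1074790000 198.51.100.7:220 -> 192.0.2.10:6129 SYN
1074790400 203.0.113.44:3187 -> 192.0.2.10:6129 SYN
1074790403 203.0.113.44:3187 -> 192.0.2.10:6129 SYN
1074790409 203.0.113.44:3187 -> 192.0.2.10:6129 SYN
1074791200 198.51.100.93:220 -> 192.0.2.10:6129 SYN
1074791900 203.0.113.8:220 -> 192.0.2.10:80 SYN
not a log line
"""

LINE_RE = re.compile(r"^(\d+) (\S+):(\d+) -> (\S+):(\d+) SYN$")


def summarize(log_text, dport=6129, fixed_sport=220):
    """Group dropped SYNs to dport by (source, source port) and label each.

    Returns {(src_ip, sport): (label, syn_count)}.
    """
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not dropped-SYN records
        ts, src, sport, _dst, dp = m.groups()
        if int(dp) != dport:
            continue  # only the port under investigation
        attempts[(src, int(sport))].append(int(ts))

    report = {}
    for (src, sport), times in attempts.items():
        if sport == fixed_sport and len(times) == 1:
            label = "fixed-sport single SYN"  # one probe, no retransmit
        elif len(times) > 1:
            label = "retried SYN"  # same 4-tuple seen again: stack retry
        else:
            label = "other"
        report[(src, sport)] = (label, len(times))
    return report


if __name__ == "__main__":
    for key, value in sorted(summarize(SAMPLE_LOG).items()):
        print(key, value)
```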
