|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Subject: Re: Port 33434 and decoy-scanning
From: Daniel S. Riley (dsr
MAIL.LNS.CORNELL.EDU)Date: Wed Mar 08 2000 - 15:30:44 CST
- Next message: Joel Michael: "Re: Mail Server attack"
- Previous message: Jon Lewis: "Re: lots of interest in port 109 (POP2)"
- Next in thread: Pete Clements: "Re: Port 33434 and decoy-scanning"
- Maybe reply: Daniel S. Riley: "Re: Port 33434 and decoy-scanning"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Jan Roger Wilkens <jrwsystem.sikkerhet.no> writes:
> Lately I have seen traffic towards port 33434 UDP on various networks.
> Normal traceroute starts with port 33434, but the destination-port is
> supposed to increase with each new packet. The traffic I've seen lately uses
> port 33434 as destionation-port for all packets.
We've been seeing similar traffic from a lot of the same hosts:
167.8.29.52 167.8.29.91 167.8.29.92 206.251.19.80 206.251.19.88
206.251.19.89 208.178.110.6 209.67.29.10 209.67.29.8 209.67.29.9
209.67.78.200 209.67.78.202 209.67.78.203 216.32.68.10 216.32.68.11
216.32.68.13 216.33.87.10 216.33.87.8 216.33.87.9
Since all of it is directed towards our forwarding name servers, I've
been assuming it's just another "bigip"[1] like scheme for discovering
the closest server to a host.
-- Dan Riley dsr
- Next message: Joel Michael: "Re: Mail Server attack"
- Previous message: Jon Lewis: "Re: lots of interest in port 109 (POP2)"
- Next in thread: Pete Clements: "Re: Port 33434 and decoy-scanning"
- Maybe reply: Daniel S. Riley: "Re: Port 33434 and decoy-scanning"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]