NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Incidents> 2000-07

Subject: Re: Sudden increase in scans.
From: Berend De Schouwer (bdsJHB.UCS.CO.ZA)
Date: Sun Jul 23 2000 - 10:52:47 CDT

Next message: Kurt Weiske: "low numbers connects to DNS?"
Previous message: Ryan Yagatich: "Re: msnhome.talkcity.com"
In reply to: Jason Lewis: "Re: Sudden increase in scans."
Next in thread: Alexander Schreiber: "Re: Sudden increase in scans."
Next in thread: Aaron Kelley: "Re: Sudden increase in scans."
Reply: Berend De Schouwer: "Re: Sudden increase in scans."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, 22 Jul 2000 07:11:46 Jason Lewis wrote:
> I don't know why this made me think of it but.....
>
> I haven't had ANY scans, since I disabled pinging internal machines from
> my router. ZERO! I used to get loads of scans ALL the time. They have
> stopped completely. To test my theory, I am going to re-enable ping to
> public server and see what happens.
>
> What does everyone think of disabling ICMP at the router?

Blocking some ICMP is bad. For example, don't block
"IP fragmentation needed", since you'll never know if you are going
across a line of different MRU/MTU size, and you won't connect.

Read http://www.worldgate.com/~marcs/mtu/

> Jas
> http://www.jasonlewis.net
>
>
> -----Original Message-----
> From: Incidents Mailing List [mailto:INCIDENTSSECURITYFOCUS.COM]On
> Behalf Of Rune Kristian Viken
> Sent: Thursday, July 20, 2000 5:08 AM
> To: INCIDENTSSECURITYFOCUS.COM
> Subject: Sudden increase in scans.
>
>
> There has suddenly been an enourmous increase of scans aimed at my
> network. It
> started 14 / 07 has been increasing ever since.
>
> It started out with a single 'socks' scan the 14'th. Then socks(again)
> and
> sunrpc the 15th, ftp and dns the 16th.. then it exploded
>
> The 17th, we had the following scans:
>
> 2. scans of port 1243 with 11 mins in between
> 1. scan of port 20034
> 30(!). scans of port 5500 , starting out at 17:30 (local time) and
> proceding
> with intervals from 5 mins to 30 minutes throuhgout the day
>
> 18th:
>
> 47. scans of port 5500 from 00:00 to 11:12 (!!)
> 1. scan of 400
>
> 19:
> 3. scans of port 5500, not at a specific time
> 2. scans of port 2835 (within 10 seconds)
>
>
> --
> "Rune Kristian Viken" <runetrans4media.com>
> <http://arcade.kvinesdal.com>
> System, Network & Security Administrator. Phone: (+47) 92 85 34 38

--
Kind regards,				
Berend
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Berend De Schouwer, +27-11-712-1435, UCS

Next message: Kurt Weiske: "low numbers connects to DNS?"
Previous message: Ryan Yagatich: "Re: msnhome.talkcity.com"
In reply to: Jason Lewis: "Re: Sudden increase in scans."
Next in thread: Alexander Schreiber: "Re: Sudden increase in scans."
Next in thread: Aaron Kelley: "Re: Sudden increase in scans."
Reply: Berend De Schouwer: "Re: Sudden increase in scans."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]