Are you sure these are not from "DoubleClick" servers?  See
www.doubleclick.net - a really irritating new 'push' web advertising
service that confuses my NAT firewall. No harm in NOT letting them
through though - no harm to me, that is.
 
James Smith

                -----Original Message-----
                From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
                Sent:   09 May 1999 15:15
                To:     [EMAIL PROTECTED]
                Subject:        RE: Subject: Odd TCP Probe w/ 192.168.1.* IP

                Interesting. Lately I see a lot of scans coming from a network range
                and going to port 80, but so far I haven't seen scans coming from
                a private IP address.

                Anyone got ideas on what the scanners are looking for on port 80?
                Is this something similar to 'Firewalking' on port 53?

                Cheers,

        
                //----------------------------------------------------------------------------
                //Ellen.
                [EMAIL PROTECTED]


                Date: Thu, 06 May 1999 23:19:49 -0700
                From: Joshua Chamas <[EMAIL PROTECTED]>
                Subject: Odd TCP Probe w/ 192.168.1.* IP

                Hey,

                One of my machines just got probed by a set of IPs
                during the same _TCP_ probe, one of which is an illegal
                192.168.1.*

                My understanding was that 192.168.1.* addresses wouldn't
                be routable, and that having the probe alternate IPs
                also concerns me.  

                So I wonder what kind of danger there might be here.  
                Could this be some kind of "stealth" probe?  What good 
                would it do a scanner to alternate IPs?  Is the 
                192.168.1.* some sort of primer?

                Someone please enlighten me as this challenges my knowledge 
                of IP networking.

                Thanks,

                Joshua

                (2) May  6 20:04:20 bastion ipmon[87]: 20:04:20.104592 iprb @0:3 p 192.168.1.65,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 44 -S
                (1) May  6 20:04:23 bastion ipmon[87]: 20:04:23.065728 iprb @0:3 p 38.149.215.71,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 44 -S
                (1) May  6 20:04:23 bastion ipmon[87]: 20:04:23.171150 iprb @0:3 p 38.149.215.71,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -A
                (1) May  6 20:04:23 bastion ipmon[87]: 20:04:23.173108 iprb @0:3 p 38.149.215.71,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 114 -AP
                (1) May  6 20:04:23 bastion ipmon[87]: 20:04:23.298487 iprb @0:3 p 38.149.215.71,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -A
                (1) May  6 20:04:31 bastion ipmon[87]: 20:04:30.479423 iprb @0:3 p 192.168.1.65,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -AF
                (1) May  6 20:04:40 bastion ipmon[87]: 20:04:40.094519 iprb @0:3 p 192.168.1.65,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -AF
                (1) May  6 20:04:59 bastion ipmon[87]: 20:04:59.323681 iprb @0:3 p 192.168.1.65,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -AF
                (1) May  6 20:05:38 bastion ipmon[87]: 20:05:37.782541 iprb @0:3 p 192.168.1.65,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -AF
                -
                [To unsubscribe, send mail to [EMAIL PROTECTED] with
                "unsubscribe firewalls" in the body of the message.]
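
A way to run the comparison the log above invites, as an added example that is not code from anyone in the thread: it groups ipmon entries by source port and destination and reports tuples seen from both an RFC 1918 source and a public source, with the TCP flags each source sent. The function names `parse` and `mixed_source_flows` are hypothetical; the sample lines are rejoined from the log above, plus one constructed line.

```python
import ipaddress
import re
from collections import defaultdict

# Rejoined lines from the log in the thread, plus one constructed line
# (198.51.100.7) for an unrelated flow that must not be reported.
SAMPLE = """\
May  6 20:04:20 bastion ipmon[87]: 20:04:20.104592 iprb @0:3 p 192.168.1.65,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 44 -S
May  6 20:04:23 bastion ipmon[87]: 20:04:23.065728 iprb @0:3 p 38.149.215.71,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 44 -S
May  6 20:04:23 bastion ipmon[87]: 20:04:23.171150 iprb @0:3 p 38.149.215.71,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -A
May  6 20:04:23 bastion ipmon[87]: 20:04:23.173108 iprb @0:3 p 38.149.215.71,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 114 -AP
May  6 20:04:31 bastion ipmon[87]: 20:04:30.479423 iprb @0:3 p 192.168.1.65,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -AF
May  6 20:04:35 bastion ipmon[87]: 20:04:35.000000 iprb @0:3 p 198.51.100.7,4001 -> 209.xxx.xxx.xxx,80 PR tcp len 20 44 -S
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(
    r" p ([\d.]+),(\d+) -> ([\w.]+),(\d+) PR (\w+) len \d+ \d+ -(\w+)")

def parse(line):
    """Return (src, sport, dst, dport, proto, flags), or None if no match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    src, sport, dst, dport, proto, flags = m.groups()
    try:
        src_ip = ipaddress.ip_address(src)
    except ValueError:
        return None
    # dst stays a string because the thread masks it as 209.xxx.xxx.xxx
    return src_ip, int(sport), dst, int(dport), proto, flags

def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)

def mixed_source_flows(text):
    """Map (sport, dst, dport, proto) -> {source: flags seen} for tuples
    that appear with both a private and a public source address."""
    flows = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        rec = parse(line)
        if rec:
            src, sport, dst, dport, proto, flags = rec
            flows[(sport, dst, dport, proto)][src].add(flags)
    return {key: {str(s): sorted(f) for s, f in srcs.items()}
            for key, srcs in flows.items()
            if any(is_rfc1918(s) for s in srcs)
            and not all(is_rfc1918(s) for s in srcs)}

if __name__ == "__main__":
    for key, srcs in mixed_source_flows(SAMPLE).items():
        print(key, srcs)
```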