I've seen lots of scans from addresses under 38.0.0.0 net. To the
extent that
I log all packets from them.
My guess is they are trying to probe behind the firewall. Are these
source
routed packets?
James Smith wrote:
>
> Are you sure these are not from "double Click" servers? See
> www.doubleclick.net <http://www.doubleclick.net> - a really irritating new
> 'push' web advertising service that confuses my NAT firewall, no harm in NOT
> letting them through though - no harm to me that is..
>
> James Smith
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: 09 May 1999 15:15
> To: [EMAIL PROTECTED]
> Subject: RE: Subject: Odd TCP Probe w/ 192.168.1.* IP
>
> Interesting. Lately I see a lot of scans coming from a
> network range
> and going to port 80, but sofar I haven't seen scans coming
> from a
> a private IP address.
>
> Anyone got ideas on what the scanners are looking for on
> port 80?
> Is this something similar like 'Firewalking' on port 53?
>
> Cheers,
>
>
> //--------------------------------------------------------------------------
> --
> //Ellen.
> [EMAIL PROTECTED]
>
> Date: Thu, 06 May 1999 23:19:49 -0700
> From: Joshua Chamas <[EMAIL PROTECTED]>
> Subject: Odd TCP Probe w/ 192.168.1.* IP
>
> Hey,
>
> One of my machines just got probed by a set of IPs
> during the same _TCP_ probe, one of which is an illegal
> 192.168.1.*
>
> My understanding was that 192.168.1.* addresses wouldn't
> be routable, and that having the probe alternate IPs
> also concerns me.
>
> So I wonder what kind of danger there might be here.
> Could this be some kind of "stealth" probe. What good
> would it do a scanner to alternate IP's ? Is the
> 192.168.1.* some sort of primer?
>
> Someone please enlighten me as this challenges my knowledge
> of IP networking.
>
> Thanks,
>
> Joshua
>
> (2) May 6 20:04:20 bastion ipmon[87]: 20:04:20.104592 iprb
> @0:3 p
> 192.168.1.65,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 44 -S
> (1) May 6 20:04:23 bastion ipmon[87]: 20:04:23.065728 iprb
> @0:3 p
> 38.149.215.71,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 44 -S
> (1) May 6 20:04:23 bastion ipmon[87]: 20:04:23.171150 iprb
> @0:3 p
> 38.149.215.71,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -A
> (1) May 6 20:04:23 bastion ipmon[87]: 20:04:23.173108 iprb
> @0:3 p
> 38.149.215.71,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 114
> -AP
> (1) May 6 20:04:23 bastion ipmon[87]: 20:04:23.298487 iprb
> @0:3 p
> 38.149.215.71,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -A
> (1) May 6 20:04:31 bastion ipmon[87]: 20:04:30.479423 iprb
> @0:3 p
> 192.168.1.65,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -AF
> (1) May 6 20:04:40 bastion ipmon[87]: 20:04:40.094519 iprb
> @0:3 p
> 192.168.1.65,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -AF
> (1) May 6 20:04:59 bastion ipmon[87]: 20:04:59.323681 iprb
> @0:3 p
> 192.168.1.65,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -AF
> (1) May 6 20:05:38 bastion ipmon[87]: 20:05:37.782541 iprb
> @0:3 p
> 192.168.1.65,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -AF
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
--
| Bryan Andersen | [EMAIL PROTECTED] | http://softail.visi.com |
| Buzzwords are like annoying little flies that deserve to be swatted. |
| -Bryan Andersen |
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
