I think the same. Those packets are using spoofing!

You must watch your port 7.

Regards, Javier.

Roger Marquis wrote:

> We recently began seeing an interesting pattern of tcp packets, from 6
> unique IPs, none with reverse dns, 5 or 6 packets per src IP to a single
> destination IP, port 7 (echo).  These packets are all logged within a few
> seconds of each other which leads me to suspect that most of them could be
> spoofed.  The "source" IPs are:
>
>  199.95.207.91  DOUBLECLICK.NET
>  199.95.208.85  DOUBLECLICK.NET
>  207.239.35.71  @PLAN (webplan.net)
>  208.32.211.71  DOUBLECLICK.NET
>  209.67.38.49   EXODUS.NET (no reverse dns in subnet)
>  209.67.38.50   EXODUS.NET (no reverse dns in subnet)
>
> Anyone else seen this traffic pattern?
>
> >Jun  4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 207.239.35.71:64314
> >Jun  4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 208.32.211.71:44619
> >Jun  4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 199.95.208.85:45641
> >Jun  4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 199.95.207.91:40861
> >Jun  4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 209.67.38.49:36966
> >...
> >Jun  4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 207.239.35.71:33107
> >Jun  4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 199.95.208.85:47895
> >Jun  4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 199.95.207.91:42421
> >Jun  4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 208.32.211.71:46178
> >Jun  4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 207.239.35.71:33108
> >...
> >cont. for several pages
>
> --
> Roger Marquis
> Roble Systems Consulting
> http://www.roble.com/
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
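
Added example, not part of the original thread: a small Python check that parses kernel log lines in the format quoted above and flags the pattern Roger describes, several distinct sources hitting one destination port within a few seconds. The 5-second window, the threshold of 4 sources, the assumed year and the function names are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# First ten lines are from the quoted log with the mail wrapping rejoined;
# the last line (port 113 from 10.0.0.5) is constructed as unrelated noise.
SAMPLE_LOG = """\
Jun  4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 207.239.35.71:64314
Jun  4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 208.32.211.71:44619
Jun  4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 199.95.208.85:45641
Jun  4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 199.95.207.91:40861
Jun  4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 209.67.38.49:36966
Jun  4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 207.239.35.71:33107
Jun  4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 199.95.208.85:47895
Jun  4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 199.95.207.91:42421
Jun  4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 208.32.211.71:46178
Jun  4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 207.239.35.71:33108
Jun  4 07:50:00 server1 /kernel: Connection attempt to TCP 192.168.1.1:113 from 10.0.0.5:1025
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ /kernel: Connection attempt to "
    r"TCP (?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)$"
)

def parse(log_text, year=2000):
    """Yield (time, dst, dport, src); syslog omits the year, so one is assumed."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            stamp = f"{year} {' '.join(m['ts'].split())}"
            yield (datetime.strptime(stamp, "%Y %b %d %H:%M:%S"),
                   m["dst"], int(m["dport"]), m["src"])

def find_bursts(events, window_s=5, min_sources=4):
    """Return (dst, dport, start, sources) per burst of distinct sources to one dst:port."""
    by_target = defaultdict(list)
    for ts, dst, dport, src in events:
        by_target[(dst, dport)].append((ts, src))
    bursts, window = [], timedelta(seconds=window_s)
    for (dst, dport), hits in by_target.items():
        hits.sort()
        i = 0
        while i < len(hits):
            in_win = [h for h in hits[i:] if h[0] - hits[i][0] <= window]
            sources = sorted({src for _, src in in_win})
            if len(sources) >= min_sources:
                bursts.append((dst, dport, hits[i][0], sources))
            i += len(in_win) if len(sources) >= min_sources else 1
    return bursts
```

On the sample, both bursts to port 7 are reported and the single attempt to port 113 is not.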


