On Fri, 1 Jun 2001, Dave Horsfall wrote:
> I've been seeing a few of these lately, all sent to different addresses:
>
> May 31 10:30:10 denied tcp 255.255.255.255(31337) -> xxx.xxx.xxx.106(515), 1 packet

Check and see if you also get similar packets from other addresses. Also,
see if the TTL is the same on all of them.

>
> Is this some weird stealth probe, causing reject packets to be broadcasted
> back (which they aren't, BTW), or just broken kiddie-ware?

It could be some DDoS tool or worm, or a scan that's also spoofing things
like broadcast to try to hide in the noise. It's probably worth looking
at the TTL, and if you've got a sniffer you can use to snarf everything
with the same TTL off the wire, analyzing that.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson
[EMAIL PROTECTED]
"My statements in this message are personal opinions
which may have no basis whatsoever in fact."
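
The TTL comparison suggested in the reply above, as an added example that is not part of the original thread: it parses `tcpdump -n -v` text output, groups packets by TTL, and lists TTL values that arrive with several different claimed source addresses. The capture is constructed, the function names are hypothetical, and the common initial TTL values (32, 64, 128, 255) behind the hop estimate are an assumption.

```python
import re
from collections import defaultdict

# Constructed capture in `tcpdump -n -v` text format; targets use documentation ranges.
SAMPLE = """\
10:30:10.100000 IP (tos 0x0, ttl 49, id 4660, offset 0, flags [none], proto TCP (6), length 40)
    255.255.255.255.31337 > 192.0.2.106.515: Flags [S], seq 1, win 512, length 0
10:31:42.200000 IP (tos 0x0, ttl 49, id 4661, offset 0, flags [none], proto TCP (6), length 40)
    198.51.100.7.31337 > 192.0.2.17.515: Flags [S], seq 1, win 512, length 0
10:40:00.400000 IP (tos 0x0, ttl 116, id 900, offset 0, flags [DF], proto TCP (6), length 48)
    203.0.113.9.1045 > 192.0.2.17.515: Flags [S], seq 7, win 8192, length 0
"""

HEADER = re.compile(r"^\S+ IP \(.*?\bttl (\d+),")
FLOW = re.compile(r"^\s+(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")

def parse(text):
    """Pair each IP header line with the flow line after it; one dict per packet."""
    packets, ttl = [], None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            ttl = int(h.group(1))
            continue
        f = FLOW.match(line)
        if f and ttl is not None:
            src, sport, dst, dport = f.groups()
            packets.append(dict(ttl=ttl, src=src, sport=int(sport), dst=dst, dport=int(dport)))
            ttl = None
    return packets

def hops_estimate(ttl):
    """Heuristic (assumption): sender started at the next common initial TTL."""
    return next(t for t in (32, 64, 128, 255) if t >= ttl) - ttl

def cluster_by_ttl(packets):
    """Map each observed TTL to the claimed sources and targets seen with it."""
    clusters = defaultdict(lambda: {"srcs": set(), "dsts": set(), "count": 0})
    for p in packets:
        c = clusters[p["ttl"]]
        c["srcs"].add(p["src"])
        c["dsts"].add(p["dst"])
        c["count"] += 1
    return dict(clusters)

def shared_origin_candidates(clusters):
    """TTLs at which several different claimed sources arrive with the same TTL."""
    return sorted(t for t, c in clusters.items() if len(c["srcs"]) > 1)

print(shared_origin_candidates(cluster_by_ttl(parse(SAMPLE))))
```

A TTL that is identical across unrelated claimed sources is consistent with one sender forging the source field, but it is not proof, since unrelated hosts can sit the same number of hops away.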
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]