don't dork around - block all the ranges of addys you've seen and add more on the choke router - internet facing interfaces - inbound.
send him ip redirects if you can to see if you can knock down his connections. he is a piss ant. let your firewall deal with traffic that at least looks like it s/be passing.

piranha...

> Just a heads up and to see if others are seeing this activity.
>
> I'm getting probed slowly from perhaps 1 system on a dial-up
> (DSL?) line. The current IP addresses are AOL based and change but
> are between 64.12.151.(129 - 137). Prior to this set of IPs was a
> series from 216.234.248.73 and a series from 206.40.47.6 and
> 206.46.188.(39 - 40) with an occasional different IP tossed in. In
> general, it looks like one "set" of IP addresses is primarily used
> for a while followed by a different set. For example, I'm seeing the
> 64.x.x.x addresses now but not the 216.x.x.x or 206.x.x.x
> addresses. When I was seeing the 216.x.x.x addresses, I wasn't
> seeing the 206.x.x.x or 64.x.x.x addresses.
>
> It doesn't appear that the probes are occurring from multiple IP
> addresses at the same time; I'm looking at hourly summaries so
> would need to look at the raw information to be absolutely
> positive of that.
>
> I get a couple of hits on each unsupported port and all within a
> short time. It appears that other ports may be intermixed. After a
> maximum of about 4 probes to a particular port, I rarely, if ever,
> see that port used again regardless of IP or ISP. The ports are
> also not consecutive (ex: 3884, 4004, 1988, 1920, 3902, 2629,
> 24968, 2629, 4139, ...), generally > 1000 and < 5000.
>
> I get probed on common ports frequently from a variety of IP
> addresses - the characteristic of the slow probes is that they are
> all non-repeating non-common ports. This seems to indicate a
> methodical intentional probe designed to be "invisible". My normal
> "port scan" monitor hasn't kicked off.
>
> I get only a couple of ports (generally less than 6) probed per
> hour. This has been occurring pretty consistently for some while
> although nothing yet today. The probes generally occur during
> office hours.
>
> Related to the latest big chunk of IP addresses (64.12.151.x): It
> appears that a couple of ports are tried followed by a change in
> IP addresses and more ports. I have no indication that any other
> activity related to these IP addresses (other than DNS lookups)
> has occurred - only port scans to unsupported ports. I haven't
> looked to see if this is true for the other IP addresses. The
> probes seem to have generally settled on 64.12.151.x for the past
> couple of days.
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
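
Added example, not part of the original thread: a sketch of why a per-IP, per-hour port scan monitor stays silent on the pattern described in the quoted message, and how a long-window count of distinct uncommon ports per source network surfaces it. The log tuple format, the thresholds, the /24 grouping and the timestamps are assumptions; the sample events are constructed from the addresses and ports mentioned in the post.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed sample: (timestamp, source IP, denied destination port).
# Addresses and ports echo the ones in the post; the times are made up.
SAMPLE = [
    ("2002-03-04 09:12", "64.12.151.129", 3884),
    ("2002-03-04 09:13", "64.12.151.129", 3884),
    ("2002-03-04 10:40", "64.12.151.131", 4004),
    ("2002-03-04 13:05", "64.12.151.133", 1988),
    ("2002-03-04 15:22", "64.12.151.130", 1920),
    ("2002-03-05 09:47", "64.12.151.137", 3902),
    ("2002-03-05 11:30", "64.12.151.135", 2629),
    ("2002-03-05 14:02", "64.12.151.136", 4139),
    ("2002-03-05 14:10", "198.51.100.7", 80),   # unrelated common-port noise
    ("2002-03-05 14:11", "198.51.100.7", 80),
]
COMMON_PORTS = {21, 22, 23, 25, 53, 80, 110, 143, 443}  # assumed "common" set

def fast_scan_sources(events, ports_per_hour=10):
    """Classic monitor: many distinct ports from one IP inside one hour."""
    seen = defaultdict(set)
    for ts, ip, port in events:
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M").strftime("%Y-%m-%d %H")
        seen[(ip, hour)].add(port)
    return {ip for (ip, _), ports in seen.items() if len(ports) >= ports_per_hour}

def slow_scan_networks(events, min_ports=6, prefix=24):
    """Long-window view: distinct uncommon ports per source network, no time limit."""
    ports, sources = defaultdict(set), defaultdict(set)
    for _, ip, port in events:
        if port in COMMON_PORTS:
            continue  # frequent common-port probes are background noise here
        net = str(ip_network(f"{ip}/{prefix}", strict=False))
        ports[net].add(port)    # repeats of one port count once
        sources[net].add(ip)    # rotating addresses collapse into one network
    return {net: {"ports": sorted(p), "sources": len(sources[net])}
            for net, p in ports.items() if len(p) >= min_ports}

if __name__ == "__main__":
    print("fast-scan monitor:", fast_scan_sources(SAMPLE))
    print("slow-scan view:   ", slow_scan_networks(SAMPLE))
```

Grouping by network rather than by single address matters here because the source address changes every few probes, so no individual IP ever accumulates enough ports to stand out.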
