I investigated the problem further and the source and destination addresses
change slightly with the same service and source port. It is one of our internal
firewalls, and when I sniff the traffic on other firewalls that interface with
the outside world I don't see any traffic from these sources. Here is a
snapshot of the firewall log. I am seeing about 40 packets per minute.
Service  Source           Destination  Protocol  Rule  S_Port  Info
618      46.20.173.42     116.65.0.0   ip        0     52677   h_len 24 ip_vers 0
47215    99.20.153.100    3.105.0.0    ip        0     3098    h_len 24 ip_vers 0
47215    99.20.153.89     3.116.0.0    ip        0     3098    h_len 24 ip_vers 0
47215    99.20.153.88     3.117.0.0    ip        0     3098    h_len 24 ip_vers 0
509      114.20.248.76    83.89.0.0    ip        0     16422   h_len 24 ip_vers 0
45249    51.20.196.41     101.20.0.0   ip        0     52447   h_len 24 ip_vers 0
48925    113.20.194.94    107.43.0.0   ip        0     41505   h_len 24 ip_vers 0
48925    113.20.194.94    109.43.0.0   ip        0     41505   h_len 24 ip_vers 0
48925    113.20.194.94    110.43.0.0   ip        0     41505   h_len 24 ip_vers 0
4610     249.20.171.188   103.90.0.0   ip        0     53249   h_len 24 ip_vers 0
56985    115.20.155.119   143.52.0.0   ip        0     33667   h_len 24 ip_vers 0
56985    115.20.154.119   144.52.0.0   ip        0     33667   h_len 24 ip_vers 0
56985    115.20.141.119   157.52.0.0   ip        0     33667   h_len 24 ip_vers 0
I'd appreciate it if someone can give pointers in tracking it down.
Regards
Siddika
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 12, 2000 2:26 PM
To: [EMAIL PROTECTED]
Subject: [FW1] Network scan
Hi All,
I am seeing what appears to be a strange port scan where the source address
keeps changing from classes A, B and C and the destination is always a
network like 91.58.0.0, 101.20.0.0, 206.67.0.0, etc. Most of the source ports
used are in the high range above 10000. The Info field on the log says h_len
24 ip_vers 0.
Does anyone know what it is? The packets are being dropped on rule 0 at the
firewall.
Siddika
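
To make the pattern in the log above easier to see, this added example (not part of the original messages) groups the logged records by service and source port and reports which address octets change within each group. The function names and the one-line-per-record layout of the sample are assumptions made for the example; the sample rows are copied from the log in the message.

```python
from collections import defaultdict

# Rows copied from the log in the message, each two-line entry joined onto
# one line (assumed layout): Service Source Destination Protocol Rule S_Port Info
SAMPLE = """\
47215 99.20.153.100 3.105.0.0 ip 0 3098 h_len 24 ip_vers 0
47215 99.20.153.89 3.116.0.0 ip 0 3098 h_len 24 ip_vers 0
47215 99.20.153.88 3.117.0.0 ip 0 3098 h_len 24 ip_vers 0
48925 113.20.194.94 107.43.0.0 ip 0 41505 h_len 24 ip_vers 0
48925 113.20.194.94 109.43.0.0 ip 0 41505 h_len 24 ip_vers 0
48925 113.20.194.94 110.43.0.0 ip 0 41505 h_len 24 ip_vers 0
509 114.20.248.76 83.89.0.0 ip 0 16422 h_len 24 ip_vers 0
"""

def parse(text):
    """Yield one dict per well-formed record; skip headers and other lines."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not (f[0].isdigit() and f[4].isdigit() and f[5].isdigit()):
            continue
        yield {"service": int(f[0]), "src": f[1], "dst": f[2], "proto": f[3],
               "rule": int(f[4]), "s_port": int(f[5]), "info": " ".join(f[6:])}

def varying_octets(addrs):
    """Return the 1-based octet positions that differ across the addresses."""
    columns = zip(*(a.split(".") for a in addrs))
    return [i for i, col in enumerate(columns, 1) if len(set(col)) > 1]

def summarize(text):
    """Group by (service, s_port) and report which address octets change."""
    groups = defaultdict(list)
    for rec in parse(text):
        groups[(rec["service"], rec["s_port"])].append(rec)
    out = {}
    for key, recs in groups.items():
        out[key] = {
            "count": len(recs),
            "src_varies": varying_octets([r["src"] for r in recs]),
            "dst_varies": varying_octets([r["dst"] for r in recs]),
            "info": sorted({r["info"] for r in recs}),
        }
    return out

if __name__ == "__main__":
    for key, summary in sorted(summarize(SAMPLE).items()):
        print(key, summary)
```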
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================