Oh my.  This time I'll match the subjects.  :-<

"Michael D. Schleif" <[EMAIL PROTECTED]> wrote:
> Is there some meaning to getting 27,000 of these in five (5) minutes
> yesterday?
> 
> Packet log: input DENY wan1 PROTO=17 207.112.196.241:48785 x.y.z.157:7
> L=1494 S=0x00 I=37458 F=0x0000 T=126 (#48)
> 
> Obviously, it's probably not a good thing; but, I'm trying to figure out
> what they may have been trying to do . . .

Port 7 is the echo service. If open, it can be used to help determine the
type of OS the attacker is up against. This is certainly not an nmap
scan.

I don't know of any vulnerabilities except denial of service.  If your
logging partition, /var, is in the same directory as /root, swap, /etc,
and /home, i.e. just one massive Linux partition, then your /var
directory could fill up and clobber your firewall.

One of the best things that DCD did was to put /var in another
partition.  In the switch over from @home to @cox my /var partition
filled up.  @home used static IPs coupled with long DHCP requests to
retrieve them. @cox uses DHCP and broadcasts on 255.255.255.255.  The
separate /var partition protected me here.  All of a sudden my /var
partition was full because it was logging all the DHCP requests on the
network.  The firewall stayed up, however.

The book "Maximum Linux Security" says that partitioning is one of the
first steps of securing your system. The author spends most all of
chapter three describing partitioning.  He also laments that most of the
major distros do not spend enough time talking about the issue because
it requires difficult choices.

So there's one idea of what could have happened.  I wonder if it was a
DDoS attack?  Were all the IP addresses the same?

Greg Morgan

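The two questions raised in this thread, whether the 27,000 denied packets all came from one source and how fast that kind of flood fills a shared /var, can both be answered from the packet log itself. The script below is an added example and is not part of the list posting or the LEAF project; it parses log lines in the same ipchains-style layout as the one Michael quoted, counts packets per source and per destination port, and estimates daily log growth at the reported rate. The sample lines are constructed (only the first source address is the one from the thread; the others are RFC 5737 documentation addresses), and the field layout is assumed from that single quoted line.

```python
import re
from collections import Counter

# Constructed sample lines (not from the list posting), in the same
# ipchains-style format as the single line quoted in the thread.
SAMPLE_LOG = """\
Packet log: input DENY wan1 PROTO=17 207.112.196.241:48785 x.y.z.157:7 L=1494 S=0x00 I=37458 F=0x0000 T=126 (#48)
Packet log: input DENY wan1 PROTO=17 207.112.196.241:48786 x.y.z.157:7 L=1494 S=0x00 I=37459 F=0x0000 T=126 (#48)
Packet log: input DENY wan1 PROTO=17 198.51.100.23:1025 x.y.z.157:7 L=1494 S=0x00 I=1 F=0x0000 T=64 (#48)
Packet log: input DENY wan1 PROTO=6 203.0.113.9:4321 x.y.z.157:22 L=60 S=0x00 I=77 F=0x4000 T=52 (#12)
"""

# Assumed field layout, inferred from the quoted line:
# chain action iface PROTO=n src:sport dst:dport L=len S=tos I=id F=frag T=ttl (#rule)
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[^\s:]+):(?P<sport>\d+) "
    r"(?P<dst>[^\s:]+):(?P<dport>\d+) L=(?P<length>\d+) "
    r"S=(?P<tos>\S+) I=(?P<ipid>\d+) F=(?P<frag>\S+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)


def parse_log(text):
    """Parse packet-log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def summarize(records, port=7, proto=17):
    """Count denied packets per source and per destination port, and
    flag whether every packet came from a single source address.
    echo_sources counts only packets to the echo port (7/udp by default)."""
    per_source = Counter(r["src"] for r in records)
    per_dport = Counter(r["dport"] for r in records)
    echo_sources = Counter(r["src"] for r in records
                           if r["dport"] == port and r["proto"] == proto)
    return {
        "total": len(records),
        "unique_sources": len(per_source),
        "single_source": len(per_source) == 1,
        "per_source": per_source,
        "per_dport": per_dport,
        "echo_sources": echo_sources,
    }


def estimate_log_growth(lines, interval_seconds, bytes_per_line):
    """Bytes of log written per day if `lines` entries arrive every
    `interval_seconds` and each entry costs `bytes_per_line` on disk."""
    return lines * bytes_per_line * 86400 // interval_seconds


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    s = summarize(recs)
    print(f"{s['total']} denied packets from {s['unique_sources']} source(s)")
    for src, n in s["echo_sources"].most_common():
        print(f"  {src}: {n} packet(s) to 7/udp")
    # The figure from the thread: 27,000 entries in five minutes.
    line_bytes = len(SAMPLE_LOG.splitlines()[0]) + 1
    mb = estimate_log_growth(27000, 300, line_bytes) / 1e6
    print(f"at that rate, roughly {mb:.0f} MB of log per day")
```

Feeding the real log through `parse_log` and `summarize` answers the "were all the IP addresses the same?" question directly; `estimate_log_growth` makes the partitioning argument concrete, since a sustained flood at the reported rate writes on the order of a gigabyte of log per day, which is what fills a /var that shares the root partition.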

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
