I don't really see anything unusual.  It's very common, and not unexpected, 
for public IP addresses to be regularly scanned.  The scanning may be 
limited to simple ICMP pings, or may be more sophisticated using tools like 
nmap.  To be safe, you should always harden any host that's going to appear 
on the public Internet...especially if that host is also allowed access to 
your internal network.

If you want more info on what's happening, deploy snort (www.snort.org) and 
see what it tells you.  If you notice that someone is definitely trying to 
exploit your systems, then you may want to report the incident to the 
offender's ISP...otherwise, there's really nothing illegal about simple 
occasional pings, other than they may violate some ISP's TOS.

HTH,
Craig
At 03:45 PM 7/8/2002 +0000, you wrote:
>I'm currently doing something that requires a particular piece of equipment
>of mine be on the public internet. I have use of four public IP addresses
>from my ISP, but for the most part I have just my PCs connected via my
>firewall device, so that I am generally using only one of those IPs. Most
>of the time, the other three are not being used.
>
>In any case, over the past couple of days that I have had something
>connected, I have noticed "something" happening on the piece of equipment.
>
>IP: s=64.115.76.211 (Ethernet0), d=X.X.X.X, len 48, access denied
>IP: s=X.X.X.X (local), d=64.115.76.211 (Ethernet0), len 56, sending
>IP: s=64.115.76.211 (Ethernet0), d=X.X.X.X, len 48, access denied
>IP: s=X.X.X.X (local), d=64.115.76.211 (Ethernet0), len 56, sending
>IP: s=62.248.145.87 (Ethernet0), d=X.X.X.X, len 48, access denied
>IP: s=X.X.X.X (local), d=62.248.145.87 (Ethernet0), len 56, sending
>IP: s=62.248.145.87 (Ethernet0), d=X.X.X.X, len 48, access denied
>IP: s=X.X.X.X (local), d=62.248.145.87 (Ethernet0), len 56, sending
>IP: s=62.248.145.87 (Ethernet0), d=X.X.X.X, len 48, access denied
>IP: s=X.X.X.X (local), d=62.248.145.87 (Ethernet0), len 56, sending
>IP: s=168.154.165.13 (Ethernet0), d=X.X.X.X, len 44, access denied
>IP: s=X.X.X.X (local), d=168.154.165.13 (Ethernet0), len 56, sending
>IP: s=168.154.165.13 (Ethernet0), d=X.X.X.X, len 44, access denied
>IP: s=X.X.X.X (local), d=168.154.165.13 (Ethernet0), len 56, sending
>IP: s=168.154.165.13 (Ethernet0), d=X.X.X.X, len 40, access denied
>IP: s=X.X.X.X (local), d=168.154.165.13 (Ethernet0), len 56, sending
>IP: s=209.41.111.6 (Ethernet0), d=X.X.X.X, len 44, access denied
>IP: s=X.X.X.X (local), d=209.41.111.6 (Ethernet0), len 56, sending
>IP: s=209.41.111.6 (Ethernet0), d=X.X.X.X, len 44, access denied
>IP: s=X.X.X.X (local), d=209.41.111.6 (Ethernet0), len 56, sending
>IP: s=209.41.111.6 (Ethernet0), d=X.X.X.X, len 44, access denied
>IP: s=X.X.X.X (local), d=209.41.111.6 (Ethernet0), len 56, sending
>!
>
>Access is denied because the source IPs are not meeting certain
>requirements, like maybe using forbidden ports, or maybe being from
>forbidden subnets or maybe because they are communists.
>
>Just wondering. Accident? Something to watch? Something to report?
>
>Chuck
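A small parser for the router debug output quoted above (Cisco `debug ip packet` style lines), added here as an example and not part of either message: it tallies, per remote address, how many packets the ACL dropped, the packet sizes seen, and how many 56-byte replies the router sent back (the `sending` lines that follow each deny). The line format and the embedded subset of lines come from Chuck's message; nothing else is assumed.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the debug lines quoted above, with the
# local address left as the X.X.X.X placeholder used in the message.
SAMPLE_LOG = """\
IP: s=64.115.76.211 (Ethernet0), d=X.X.X.X, len 48, access denied
IP: s=X.X.X.X (local), d=64.115.76.211 (Ethernet0), len 56, sending
IP: s=64.115.76.211 (Ethernet0), d=X.X.X.X, len 48, access denied
IP: s=X.X.X.X (local), d=64.115.76.211 (Ethernet0), len 56, sending
IP: s=168.154.165.13 (Ethernet0), d=X.X.X.X, len 44, access denied
IP: s=X.X.X.X (local), d=168.154.165.13 (Ethernet0), len 56, sending
IP: s=168.154.165.13 (Ethernet0), d=X.X.X.X, len 44, access denied
IP: s=X.X.X.X (local), d=168.154.165.13 (Ethernet0), len 56, sending
IP: s=168.154.165.13 (Ethernet0), d=X.X.X.X, len 40, access denied
IP: s=X.X.X.X (local), d=168.154.165.13 (Ethernet0), len 56, sending
"""

# One "IP: s=<src> (<if>), d=<dst>[ (<if>)], len <n>, <action>" line.
LINE_RE = re.compile(
    r"^IP: s=(?P<src>\S+) \((?P<src_if>[^)]+)\), "
    r"d=(?P<dst>\S+)(?: \((?P<dst_if>[^)]+)\))?, "
    r"len (?P<len>\d+), (?P<action>access denied|sending)$"
)

def parse_line(line):
    """Return the fields of one debug line, or None if it is not one."""
    m = LINE_RE.match(line.strip().lstrip("> "))   # tolerate mail quoting
    if m is None:
        return None
    rec = m.groupdict()
    rec["len"] = int(rec["len"])
    return rec

def summarize(text):
    """Per remote address: packets the ACL dropped, the sizes seen, and how
    many packets the router itself sent back toward that address (the
    56-byte 'sending' lines that follow each deny)."""
    stats = defaultdict(lambda: {"denied": 0, "lens": set(), "replies": 0})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] == "access denied":
            stats[rec["src"]]["denied"] += 1
            stats[rec["src"]]["lens"].add(rec["len"])
        elif rec["src_if"] == "local":          # router-originated reply
            stats[rec["dst"]]["replies"] += 1
    return {ip: {"denied": s["denied"], "lens": sorted(s["lens"]),
                 "replies": s["replies"]} for ip, s in stats.items()}
```

A steady run of denies from one source at 40 to 48 bytes looks like bare TCP connection attempts rather than pings, which is the sort of pattern worth watching with snort as suggested above. Every `sending` line is the router answering the sender, so `no ip unreachables` on the outside interface keeps a denied packet from being acknowledged at all.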
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=48342&t=48342