OVER 3100 separate instances on Sunday night.

I've had a number of customers who use Telstra ADSL at home reporting
extreme levels of scanning over the weekend. See extracts of 3 messages
from one customer below - he had 4 different IP addresses over the weekend.

These are their home networks not commercial systems so they are all using
Netgear firewall routers. I don't have any commercial ADSL installations &
so don't have detailed logs - only security alerts from these routers
(extract below). The "attacks" are just scans but the numbers are so high.
As you probably know 20 per month is the norm for this sort of activity.

Has anyone else noticed this?  If you have a production box managing ADSL
can you have a look at your logs.

Pigbond Support have been as helpful as ever telling customers to send an
email to [EMAIL PROTECTED]

Can anyone help confirm how widespread this activity has been? Your comments
/ thoughts most welcome.

Thanks
John Morrissey





Message #1
Sent: Friday, August 23, 2002 8:50 PM
Subject: paul v question - not urgent - [Fwd: NETGEAR *Security Alert* 0af90d]


> today I received all these attack notices through the DSL router, this
> email being an example of the report the router sends me. In total there
> were 71, all registered sequentially, but I notice that the origins are
> different, e.g.:
>
> #        Time             Packet Information                         Reason            Action
>   1|Aug 23 02 |From:209.179.244.86  To:144.137.99.190  |attack            |block
>    | 13:54:17 |TCP     src port:51692 dest port:06347  |ports scan        |
> End of Security Log
>
> #        Time             Packet Information                         Reason            Action
>   1|Aug 23 02 |From:12.227.71.78    To:144.137.99.190  |attack            |block
>    | 13:54:10 |TCP     src port:03883 dest port:06347  |ports scan        |
> End of Security Log
>
> #        Time             Packet Information                         Reason            Action
>   1|Aug 23 02 |From:172.144.131.53  To:144.137.99.190  |attack            |block
>    | 13:54:08 |TCP     src port:01793 dest port:06347  |ports scan        |
> End of Security Log
>
> any clues on this? and what can i do to respond with a "f*<k off" or
> does that just invite trouble?
>
> should i be at all concerned about this bout?
>
> paul
>

Message #2 Sent Saturday At 10:45am

thanks for the feedback.
i would write the email as suggested but there were 71 attacks not just 3,
and now as i write there have been another 800+: what the hell could be
going on?


Message #3 Sent Today, Monday Aug 26 at

How about 3131 new attacks on sunday night?
If i had a POP email account, the defence alert emails would take a day to
manage,

If I reset my router and modem, since I have a dynamic IP address, would
this at least have a chance of getting rid of the attacks to the existing
address?


-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
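
Added example, not part of the original post and not Netgear's own tooling: a Python parser for the router alert entries quoted above, tolerant of the mail quoting and line wrapping, that tallies alerts by destination port and source so one noisy host can be told apart from many hosts probing the same port. The field layout is inferred only from the three alerts in the post, and the function names are hypothetical.

```python
import re
from collections import Counter

# The three alerts quoted in the post, with mail quoting and wrapping kept.
SAMPLE = """\
>   1|Aug 23 02 |From:209.179.244.86  To:144.137.99.190  |attack
> |block
>    | 13:54:17 |TCP     src port:51692 dest port:06347  |ports scan
> |
> End of Security Log
>   1|Aug 23 02 |From:12.227.71.78    To:144.137.99.190  |attack
> |block
>    | 13:54:10 |TCP     src port:03883 dest port:06347  |ports scan
> |
> End of Security Log
>   1|Aug 23 02 |From:172.144.131.53  To:144.137.99.190  |attack
> |block
>    | 13:54:08 |TCP     src port:01793 dest port:06347  |ports scan
> |
> End of Security Log
"""

# One entry spans two table rows; \s* absorbs whatever padding or wrapping is left.
ENTRY = re.compile(
    r"\|\s*(?P<date>\w{3} \d+ \d+)\s*\|\s*From:(?P<src>[\d.]+)\s+To:(?P<dst>[\d.]+)"
    r"\s*\|\s*(?P<reason1>[a-z ]+?)\s*\|\s*(?P<action>\w*)\s*\|"
    r"\s*(?P<time>\d\d:\d\d:\d\d)\s*\|\s*(?P<proto>\w+)\s+src port:(?P<sport>\d+)"
    r"\s+dest port:(?P<dport>\d+)\s*\|\s*(?P<reason2>[a-z ]+?)\s*\|")

def parse_alerts(text):
    """Return one dict per alert, tolerating '>' quoting and wrapped lines."""
    flat = " ".join(re.sub(r"^\s*>\s?", "", ln) for ln in text.splitlines())
    alerts = []
    for m in ENTRY.finditer(flat):
        a = m.groupdict()
        a["reason"] = f'{a.pop("reason1")} {a.pop("reason2")}'
        a["sport"], a["dport"] = int(a["sport"]), int(a["dport"])
        alerts.append(a)
    return alerts

def summarise(alerts):
    """Counts that separate one noisy host from many hosts probing one port."""
    return {"total": len(alerts),
            "by_dport": Counter(a["dport"] for a in alerts),
            "by_source": Counter(a["src"] for a in alerts),
            "targets": sorted({a["dst"] for a in alerts})}

if __name__ == "__main__":
    s = summarise(parse_alerts(SAMPLE))
    print(s["total"], "alerts from", len(s["by_source"]), "sources:", dict(s["by_dport"]))
```

Run over a full mailbox of alert e-mails, the same summary shows whether thousands of alerts share one destination port and whether they follow the customer across dynamic IP address changes.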
