
RE: [cobalt-security] attackalert: Unknown Type



> > Jun 20 10:52:36 www portsentry[1003]: attackalert: Unknown Type:
> > Packet Flags: SYN: 1 FIN: 1 ACK: 0 PSH: 0 URG: 0 RST: 0 from host:
> > 195.101.179.1/195.101.179.1 to TCP port: 111
> 
> To my untrained eye, this looks like someone's trying to do a syn
> flood attack on you?

Unlikely I would have said, especially as I would be very surprised if the
original poster has anything running on port 111 to flood.

How many of these entries were in the log in total?

> Or maybe just a SYN scan?

Slightly different, SYN and FIN set is a scan by a particular port scanner
that tends to come with worms, IIRC.  ( If this sounds familiar to someone
can they post a URL, as I'm sure I've read that information on an
authoritative site but for the life of me I can't remember which site, let
alone the exact webpage. )

> Portsentry blocked it, though, and is ignoring further attempted
> connections/packets from that IP.

I wouldn't be surprised if the source is a compromised host, might be worth
contacting the administrators of that network.

Why you received multiple connections to the same host is intriguing, unless
this kind of scanner sends a couple of packets, and because portsentry
started blocking them it kept trying to get a response out of the second
packet?

-- 
Nick Drage - Security Architecture - Demon Internet - Thus PLC
As of Thu 21/06/2001 at 16:00 
This computer has been up for 7 days, 22 hours, 56 minutes, 11 seconds.
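
An added example, not part of the original message: one way to answer the "how many of these entries" question from the log itself, by decoding the Packet Flags fields in the format of the alert quoted above and tallying by source host, port and flag combination. The function names are hypothetical, and the sample lines are constructed (the first is the quoted alert joined onto one line; 192.0.2.7 is a documentation address).

```python
import re
from collections import Counter

# Field layout copied from the portsentry alert quoted in the message above.
LINE_RE = re.compile(
    r"attackalert: Unknown Type: Packet Flags: "
    r"SYN: (?P<SYN>[01]) FIN: (?P<FIN>[01]) ACK: (?P<ACK>[01]) "
    r"PSH: (?P<PSH>[01]) URG: (?P<URG>[01]) RST: (?P<RST>[01]) "
    r"from host: (?P<host>\S+?)/\S+ to TCP port: (?P<port>\d+)"
)
FLAGS = ("SYN", "FIN", "ACK", "PSH", "URG", "RST")

def classify(flags):
    """Label the set of TCP flag names seen on one unsolicited packet."""
    if {"SYN", "FIN"} <= flags:
        # SYN opens a connection and FIN closes one; no normal TCP
        # exchange sets both, so this is a crafted packet.
        return "SYN+FIN (invalid)"
    if flags == {"SYN"}:
        return "SYN only"
    if not flags:
        return "no flags"
    return "other: " + "+".join(sorted(flags))

def summarize(lines):
    """Count alerts per (source host, port, flag label)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m is None:
            continue  # not a packet-flag alert in the quoted format
        flags = {name for name in FLAGS if m.group(name) == "1"}
        key = (m.group("host"), int(m.group("port")), classify(flags))
        counts[key] += 1
    return counts

# Constructed sample log (timestamps and the second host are made up).
_T = ("Jun 20 10:52:{sec} www portsentry[1003]: attackalert: Unknown Type: "
      "Packet Flags: SYN: {s} FIN: 1 ACK: 0 PSH: {p} URG: 0 RST: 0 "
      "from host: {h}/{h} to TCP port: 111")
SAMPLE = [
    _T.format(sec="36", s=1, p=0, h="195.101.179.1"),
    _T.format(sec="37", s=1, p=0, h="195.101.179.1"),
    _T.format(sec="39", s=1, p=0, h="195.101.179.1"),
    _T.format(sec="41", s=0, p=1, h="192.0.2.7"),
    "Jun 20 10:53:01 www sshd[2001]: unrelated line",
]

if __name__ == "__main__":
    for (host, port, label), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {host:15s}  port {port:<5d}  {label}")
```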