
Re: [cobalt-security] UDP Scans



I would guess this could be a Stacheldraht or some such DDoS agent on your
network that is spoofing only the last byte of its source IP address to escape
filtering AND successfully hide its identity. I've seen this technique more
than once. This could be further investigated by looking at dumps of the UDP
packets, and checking the source ethernet address of the frames.

Jan

Simon Wilson wrote:

> Hi
> I know I asked this the other day but I've still no answer here or from any
> other source.
> When I switch on Portsentry it reports 100s of scans on UDP from what I
> assume are all the other boxes on the farm my box is on, i.e.:
>
> 222.222.222.30
> 222.222.222.45
> 222.222.222.199
> 222.222.222.169
> 222.222.222.178
> 222.222.222.100
>
> In other words they have the same IP address as me except the last number.
> They go on scanning, and portsentry goes on banning them all. On and on and
> on until the log files are enormous.
> What is going on? Is this normal or have I set it up wrong?
> The TCP part of portsentry seems to work OK, picking up scans on 111 from
> Korea etc., but the UDP one just goes nuts... 100s of repeated attempts all
> from similar addresses.