Re: [cobalt-security] UDP Scans
- Subject: Re: [cobalt-security] UDP Scans
- From: "Rodolfo J. Paiz" <rpaiz@xxxxxxxxxxxxxx>
- Date: Fri, 06 Jul 2001 18:03:19 -0300
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
At 7/6/01 10:58 AM +0100, you wrote:
> I know I asked this the other day but I've still no answer here or from any
> other source.
Are you subscribed to the Abacus lists? Get them at http://www.psionic.com
> When I switch on Portsentry it reports 100s of scans on UDP from what I
> assume are all the other boxes on the farm my box is on, i.e.:
> 222.222.222.30
> 222.222.222.45
> 222.222.222.199
> 222.222.222.169
> 222.222.222.178
> 222.222.222.100
Source and destination ports?
> In other words they have the same IP address as me except the last number.
Let's be clear about this: an IP address is the whole thing... your text
sounds very confusing. Are they on the same network? What is your netmask?
The fact that any of the numbers is the same, by the way, is pretty much
irrelevant... they're not yours.
> They go on scanning, and portsentry goes on banning them all. On and on and
> on until the log files are enormous.
Something wrong here... if they "scan" and they get banned, why are you
seeing future scans from them? They should just disappear off the net...
> What is going on? Is this normal or have I set it up wrong?
Guessing you've got it set up wrong.
> The TCP part of portsentry seems to work OK picking up scans on 111 from
> Korea etc. but the UDP one just goes nuts... 100's of repeated attempts all
> from similar addresses.
100's? What do you mean by "scan"? You need to provide detailed, exact
information. Right now you're saying the equivalent of "I've got lots of
noise from my neighbors," but you haven't defined lots, you haven't made
clear what you call noise, and you haven't specified anything else.
Hint: write a short message. Make sure it's clear (your definition of words
may differ from others' so be sure). Around here a "scan" is the act of
probing a large number of your ports in quick succession; is this what's
happening?
After this short message, find all the log messages from PortSentry for an
hour or so if it's not too much info and post it at the bottom of your
message. Just enough to be useful, not 500 lines.
--
Rodolfo J. Paiz
rpaiz@xxxxxxxxxxxxxx
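One way to apply the distinction Rodolfo draws (a "scan" probes many ports in quick succession; the same port hit over and over is something else) to PortSentry output before posting it: this is an added example, not code from the list or from PortSentry. The syslog-style "attackalert" line shape and the sample lines are constructed assumptions, and the thresholds are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a syslog + PortSentry "attackalert" shape (an
# assumed format; compare against your own /var/log/messages before relying on it).
SAMPLE_LOG = """\
Jul  6 10:51:02 www portsentry[412]: attackalert: UDP scan from host: 222.222.222.30/222.222.222.30 to UDP port: 137
Jul  6 10:51:04 www portsentry[412]: attackalert: UDP scan from host: 222.222.222.30/222.222.222.30 to UDP port: 137
Jul  6 10:51:09 www portsentry[412]: attackalert: UDP scan from host: 222.222.222.30/222.222.222.30 to UDP port: 137
Jul  6 10:52:00 www portsentry[412]: attackalert: Connect from host: 211.0.0.5/211.0.0.5 to TCP port: 111
Jul  6 10:52:01 www portsentry[412]: attackalert: Connect from host: 211.0.0.5/211.0.0.5 to TCP port: 21
Jul  6 10:52:01 www portsentry[412]: attackalert: Connect from host: 211.0.0.5/211.0.0.5 to TCP port: 23
Jul  6 10:52:02 www portsentry[412]: attackalert: Connect from host: 211.0.0.5/211.0.0.5 to TCP port: 80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ portsentry\[\d+\]: attackalert: .*from host: "
    r"\S+/(?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<proto>TCP|UDP) port: (?P<port>\d+)$"
)

def parse_alerts(text, year=2001):
    """Yield (timestamp, proto, source_ip, dest_port) per alert line; syslog carries no year."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["proto"], m["ip"], int(m["port"])

def classify_sources(text, min_ports=3, window_s=60):
    """Per (proto, source IP): 'scan' if at least min_ports distinct ports are hit within
    window_s seconds, else 'repeat' (one port again and again, typical of chatty neighbours)."""
    hits = defaultdict(list)
    for ts, proto, ip, port in parse_alerts(text):
        hits[(proto, ip)].append((ts, port))
    verdict = {}
    for key, events in hits.items():
        events.sort()
        label = "repeat"
        for i, (t0, _) in enumerate(events):
            in_window = {p for t, p in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(in_window) >= min_ports:
                label = "scan"
                break
        verdict[key] = (label, len(events), len({p for _, p in events}))
    return verdict

if __name__ == "__main__":
    for (proto, ip), (label, n, k) in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{proto} {ip:16} {label:6} {n} alerts, {k} distinct ports")
```

The per-source summary (alert count and distinct-port count) is also the compact form of evidence the reply asks for, instead of 500 raw lines.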