I have a piece of equipment connected to the public internet for something I'm doing with a friend. It is protected by an access-list restricting the source address and the particular application.
However, in monitoring the device, I am seeing what appear to be not only TCP port scans, but IP protocol scans, i.e. a series of inquiries using different successive IP protocol numbers.

17:43:26: datagramsize=48, IP 87: s=x.x.x.x (local), d=12.246.161.19, totl
17:43:26: datagramsize=48, IP 87: s=x.x.x.x (local), d=12.246.161.19 (Fast
17:43:26: datagramsize=70, IP 87: s=x.x.x.x (local), d=12.246.161.19 (Fast
17:43:32: datagramsize=48, IP 88: s=x.x.x.x (local), d=12.246.161.19, totlen 56,
17:56:30: datagramsize=48, IP 90: s=x.x.x.x (local), d=61.37.239.23, totle
17:56:36: datagramsize=48, IP 91: s=x.x.x.x (local), d=61.37.239.23, totle

(This output is showing the reply my device is sending to the IPs in question.)

At least, I am assuming that the IP XX = the IP protocol number, as reported by the debug.

Just wondering if one of you security gurus might shed some light here, seeing as how out of touch I seem to be. Is this one of the standard hacking procedures? Been around a while? New because so many entities are now doing a lot more to crack down on TCP port scanning?

I checked the various registries. The behavior is coming from several places, some Thailand, some Korea, some from customers of ATT.net.

Just looking to increase my awareness.

Thanks.

Chuck

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=49358&t=49358
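One way to triage debug output like the lines quoted above, added here as an example and not part of the original post: it groups the device's replies by destination and reports destinations that drew replies for consecutive uncommon protocol numbers. It assumes, as the post does, that the number after `IP` is the IP protocol number; the function names and the last sample line (a documentation address) are constructed.

```python
import re
from collections import defaultdict

# First five lines are taken from the post; the last one is constructed.
SAMPLE = """\
17:43:26: datagramsize=48, IP 87: s=x.x.x.x (local), d=12.246.161.19, totl
17:43:26: datagramsize=48, IP 87: s=x.x.x.x (local), d=12.246.161.19 (Fast
17:43:32: datagramsize=48, IP 88: s=x.x.x.x (local), d=12.246.161.19, totlen 56,
17:56:30: datagramsize=48, IP 90: s=x.x.x.x (local), d=61.37.239.23, totle
17:56:36: datagramsize=48, IP 91: s=x.x.x.x (local), d=61.37.239.23, totle
18:02:10: datagramsize=48, IP 6: s=x.x.x.x (local), d=192.0.2.10, totlen 48
"""

# Assumption (same as the poster's): the number after "IP" is the protocol.
LINE = re.compile(
    r"^(\d\d:\d\d:\d\d): datagramsize=\d+, IP (\d+): "
    r"s=\S+ \(local\), d=(\d+\.\d+\.\d+\.\d+)",
    re.MULTILINE,
)
COMMON = {1, 6, 17}  # ICMP, TCP, UDP: expected on most links, so ignored


def parse(text):
    """Return (time, protocol, destination) for every recognised line."""
    return [(t, int(p), d) for t, p, d in LINE.findall(text)]


def longest_run(protos):
    """Length of the longest run of consecutive values in a sorted list."""
    best = run = 1
    for a, b in zip(protos, protos[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def suspects(text, min_run=2):
    """Map destination -> sorted uncommon protocols, where the device
    replied for at least `min_run` consecutive protocol numbers."""
    seen = defaultdict(set)
    for _, proto, dst in parse(text):
        if proto not in COMMON:
            seen[dst].add(proto)
    result = {d: sorted(p) for d, p in seen.items()}
    return {d: p for d, p in result.items() if longest_run(p) >= min_run}


if __name__ == "__main__":
    for dst, protos in suspects(SAMPLE).items():
        print(f"{dst}: replies sent for protocols {protos}")
```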

