At 7/6/01 10:58 AM +0100, you wrote:
>I know I asked this the other day but I've still no answer here or from any
>other source.

Are you subscribed to the Abacus lists? Get them at http://www.psionic.com

>When I switch on Portsentry it reports 100s of scans on UDP from what I
>assume are all the other boxes on the farm my box is on. ie:
>
>222.222.222.30
>222.222.222.45
>222.222.222.199
>222.222.222.169
>222.222.222.178
>222.222.222.100

Source and destination ports?

>In other words they have the same IP address as me except the last number.

Let's be clear about this: an IP address is the whole thing... your text 
sounds very confusing. Are they on the same network? What is your netmask? 
The fact that any of the numbers is the same, by the way, is pretty much 
irrelevant... they're not yours.

>They go on scanning, and portsentry goes on banning them all. On and on and
>on until the log files are enormous.

Something wrong here... if they "scan" and they get banned, why are you 
seeing future scans from them? They should just disappear off the net...

>What is going on? is this normal or have I set it up wrong?

Guessing you've got it set up wrong.

>The TCP part of portsentry seems to work OK picking up scans on 111 from
>Korea etc. but the UDP one just goes nuts...100's of repeated attempts all
>from similar address.

100's? What do you mean by "scan"? You need to provide detailed, exact 
information. Right now you're saying the equivalent of "I've got lots of 
noise from my neighbors," but you haven't defined lots, you haven't made 
clear what you call noise, and you haven't specified anything else.

Hint: write a short message. Make sure it's clear (your definition of words 
may differ from others' so be sure). Around here a "scan" is the act of 
probing a large number of your ports in quick succession; is this what's 
happening?

After this short message, find all the log messages from PortSentry for an 
hour or so if it's not too much info and post it at the bottom of your 
message. Just enough to be useful, not 500 lines.


--
Rodolfo J. Paiz
[EMAIL PROTECTED]

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
