This as well can be a SYN attack. I have seen it on Conseal PC Firewall,
Linux fw, and this Cisco Firewall. If the Source Address is different, then
this sounds like a SYN attack. Remember, if it was to connect to a telnet
daemon, all those half-open sessions would cause the system to wait until
they would time out. This was a primary attack of IRC Servers after SNuke
was prevented, was and still is SYN attacks.

Jason

On 23 Sep 99, at 11:18, Firewalls-Digest wrote:

> Date: Thu, 23 Sep 1999 12:40:08 +0000
> From: Tim Kramer <[EMAIL PROTECTED]>
> Subject: Re: What sort of scan is this ?
>
> Actually, since the destination IP is different in each case,
> I think that someone is searching for telnet services within
> your network segment.
>
> Tim Kramer
>
>
> Mikael Olsson wrote:
>
> > The destination port is 23. That's telnet.
> > Someone's trying to telnet to you.
> > The reason you're seeing several drops is that TCP
> > retries its SYN packets a bunch of times if it fails
> > to connect.
> >
> > I'd recommend brushing up on your TCP/IP basics a wee bit.
> >
> > Jim Smart wrote:
> > >
> > > Hi,
> > >
> > > I am wondering if anyone knows what is causing these in our logs ?
> > >
> > > Sep 23 03:56:18 <> list 100 denied tcp 216.xx.xx.66(47850) -> 203.xx.xx.2(23), 1 packet
> > > Sep 23 03:56:19 <> list 100 denied tcp 216.xx.xx.66(47850) -> 203.xx.xx.50(23), 1 packet
> > > Sep 23 03:56:20 <> list 100 denied tcp 216.xx.xx.66(47850) -> 203.xx.xx.102(23), 1 packet
> > > Sep 23 03:56:21 <> list 100 denied tcp 216.xx.xx.66(47850) -> 203.xx.xx.152(23), 1 packet
> > > Sep 23 03:56:22 <> list 100 denied tcp 216.xx.xx.66(47850) -> 203.xx.xx.201(23), 1 packet
> > > Sep 23 03:56:23 <> list 100 denied tcp 216.xx.xx.66(47850) -> 203.xx.xx.253(23), 1 packet
> > > Sep 23 03:56:23 <> list 100 denied tcp 216.xx.xx.66(47850) -> 203.xx.xx.254(23), 1 packet
> > >
> > > Observations:
> > > - The source port is always the same, and is generally port 47850.
> > > - The destination port is always port 23.
> > > - It is too quick to be manually done.
> > > - The size of the gaps in the address space is variable.
> > > - The only continent they have not come from is Africa.
> > >
> > > I would like to know what is being used to do the job ? why they
> > > are happening ? and what may follow ?
> > >
> > > Thank you in advance,
> > >
> > > Jim Smart
> > > Brisbane, Australia
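The three readings offered in this thread (SYN retries to one host, a sweep for telnet across many hosts, a SYN flood from many sources) can be told apart by grouping the deny lines, shown here as an added example that is not part of the original messages. The threshold of 5 and the 192.0.2.x / 198.51.100.x lines are assumptions constructed for illustration; only the scan lines follow the log quoted in the thread.

```python
import re
from collections import defaultdict

# Matches the ACL deny lines quoted in the thread (addresses may be redacted as "xx").
LINE = re.compile(r"denied tcp ([\w.]+)\((\d+)\) -> ([\w.]+)\((\d+)\)")

def parse(lines):
    """Yield (src, sport, dst, dport) for every line that matches."""
    for line in lines:
        m = LINE.search(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))

def classify(lines, threshold=5):
    """Label traffic patterns; threshold is an assumed cut-off to tune per site."""
    dsts_by_src = defaultdict(set)   # (src, dport) -> destinations touched
    srcs_by_dst = defaultdict(set)   # (dst, dport) -> sources seen
    repeats = defaultdict(int)       # exact 4-tuple -> number of drops
    for src, sport, dst, dport in parse(lines):
        dsts_by_src[(src, dport)].add(dst)
        srcs_by_dst[(dst, dport)].add(src)
        repeats[(src, sport, dst, dport)] += 1
    findings = {}
    # One source, one port, many destinations: a sweep for that service.
    for (src, dport), dsts in dsts_by_src.items():
        if len(dsts) >= threshold:
            findings[src] = f"horizontal scan of port {dport} ({len(dsts)} hosts)"
    # Many (possibly spoofed) sources against one destination and port.
    for (dst, dport), srcs in srcs_by_dst.items():
        if len(srcs) >= threshold:
            findings[dst] = f"possible SYN flood on port {dport} ({len(srcs)} sources)"
    # Identical 4-tuple dropped repeatedly: TCP retrying its SYN.
    for (src, sport, dst, dport), n in repeats.items():
        if n > 1 and src not in findings and dst not in findings:
            findings[src] = f"SYN retransmission to {dst}:{dport} ({n} tries)"
    return findings

# Destinations from the log in the thread (timestamps simplified).
SCAN = [f"Sep 23 03:56:18 <> list 100 denied tcp 216.xx.xx.66(47850) -> 203.xx.xx.{h}(23), 1 packet"
        for h in (2, 50, 102, 152, 201, 253, 254)]
# Constructed lines: six sources hitting one host, and one SYN retried three times.
FLOOD = [f"Sep 23 04:00:00 <> list 100 denied tcp 198.51.100.{i}(1024) -> 192.0.2.10(23), 1 packet"
         for i in range(1, 7)]
RETRY = ["Sep 23 04:05:00 <> list 100 denied tcp 198.51.100.77(1045) -> 192.0.2.20(23), 1 packet"] * 3

if __name__ == "__main__":
    for key, label in classify(SCAN + FLOOD + RETRY).items():
        print(f"{key}: {label}")
```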
