We recently began seeing an interesting pattern of TCP packets, from 6
unique IPs, none with reverse DNS, 5 or 6 packets per src IP to a single
destination IP, port 7 (echo). These packets are all logged within a few
seconds of each other, which leads me to suspect that most of them could be
spoofed. The "source" IPs are:
199.95.207.91 DOUBLECLICK.NET
199.95.208.85 DOUBLECLICK.NET
207.239.35.71 @PLAN (webplan.net)
208.32.211.71 DOUBLECLICK.NET
209.67.38.49 EXODUS.NET (no reverse dns in subnet)
209.67.38.50 EXODUS.NET (no reverse dns in subnet)
Anyone else seen this traffic pattern?
>Jun 4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from
>207.239.35.71:64314
>Jun 4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from
>208.32.211.71:44619
>Jun 4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from
>199.95.208.85:45641
>Jun 4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from
>199.95.207.91:40861
>Jun 4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from
>209.67.38.49:36966
>...
>Jun 4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from
>207.239.35.71:33107
>Jun 4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from
>199.95.208.85:47895
>Jun 4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from
>199.95.207.91:42421
>Jun 4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from
>208.32.211.71:46178
>Jun 4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from
>207.239.35.71:33108
>...
>cont. for several pages
--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
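The pattern described in the post, as an added example that is not part of the original message: a small Python detector that parses the kernel log format quoted above, clusters connection attempts to one destination port by arrival time, and flags clusters fed by several distinct source IPs within a few seconds. The sample log lines are constructed in the post's format, and the year passed to the parser is an assumption since BSD syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample in the format of the post's kernel log lines; the last line is noise.
SAMPLE_LOG = """\
Jun 4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 207.239.35.71:64314
Jun 4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 208.32.211.71:44619
Jun 4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 199.95.208.85:45641
Jun 4 07:44:59 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 209.67.38.49:36966
Jun 4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 207.239.35.71:33107
Jun 4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 199.95.208.85:47895
Jun 4 07:45:35 server1 /kernel: Connection attempt to TCP 192.168.1.1:7 from 199.95.207.91:42421
Jun 4 08:10:02 server1 /kernel: Connection attempt to TCP 192.168.1.1:22 from 10.0.0.5:51000
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ /kernel: Connection attempt "
    r"to (?P<proto>TCP|UDP) (?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):\d+$"
)

def parse_log(text, year=1999):
    """Parse 'Connection attempt' lines into events; the year is assumed, since
    BSD syslog timestamps carry none. Non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "target": (m["proto"], m["dst"], int(m["dport"])), "src": m["src"]})
    return events

def find_bursts(events, max_gap=5, min_sources=3):
    """Cluster attempts on one (proto, dst, dport) whose arrivals are at most max_gap
    seconds apart; report clusters fed by at least min_sources distinct source IPs."""
    by_target = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_target[ev["target"]].append(ev)
    bursts = []
    for target, evs in by_target.items():
        cluster = [evs[0]]
        for ev in evs[1:] + [None]:  # None sentinel flushes the final cluster
            if ev and (ev["ts"] - cluster[-1]["ts"]).total_seconds() <= max_gap:
                cluster.append(ev)
                continue
            srcs = sorted({e["src"] for e in cluster})
            if len(srcs) >= min_sources:
                bursts.append({"target": target, "start": cluster[0]["ts"], "end": cluster[-1]["ts"],
                               "packets": len(cluster), "sources": srcs})
            cluster = [ev] if ev else []
    return bursts
```

On the constructed sample this reports two bursts to 192.168.1.1:7 (four sources at 07:44:59, three at 07:45:35) and ignores the lone port 22 attempt; raising `min_sources` or lowering `max_gap` tunes how tight a cluster must be before it is reported.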