The destination port is 23. That's telnet.
Someone's trying to telnet to you.
The reason you're seeing several drops is that TCP
retries its SYN packets a bunch of times if it fails
to connect.
I'd recommend brushing up on your TCP/IP basics a wee bit.
Jim Smart wrote:
>
> Hi,
>
> I am wondering if anyone knows what is causing these in our logs?
>
> Sep 23 03:56:18 <> list 100 denied tcp 216.xx.xx.66(47850) -> 203.xx.xx.2(23), 1 packet
> Sep 23 03:56:19 <> list 100 denied tcp 216.xx.xx.66(47850) -> 203.xx.xx.50(23), 1 packet
> Sep 23 03:56:20 <> list 100 denied tcp 216.xx.xx.66(47850) -> 203.xx.xx.102(23), 1 packet
> Sep 23 03:56:21 <> list 100 denied tcp 216.xx.xx.66(47850) -> 203.xx.xx.152(23), 1 packet
> Sep 23 03:56:22 <> list 100 denied tcp 216.xx.xx.66(47850) -> 203.xx.xx.201(23), 1 packet
> Sep 23 03:56:23 <> list 100 denied tcp 216.xx.xx.66(47850) -> 203.xx.xx.253(23), 1 packet
> Sep 23 03:56:23 <> list 100 denied tcp 216.xx.xx.66(47850) -> 203.xx.xx.254(23), 1 packet
>
> Observations:
> - The source port is always the same, and is generally port 47850.
> - The destination port is always port 23.
> - It is too quick to be manually done.
> - The size of the gaps in the address space is variable.
> - The only continent they have not come from is Africa.
>
> I would like to know what is being used to do the job? why they
> are happening? and what may follow?
>
> Thank you in advance,
>
> Jim Smart
> Brisbane, Australia
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50
WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
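
Added example, not part of either message: a small triage script for deny lines in the format quoted above. It groups drops by source and destination port and separates repeated drops to one destination (the SYN-retry pattern) from one source touching many destinations on the same port (a sweep). The sample lines, the "gw" hostname, the threshold of 5 and the labels are assumptions made for illustration; no time window is applied.

```python
import re
from collections import defaultdict

# Shape of the deny lines quoted in the thread, with wrapped lines joined.
# Addresses match [\w.]+ so masked values such as 216.xx.xx.66 still parse.
LINE_RE = re.compile(
    r"list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\w.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\w.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse(lines):
    """Yield (src, sport, dst, dport, packets) for every line that matches."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"],
                   int(m["dport"]), int(m["count"]))

def classify(lines, sweep_threshold=5):
    """Group denies by (source, destination port) and label each group."""
    groups = defaultdict(lambda: {"dsts": defaultdict(int), "sports": set()})
    for src, sport, dst, dport, packets in parse(lines):
        g = groups[(src, dport)]
        g["dsts"][dst] += packets
        g["sports"].add(sport)
    report = {}
    for key, g in groups.items():
        if len(g["dsts"]) >= sweep_threshold:
            label = "sweep"      # one source, one port, many destinations
        elif max(g["dsts"].values()) > 1:
            label = "retries"    # the same destination dropped repeatedly
        else:
            label = "isolated"
        report[key] = {"label": label, "destinations": len(g["dsts"]),
                       "fixed_source_port": len(g["sports"]) == 1}
    return report

# Constructed sample lines using documentation address ranges.
SAMPLE = [
    f"Sep 23 03:56:{18 + i} gw list 100 denied tcp 192.0.2.66(47850) -> "
    f"198.51.100.{host}(23), 1 packet"
    for i, host in enumerate([2, 50, 102, 152, 201, 253])
] + [
    f"Sep 23 04:10:{sec:02d} gw list 100 denied tcp 192.0.2.9(1045) -> "
    f"198.51.100.10(80), 1 packet"
    for sec in (0, 3, 9)
]

if __name__ == "__main__":
    for (src, dport), info in classify(SAMPLE).items():
        print(src, dport, info)
```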