On Wed, 8 Dec 1999, Steve Cody wrote:

> Here is an excerpt from my log file.  I use IPCHAINS.  Could this be someone
> making connection attempts and is spoofing their IP address?  This is a

        Very likely, I'd say.  I seem to remember some nmap documentation
that allows the scanner to make additional packets come from decoy
addresses, thereby tying up your time trying to figure out which is the
real attacker.

> small sample, but there were multiple connection attempts from each IP
> address.  There are several distinct addresses.  Within a 13 minute period,
> these connections were from 4 different addresses.  What can be gained by
> the connection attempts they are trying?  Connecting to port 17478, 6970,
> and 3202..

17478/tcp: no clue
6970/udp: realaudio (http://www.real.com)
3202/tcp: no clue
[packet logs snipped]

        Cheers,
        - Bill

---------------------------------------------------------------------------
        I'm not tense, just terribly, terribly alert.
(Courtesy of "Michael J. Dark" <[EMAIL PROTECTED]>)
--------------------------------------------------------------------------
William Stearns ([EMAIL PROTECTED]).  Mason, Buildkernel, named2hosts, 
and ipfwadm2ipchains are at: http://www.pobox.com/~wstearns/
--------------------------------------------------------------------------

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
