Within the last week, we've noticed a large number of attempted connects to
port 21 on the external interface of our firewall. There are usually 20-40
different IPs, attempting to connect 3-8 times (usually 4 times apiece,
with some 3 and some 8 or 9). They make attempts within minutes of one
another, as if they are attempting to flood the port. We block that port by
default, so nothing is getting in, but I'm leery of the intent. The IPs
come from all over the place... mostly the US (lots of colleges and ISPs),
but some from France, Canada, and Panama. It seems to me he's either
cracked into these accounts or is more likely spoofing addresses.
Is there a generally accepted way to deal with this? I've thought of mailing
the admins of at least the colleges to inform them they may have been
hacked. I'm also going to set up a packet sniffer to see what these packets
look like. Other than that, would anyone have any suggestions?
Thanks,
John