Hi Folks,

Lately I have been seeing a lot of these:

[03/Jan/2001 14:08:48] Packet filter: ACL 3:45 Internet: drop packet in: TCP 192.168.27.24:80 -> 146.115.161.33:24021
[03/Jan/2001 14:08:50] Packet filter: ACL 3:45 Internet: drop packet in: TCP 192.168.27.24:80 -> 146.115.161.33:24021
[03/Jan/2001 14:08:53] Packet filter: ACL 3:45 Internet: drop packet in: TCP 192.168.27.24:80 -> 146.115.161.33:24021
[03/Jan/2001 14:08:59] Packet filter: ACL 3:45 Internet: drop packet in: TCP 192.168.27.24:80 -> 146.115.161.33:24021
[03/Jan/2001 14:09:11] Packet filter: ACL 3:45 Internet: drop packet in: TCP 192.168.27.24:80 -> 146.115.161.33:24021
[03/Jan/2001 14:09:36] Packet filter: ACL 3:45 Internet: drop packet in: TCP 192.168.27.24:80 -> 146.115.161.33:24021
[03/Jan/2001 14:10:24] Packet filter: ACL 3:45 Internet: drop packet in: TCP 192.168.27.24:80 -> 146.115.161.33:24021
[03/Jan/2001 14:10:58] Packet filter: ACL 3:45 Internet: drop packet in: TCP 192.168.27.24:80 -> 146.115.161.33:25464
[03/Jan/2001 14:11:00] Packet filter: ACL 3:45 Internet: drop packet in: TCP 192.168.27.24:80 -> 146.115.161.33:25464
[03/Jan/2001 14:11:03] Packet filter: ACL 3:45 Internet: drop packet in: TCP 192.168.27.24:80 -> 146.115.161.33:25464
[03/Jan/2001 14:11:11] Packet filter: ACL 3:45 Internet: drop packet in: TCP 192.168.27.24:80 -> 146.115.161.33:25464
[03/Jan/2001 14:11:25] Packet filter: ACL 3:45 Internet: drop packet in: TCP 192.168.27.24:80 -> 146.115.161.33:24021

The destination address is always my firewall. The inbound source address appears to be spoofed; it's out of one of the blocks reserved for local intranet blocks.

First question, how can there be any value in spoofing these local addresses and then sending me packets? How could they expect to get any results routed back to them?

Secondly, I can't find any information on the ports they are scanning.
These ports vary (as do the source IP addresses, always in the reserved range though) - I have seen 12135, 12793, 24021, 25464, 13623, 13861, 14789, 16576, 17097, 16703 & 15661 - none of which I can find on either of the two sources I use to look up known port numbers.

I am also seeing a bunch of "traditional" IP increment scans on port 27374 and 9088 for which I am uncertain as to the target, as well as the "normal" (to use THAT word very loosely ;-) 111 scans I see all the time.

Any ideas? I get real nervous when I don't have a clue what they are looking for...

Guy Skaggs
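
Added example, not part of the original post: a Python script that groups drop lines like those quoted above by flow, flags source addresses in the RFC 1918 private ranges, and lists the seconds between repeats of the same flow. The regular expression is an assumption inferred only from the quoted lines, and the names summarize, LINE, PRIVATE and SAMPLE are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Sample input: eight of the drop lines quoted in the post above.
SAMPLE = """\
[03/Jan/2001 14:08:48] Packet filter: ACL 3:45 Internet: drop packet in: TCP 192.168.27.24:80 -> 146.115.161.33:24021
[03/Jan/2001 14:08:50] Packet filter: ACL 3:45 Internet: drop packet in: TCP 192.168.27.24:80 -> 146.115.161.33:24021
[03/Jan/2001 14:08:53] Packet filter: ACL 3:45 Internet: drop packet in: TCP 192.168.27.24:80 -> 146.115.161.33:24021
[03/Jan/2001 14:08:59] Packet filter: ACL 3:45 Internet: drop packet in: TCP 192.168.27.24:80 -> 146.115.161.33:24021
[03/Jan/2001 14:09:11] Packet filter: ACL 3:45 Internet: drop packet in: TCP 192.168.27.24:80 -> 146.115.161.33:24021
[03/Jan/2001 14:10:58] Packet filter: ACL 3:45 Internet: drop packet in: TCP 192.168.27.24:80 -> 146.115.161.33:25464
[03/Jan/2001 14:11:00] Packet filter: ACL 3:45 Internet: drop packet in: TCP 192.168.27.24:80 -> 146.115.161.33:25464
[03/Jan/2001 14:11:03] Packet filter: ACL 3:45 Internet: drop packet in: TCP 192.168.27.24:80 -> 146.115.161.33:25464
"""

# Assumed line layout, inferred from the quoted lines (not a vendor spec).
LINE = re.compile(
    r"\[(?P<ts>[^\]]+)\] Packet filter: ACL (?P<acl>\S+) (?P<iface>\S+): "
    r"drop packet (?P<dir>in|out): (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)
# RFC 1918 private ranges; not routable on the public Internet.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def summarize(log_text):
    """Group drops by flow; report count, private-source flag, repeat gaps."""
    flows = defaultdict(list)
    for m in LINE.finditer(log_text):
        ts = datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S")
        flows[(m["src"], int(m["sport"]), m["dst"], int(m["dport"]))].append(ts)
    report = []
    for (src, sport, dst, dport), times in sorted(flows.items()):
        times.sort()
        # Seconds between consecutive drops of the same flow.
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        private = any(ipaddress.ip_address(src) in net for net in PRIVATE)
        report.append({"src": src, "sport": sport, "dst": dst, "dport": dport,
                       "count": len(times), "private_src": private, "gaps_s": gaps})
    return report


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```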
