Possibly.  

They might be trying to save scanning time by looking for something at .1
assuming there is usually a router there, and the lack of a router results
in lack of an "interesting" network.  I've occasionally seen a combo of .1
and .254 catching the first and last host on a class C.  I have also
(rarely) seen the same type of scan with strides of 4, 8, 16, 32, 64 or 128,
apparently looking for the first or last host address in a VLSM network.

Ken Seefried, CTO
DigitalMoJo, Inc.

-----Original Message-----
From: Dave Horsfall
To: Firewalls List
Sent: 1/22/01 7:13 PM
Subject: Kiddies like address *.1 ?

I'm starting to see all sorts of probes to address *.1 (samples below); is
this because kiddies expect to see a server there?  I keep it free so it
gets scanned first :-)

[207.236.111.23] resolves to "[207.236.111.23]"

Jan 22 20:57:17  denied udp 207.236.111.23(38260) -> XXX.1(49276), 1 packet
Jan 22 20:57:17  denied udp 207.236.111.23(38260) -> XXX.1(49292), 1 packet
Jan 22 20:57:17  denied udp 207.236.111.23(38260) -> XXX.1(49293), 1 packet

Etc.  And:

[24.114.40.164] resolves to "cr386525-a.etob1.on.wave.home.com"

Jan 23 02:55:13  denied udp 24.114.40.164(63380) -> XXX.1(63537), 1 packet
Jan 23 02:55:13  denied udp 24.114.40.164(63380) -> XXX.1(63553), 1 packet
Jan 23 02:55:13  denied udp 24.114.40.164(63380) -> XXX.1(63554), 1 packet


One of these days, I'll put a listener on that address, such as CHARGEN or
a BSoD or something...

-- Dave

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
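
Added example, not part of either message: a log check for the pattern discussed in the reply above, flagging sources whose denied probes land only on first or last host addresses (.1, .254, or the equivalents at strides of 4 to 128). The function names and the sample lines (documentation address ranges) are constructed for illustration; the line format follows the log excerpts in the thread.

```python
import re
from collections import defaultdict

# Matches the "denied" lines quoted in the thread; the destination prefix
# may be redacted ("XXX.1"), so only the last octet is parsed as a number.
LINE = re.compile(r"denied \w+ (\S+?)\(\d+\) -> (\S+)\.(\d+)\(\d+\)")
SIZES = (256, 128, 64, 32, 16, 8, 4)  # addresses per subnet, /24 down to /30

def edge_stride(octets):
    """Largest subnet size for which every probed last octet is a first
    (.1-style) or last (.254-style) host address; None if no size fits."""
    for size in SIZES:
        if all(o % size in (1, size - 2) for o in octets):
            return size
    return None

def edge_probers(lines):
    """Map source IP -> (subnet size, distinct targets) for sources that
    touched nothing but first/last host addresses."""
    targets = defaultdict(set)
    for line in lines:
        m = LINE.search(line)
        if m:
            targets[m.group(1)].add((m.group(2), int(m.group(3))))
    hits = {}
    for src, dsts in targets.items():
        size = edge_stride({octet for _, octet in dsts})
        # Small sizes fit many addresses (half of all octets for size 4),
        # so a match on few distinct targets is a weak signal.
        if size is not None:
            hits[src] = (size, len(dsts))
    return hits

def _line(src, dst):  # formats one constructed log line
    return f"Jan 22 20:57:17  denied udp {src}(40000) -> {dst}(33434), 1 packet"

# Constructed sample: a .1/.254 pair, a stride-32 scan, a plain sequential sweep.
SAMPLE = (
    [_line("198.51.100.7", f"203.0.113.{o}") for o in (1, 254)]
    + [_line("198.51.100.9", f"203.0.113.{o}") for o in (1, 33, 65, 97)]
    + [_line("198.51.100.20", f"203.0.113.{o}") for o in (1, 2, 3)]
)

if __name__ == "__main__":
    for src, (size, n) in edge_probers(SAMPLE).items():
        print(f"{src}: only first/last hosts of {size}-address subnets ({n} targets)")
```
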