Just a heads up and to see if others are seeing this activity.

I'm getting probed slowly from perhaps 1 system on a dial-up (DSL?) line.
The current IP addresses are AOL based and change but are between
64.12.151.(129 - 137). Prior to this set of IPs was a series from
216.234.248.73 and a series from 206.40.47.6 and 206.46.188.(39 - 40) with
an occasional different IP tossed in. In general, it looks like one "set" of
IP addresses is primarily used for a while followed by a different set. For
example, I'm seeing the 64.x.x.x addresses now but not the 216.x.x.x or
206.x.x.x addresses. When I was seeing the 216.x.x.x addresses, I wasn't
seeing the 206.x.x.x or 64.x.x.x addresses. 

It doesn't appear that the probes are occurring from multiple IP addresses
at the same time; I'm looking at hourly summaries so would need to look at
the raw information to be absolutely positive of that.

I get a couple of hits on each unsupported port and all within a short time.
It appears that other ports may be intermixed. After a maximum of about 4
probes to a particular port, I rarely, if ever, see that port used again
regardless of IP or ISP. The ports are also not consecutive (ex: 3884, 4004,
1988, 1920, 3902, 2629, 24968, 2629, 4139, ...), generally > 1000 and < 5000.


I get probed on common ports frequently from a variety of IP addresses - the
characteristic of the slow probes is that they are all non-repeating
non-common ports. This seems to indicate a methodical intentional probe
designed to be "invisible". My normal "port scan" monitor hasn't kicked off.

I get only a couple of ports (generally less than 6) probed per hour. This
has been occurring pretty consistently for some while although nothing yet today.
The probes generally occur during office hours.

Related to the latest big chunk of IP addresses (64.12.151.x): It appears
that a couple of ports are tried followed by a change in IP addresses and
more ports. I have no indication that any other activity related to these IP
addresses (other than DNS lookups) has occurred - only port scans to
unsupported ports. I haven't looked to see if this is true for the other IP
addresses. The probes seem to have generally settled on 64.12.151.x for the
past couple of days.
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
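
An added example, not part of the original post: a sketch of why a per-source hourly port-scan monitor stays quiet on this pattern, and how grouping by source /24 over a multi-day window and counting distinct uncommon ports brings it out. The log lines, the common-port set and both thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed sample events (timestamp, source IP, destination port); not data from the post.
EVENTS = """\
2001-03-05T09:12 64.12.151.129 3884
2001-03-05T09:40 64.12.151.129 3884
2001-03-05T10:05 64.12.151.131 4004
2001-03-05T11:30 64.12.151.133 1988
2001-03-05T14:02 64.12.151.134 1920
2001-03-06T09:20 64.12.151.136 3902
2001-03-06T10:45 64.12.151.137 2629
2001-03-06T13:10 64.12.151.130 4139
2001-03-05T09:15 198.51.100.7 80
2001-03-05T09:16 198.51.100.7 25
2001-03-06T12:00 203.0.113.9 139
"""

COMMON_PORTS = {21, 22, 23, 25, 53, 80, 110, 139, 443}  # assumed "common" set
HOURLY_LIMIT = 10  # assumed threshold of a per-source, per-hour scan monitor
SLOW_LIMIT = 6     # assumed: distinct uncommon ports per /24 over the whole window

def parse(text):
    """Yield (timestamp, source IP, destination port) from the sample format."""
    for line in text.splitlines():
        ts, src, port = line.split()
        yield datetime.fromisoformat(ts), src, int(port)

def hourly_alerts(events):
    """Classic monitor: distinct ports per source IP per clock hour."""
    buckets = defaultdict(set)
    for ts, src, port in events:
        buckets[(src, ts.replace(minute=0))].add(port)
    return sorted({src for (src, _), p in buckets.items() if len(p) >= HOURLY_LIMIT})

def slow_scan_alerts(events):
    """Long-window view: distinct uncommon ports per source /24, repeats ignored."""
    ports, sources = defaultdict(set), defaultdict(set)
    for _, src, port in events:
        if port in COMMON_PORTS:
            continue  # frequent probes on common ports are background noise here
        net = str(ip_network(f"{src}/24", strict=False))
        ports[net].add(port)
        sources[net].add(src)
    # Map each flagged /24 to (source addresses seen, distinct uncommon ports)
    return {n: (len(sources[n]), len(p)) for n, p in ports.items() if len(p) >= SLOW_LIMIT}
```

Run against raw firewall logs rather than hourly summaries, so the window can span days and a change of address inside the same /24 does not reset the count.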
