Figuring it out involved tcpdump at my firewall. My IMail and IIS logs don't show anything unusual. I don't really understand what tcpdump tells me, except that it shows 147.237.72.84 hitting everything I run on port 80, but the replies can't get back...

Here's a snatch of what I'm getting:

Executing TCP Dump query
Running: tcpdump -l -ifxp1 -vv -n
12:08:34.821867 216.0.126.11.80 > 147.237.72.84.35372: S 2607597397:2607597397(0) ack 2999386113 win 16616 (DF) (ttl 127, id 27713)
12:08:34.821889 216.0.126.10.80 > 147.237.72.84.64021: S 2607536915:2607536915(0) ack 407175169 win 16616 (DF) (ttl 127, id 27714)
12:08:34.821902 216.0.126.33.80 > 147.237.72.84.49932: S 2607691434:2607691434(0) ack 3576168449 win 16616 (DF) (ttl 127, id 27715)
12:08:34.821929 216.0.126.3.80 > 147.237.72.84.6226: S 2607632953:2607632953(0) ack 2462056449 win 16616 (DF) (ttl 127, id 27716)
12:08:34.848294 65.194.73.102 > 216.0.126.11: icmp: host 147.237.72.84 unreachable (ttl 244, id 0)
12:08:34.848797 65.194.73.102 > 216.0.126.10: icmp: host 147.237.72.84 unreachable (ttl 244, id 0)
12:08:34.849218 65.194.73.102 > 216.0.126.33: icmp: host 147.237.72.84 unreachable (ttl 244, id 0)
12:08:34.849464 65.194.73.102 > 216.0.126.3: icmp: host 147.237.72.84 unreachable (ttl 244, id 0)
12:08:34.860411 216.0.126.30.80 > 147.237.72.84.40484: S 975475210:975475210(0) ack 2328297473 win 16616 (DF) (ttl 127, id 49314)
12:08:34.860431 216.0.126.98.80 > 147.237.72.84.44440: S 975788211:975788211(0) ack 3325624321 win 16616 (DF) (ttl 127, id 49316)
12:08:34.860448 216.0.126.31.80 > 147.237.72.84.55419: S 975512371:975512371(0) ack 1403650049 win 16616 (DF) (ttl 127, id 49315)
12:08:34.860471 216.0.126.5.80 > 147.237.72.84.10025: S 975647138:975647138(0) ack 840826881 win 16616 (DF) (ttl 127, id 49317)
12:08:34.860485 216.0.126.106.80 > 147.237.72.84.5322: S 975392563:975392563(0) ack 2416443393 win 16616 (DF) (ttl 127, id 49318)
12:08:34.860512 216.0.126.29.80 > 147.237.72.84.14558: S 975429720:975429720(0) ack 41484289 win 16616 (DF) (ttl 127, id 49319)
12:08:34.860525 216.0.126.99.80 > 147.237.72.84.24714: S 975830059:975830059(0) ack 3864657921 win 16616 (DF) (ttl 127, id 49320)

Then I called our T1 provider, Allegiance (formerly Intermedia, formerly Digex) and when support answered I said just "info.gov.israel ringing any bells?" and the answer back was "Oh god, another one?" They're working to put the right upper-level blocking in place - I can't seem to stop it at the firewall.

-- 
Dave Salovesh
RAM Associates, Inc.
(800) 543-3635

> -----Original Message-----
> From: Ted Sorrells [mailto:[EMAIL PROTECTED]]
> Sent: Friday, April 26, 2002 12:11 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [IMail Forum] Port 80 Problems
>
>
> Hi Dave --
>
> How were you able to determine this? The only thing that looks strange to
> my untrained eye is the following entries in my logs:
>
> 20020426 012830 127.0.0.1 SMTPD (14EC00C6) [216.0.153.77] connect 216.0.153.77 port 4702
> 20020426 012941 127.0.0.1 SMTPD (150F00C6) [216.0.153.77] connect 216.0.153.77 port 4707
> 20020426 013042 127.0.0.1 SMTPD (152D00C6) [216.0.153.77] connect 216.0.153.77 port 4712
> 20020426 013153 127.0.0.1 SMTPD (154F00C6) [216.0.153.77] connect 216.0.153.77 port 4717
> 20020426 013254 127.0.0.1 SMTPD (156E00C6) [216.0.153.77] connect 216.0.153.77 port 4722
> 20020426 013405 127.0.0.1 SMTPD (159000C6) [216.0.153.77] connect 216.0.153.77 port 4729
> 20020426 013506 127.0.0.1 SMTPD (15AE00C6) [216.0.153.77] connect 216.0.153.77 port 4734
> 20020426 013617 127.0.0.1 SMTPD (15D100C6) [216.0.153.77] connect 216.0.153.77 port 4739
> 20020426 013718 127.0.0.1 SMTPD (15EF00C6) [216.0.153.77] connect 216.0.153.77 port 4744
> 20020426 013829 127.0.0.1 SMTPD (161200C6) [216.0.153.77] connect 216.0.153.77 port 4749
> 20020426 013930 127.0.0.1 SMTPD (163000C6) [216.0.153.77] connect 216.0.153.77 port 4754
> 20020426 014030 127.0.0.1 SMTPD (18B500C4) [216.0.153.77] connect 216.0.153.77 port 4759
> 20020426 014131 127.0.0.1 SMTPD (166A00C6) [216.0.153.77] connect 216.0.153.77 port 4764
> 20020426 014231 127.0.0.1 SMTPD (168800C6) [216.0.153.77] connect 216.0.153.77 port 4769
>
> None of these are connected with any sessions, at least as far as I can
> tell. Is this "normal?"
>
> Thanks!
>
>
> At 11:43 AM 4/26/2002 -0400, you wrote:
> > > -----Original Message-----
> > > From: Ted Sorrells [mailto:[EMAIL PROTECTED]]
> > >
> > > Over the last 24 hours, I've had two servers fail to answer on port
> > > 80.
> >
> >I'm tearing my hair out on the same issue.
> >
> >Looks like a DoS involving 147.237.72.91 - www.info.gov.il, but that could
> >be spoofed.
> >
> >Web messaging works on 8383, and IIS on new IP addresses works on 80, so
> >they probably did a scan a while ago and are now targeting what they found.
>
> Please visit http://www.ipswitch.com/support/mailing-lists.html
> to be removed from this list.
>
> An Archive of this list is available at:
> http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
>
> Please visit the Knowledge Base for answers to frequently asked
> questions: http://www.ipswitch.com/support/IMail/
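The tcpdump snippet above shows the half of the pattern Dave could see from his firewall: every one of his web servers answering port-80 SYNs with a SYN-ACK to the same remote address, and an upstream router (65.194.73.102) reporting that address as unreachable, so the handshakes never complete and the inbound SYNs (which are not in the snippet) may well carry a spoofed source. The script below is an added example, not code from the thread or from Ipswitch; it parses tcpdump 3.x `-vv -n` lines of the two shapes shown in the post and flags a remote address when many local hosts send it SYN-ACKs and ICMP host-unreachable reports come back for it. The sample lines are the first ten from Dave's capture plus two constructed benign lines for a hypothetical client 198.51.100.7; the local prefix `216.0.126.` and the threshold `min_local_hosts` are assumptions for the example.

```python
import re
from collections import defaultdict

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# SYN-ACK as printed by tcpdump 3.x with -vv -n:
#   "ts src.port > dst.port: S seq:seq(0) ack N win ... (DF) (ttl T, id I)"
# A SYN carrying an ack number is the server's reply, so its presence implies an
# inbound SYN to src.port that the capture filter or snippet did not include.
SYNACK_RE = re.compile(
    rf"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>{IP})\.(?P<sport>\d+) > "
    rf"(?P<dst>{IP})\.(?P<dport>\d+): S \d+:\d+\(0\) ack \d+"
)

# ICMP host-unreachable as printed by the same tcpdump:
#   "ts router > local: icmp: host X unreachable (ttl T, id I)"
ICMP_UNREACH_RE = re.compile(
    rf"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>{IP}) > (?P<dst>{IP}): "
    rf"icmp: host (?P<host>{IP}) unreachable"
)


def analyse(lines, local_prefix, min_local_hosts=3):
    """Return one finding per remote address that (a) received SYN-ACKs from at
    least `min_local_hosts` distinct local addresses and (b) was reported
    unreachable by ICMP. Both together are the backscatter signature of a
    SYN flood whose source address cannot be replied to."""
    synacks = defaultdict(lambda: {"local_hosts": set(), "packets": 0, "service_ports": set()})
    unreachable = defaultdict(int)

    for line in lines:
        m = SYNACK_RE.match(line)
        if m and m.group("src").startswith(local_prefix):
            rec = synacks[m.group("dst")]
            rec["local_hosts"].add(m.group("src"))
            rec["packets"] += 1
            rec["service_ports"].add(int(m.group("sport")))
            continue
        m = ICMP_UNREACH_RE.match(line)
        if m:
            unreachable[m.group("host")] += 1

    findings = []
    for remote, rec in synacks.items():
        if len(rec["local_hosts"]) >= min_local_hosts and unreachable.get(remote, 0) > 0:
            findings.append({
                "remote": remote,
                "local_hosts": sorted(rec["local_hosts"]),
                "synack_packets": rec["packets"],
                "service_ports": sorted(rec["service_ports"]),
                "unreachable_reports": unreachable[remote],
            })
    return findings


def report(findings):
    """Plain-text summary suitable for handing to an upstream provider, which is
    where the post says the blocking had to happen."""
    out = []
    for f in findings:
        out.append(
            f"{f['remote']}: {f['synack_packets']} SYN-ACKs from "
            f"{len(f['local_hosts'])} local hosts on port(s) "
            f"{','.join(map(str, f['service_ports']))}; "
            f"{f['unreachable_reports']} ICMP host-unreachable reports. "
            "Replies cannot reach this address, so treat the inbound SYN source as "
            "unverified (possibly spoofed) and ask upstream to filter."
        )
    return "\n".join(out)


# Sample input: ten lines copied from the post's capture, followed by two
# constructed lines for a normal client (198.51.100.7) that must not be flagged.
SAMPLE_LINES = [
    "12:08:34.821867 216.0.126.11.80 > 147.237.72.84.35372: S 2607597397:2607597397(0) ack 2999386113 win 16616 (DF) (ttl 127, id 27713)",
    "12:08:34.821889 216.0.126.10.80 > 147.237.72.84.64021: S 2607536915:2607536915(0) ack 407175169 win 16616 (DF) (ttl 127, id 27714)",
    "12:08:34.821902 216.0.126.33.80 > 147.237.72.84.49932: S 2607691434:2607691434(0) ack 3576168449 win 16616 (DF) (ttl 127, id 27715)",
    "12:08:34.821929 216.0.126.3.80 > 147.237.72.84.6226: S 2607632953:2607632953(0) ack 2462056449 win 16616 (DF) (ttl 127, id 27716)",
    "12:08:34.848294 65.194.73.102 > 216.0.126.11: icmp: host 147.237.72.84 unreachable (ttl 244, id 0)",
    "12:08:34.848797 65.194.73.102 > 216.0.126.10: icmp: host 147.237.72.84 unreachable (ttl 244, id 0)",
    "12:08:34.849218 65.194.73.102 > 216.0.126.33: icmp: host 147.237.72.84 unreachable (ttl 244, id 0)",
    "12:08:34.849464 65.194.73.102 > 216.0.126.3: icmp: host 147.237.72.84 unreachable (ttl 244, id 0)",
    "12:08:34.860411 216.0.126.30.80 > 147.237.72.84.40484: S 975475210:975475210(0) ack 2328297473 win 16616 (DF) (ttl 127, id 49314)",
    "12:08:34.860431 216.0.126.98.80 > 147.237.72.84.44440: S 975788211:975788211(0) ack 3325624321 win 16616 (DF) (ttl 127, id 49316)",
    # constructed: ordinary data segment, ignored by both regexes
    "12:08:35.100000 216.0.126.11.80 > 198.51.100.7.1234: P 1:100(99) ack 1 win 16616 (DF) (ttl 127, id 27800)",
    # constructed: a single SYN-ACK to one client with no ICMP, below threshold
    "12:08:35.200000 216.0.126.11.80 > 198.51.100.7.1235: S 1:1(0) ack 2 win 16616 (DF) (ttl 127, id 27801)",
]

if __name__ == "__main__":
    print(report(analyse(SAMPLE_LINES, local_prefix="216.0.126.")))
```

On the sample input the only finding is 147.237.72.84, with six SYN-ACKs from six local hosts and four unreachable reports; the constructed client is not flagged. Run against a longer capture (`tcpdump -l -n -vv -i fxp1 | python3 script.py` after swapping `SAMPLE_LINES` for `sys.stdin`) the same two regexes still apply, since the post's output is the tcpdump 3.x format; newer tcpdump prints flags as `Flags [S.]`, so the patterns would need adjusting there.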
