--- Kevin Kropf <[EMAIL PROTECTED]> wrote:
> 
>  Has anybody out there seen the following, hits on
> port 53?  
.... 
> Sample:
> Dec  1 14:48:57 kc_firewall kernel: Packet log: input DENY eth0 PROTO=6 216.34.68.2:15209 24.80.151.202:53 L=44 S=0x00 I=0 F=0x0000 T=248 (#44)

No, but in a very cursory look through my recent logs
I have noticed one instance of about 100 packets from
one address denied in a 30 sec period. I'm guessing
it's a scan through my /27 block for some service on
port 27374, sample:

Nov 28 18:19:43 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2017 216.136.89.98:27374 L=48 S=0x00 I=41493 F=0x4000 T=111 SYN (#25)
Nov 28 18:19:43 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2018 216.136.89.99:27374 L=48 S=0x00 I=42517 F=0x4000 T=111 SYN (#25)
Nov 28 18:19:44 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2019 216.136.89.100:27374 L=48 S=0x00 I=43285 F=0x4000 T=111 SYN (#25)
Nov 28 18:19:45 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2022 216.136.89.103:27374 L=48 S=0x00 I=45077 F=0x4000 T=111 SYN (#25)
Nov 28 18:19:46 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2023 216.136.89.104:27374 L=48 S=0x00 I=45589 F=0x4000 T=109 SYN (#25)
Nov 28 18:19:46 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2024 216.136.89.105:27374 L=48 S=0x00 I=46869 F=0x4000 T=111 SYN (#25)

Most of the time, however, my logs show a stream of
denials occurring at a round-the-clock average rate of
roughly 3 per minute (occasionally a period of a few
minutes with nothing) of packets from various IP
addresses denied mostly by the 'forward' rule to
primarily ports 80 and 21, and occasionally ports 111,
113, 137 and others I'm sure, directed to various IPs
of my /27 block defined in my DMZ, but on which most
have no services running.  

Would someone care to tell me what some of these are? 
And is this fairly typical of what goes on out there?

I know I should be concerned enough to learn how to
identify whether any of this is any form of attack, or
whether it is port scanning that may be hampering our
network usage.  In the meantime, does anyone care to
look through the following and let me know if you see
anything of concern?

My network is 216.136.89.96/27, ISP router, my
network's gateway: .97, Dachstein eth0: .101, eth2 DMZ:
.102

Thanks.


Samples from today:

Dec 2 10:09:00 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1412 216.136.89.107:80 L=48 S=0x00 I=24134 F=0x4000 T=116 SYN (#25)
Dec 2 10:09:03 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1412 216.136.89.107:80 L=48 S=0x00 I=25139 F=0x4000 T=116 SYN (#25)
Dec 2 10:10:42 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1550 216.136.89.125:80 L=48 S=0x00 I=64214 F=0x4000 T=115 SYN (#25)
Dec 2 10:10:44 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1550 216.136.89.125:80 L=48 S=0x00 I=65482 F=0x4000 T=116 SYN (#25)
Dec 2 10:11:11 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1512 216.136.89.114:80 L=48 S=0x00 I=12453 F=0x4000 T=116 SYN (#25)
Dec 2 10:11:14 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1512 216.136.89.114:80 L=48 S=0x00 I=13254 F=0x4000 T=116 SYN (#25)
Dec 2 10:11:36 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.81.30:4181 216.136.89.118:80 L=44 S=0x00 I=10711 F=0x4000 T=120 SYN (#25)
Dec 2 10:11:39 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.81.30:4181 216.136.89.118:80 L=44 S=0x00 I=35036 F=0x4000 T=121 SYN (#25)
Dec 2 10:11:45 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.81.30:4595 216.136.89.124:80 L=44 S=0x00 I=9191 F=0x4000 T=121 SYN (#25)
Dec 2 10:11:48 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.81.30:4595 216.136.89.124:80 L=44 S=0x00 I=31725 F=0x4000 T=121 SYN (#25)
Dec 2 10:13:27 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1832 216.136.89.122:80 L=48 S=0x00 I=1362 F=0x4000 T=115 SYN (#25)
Dec 2 10:13:30 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1832 216.136.89.122:80 L=48 S=0x00 I=2563 F=0x4000 T=116 SYN (#25)
Dec 2 10:16:15 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.55.133.33:4520 216.136.89.112:80 L=48 S=0x00 I=21015 F=0x4000 T=108 SYN (#25)
Dec 2 10:16:32 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.81.30:4645 216.136.89.100:80 L=44 S=0x00 I=3569 F=0x4000 T=120 SYN (#25)
Dec 2 10:16:35 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.81.30:4645 216.136.89.100:80 L=44 S=0x00 I=59894 F=0x4000 T=121 SYN (#25)

Dec 2 12:56:42 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1188 216.136.89.118:80 L=48 S=0x00 I=17741 F=0x4000 T=115 SYN (#25)
Dec 2 12:56:45 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1188 216.136.89.118:80 L=48 S=0x00 I=19303 F=0x4000 T=116 SYN (#25)
Dec 2 12:59:00 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:2996 216.136.89.124:80 L=48 S=0x00 I=21931 F=0x4000 T=115 SYN (#25)
Dec 2 12:59:03 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:2996 216.136.89.124:80 L=48 S=0x00 I=23524 F=0x4000 T=116 SYN (#25)
Dec 2 12:59:13 firewall kernel: martian source 2889fea9 for fffffea9, dev eth1
Dec 2 12:59:13 firewall kernel: ll header: ff ff ff ff ff ff 00 80 ad 3c 28 ca 08 00
Dec 2 12:59:14 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1458 216.136.89.109:80 L=48 S=0x00 I=29044 F=0x4000 T=116 SYN (#25)
Dec 2 12:59:17 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1458 216.136.89.109:80 L=48 S=0x00 I=30994 F=0x4000 T=116 SYN (#25)
Dec 2 12:59:22 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:2706 216.136.89.100:80 L=48 S=0x00 I=33267 F=0x4000 T=115 SYN (#25)
Dec 2 12:59:25 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:2706 216.136.89.100:80 L=48 S=0x00 I=34480 F=0x4000 T=116 SYN (#25)
Dec 2 13:05:04 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:2778 216.136.89.123:80 L=48 S=0x00 I=12229 F=0x4000 T=115 SYN (#25)
Dec 2 13:05:07 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:2778 216.136.89.123:80 L=48 S=0x00 I=13884 F=0x4000 T=116 SYN (#25)
Dec 2 13:05:48 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1534 216.136.89.120:80 L=48 S=0x00 I=32500 F=0x4000 T=115 SYN (#25)
Dec 2 13:05:50 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1534 216.136.89.120:80 L=48 S=0x00 I=34369 F=0x4000 T=116 SYN (#25)
Dec 2 13:06:28 firewall kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.5:137 216.136.89.125:137 L=78 S=0x00 I=24279 F=0x0000 T=109 (#10)
Dec 2 13:06:29 firewall kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.5:137 216.136.89.125:137 L=78 S=0x00 I=24282 F=0x0000 T=109 (#10)
Dec 2 13:06:31 firewall kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.5:137 216.136.89.125:137 L=78 S=0x00 I=24283 F=0x0000 T=109 (#10)

Dec 2 13:48:59 firewall kernel: Packet log: forward DENY eth2 PROTO=6 217.224.199.118:3427 216.136.89.98:21 L=48 S=0x00 I=1999 F=0x4000 T=118 SYN (#25)
Dec 2 13:48:59 firewall kernel: Packet log: forward DENY eth2 PROTO=6 217.224.199.118:3428 216.136.89.99:21 L=48 S=0x00 I=2000 F=0x4000 T=118 SYN (#25)
Dec 2 13:48:59 firewall kernel: Packet log: forward DENY eth2 PROTO=6 217.224.199.118:3429 216.136.89.100:21 L=48 S=0x00 I=2001 F=0x4000 T=118 SYN (#25)
Dec 2 13:48:59 firewall kernel: Packet log: forward DENY eth2 PROTO=6 217.224.199.118:3432 216.136.89.103:21 L=48 S=0x00 I=2004 F=0x4000 T=118 SYN (#25)
Dec 2 13:48:59 firewall kernel: Packet log: forward DENY eth2 PROTO=6 217.224.199.118:3433 216.136.89.104:21 L=48 S=0x00 I=2005 F=0x4000 T=118 SYN (#25)
Dec 2 13:48:59 firewall kernel: Packet log: forward DENY eth2 PROTO=6 217.224.199.118:3434 216.136.89.105:21 L=48 S=0x00 I=2006 F=0x4000 T=118 SYN (#25)
Dec 2 13:48:59 firewall kernel: Packet log: forward DENY eth2 PROTO=6 217.224.199.118:3436 216.136.89.107:21 L=48 S=0x00 I=2008 F=0x4000 T=118 SYN (#25)
Dec 2 13:48:59 firewall kernel: Packet log: forward DENY eth2 PROTO=6 217.224.199.118:3437 216.136.89.108:21 L=48 S=0x00 I=2009 F=0x4000 T=118 SYN (#25)
Dec 2 13:48:59 firewall kernel: Packet log: forward DENY eth2 PROTO=6 217.224.199.118:3438 216.136.89.109:21 L=48 S=0x00 I=2010 F=0x4000 T=118 SYN (#25)
Dec 2 13:48:59 firewall kernel: Packet log: forward DENY eth2 PROTO=6 217.224.199.118:3441 216.136.89.112:21 L=48 S=0x00 I=2013 F=0x4000 T=118 SYN (#25)
Dec 2 13:48:59 firewall kernel: Packet log: input DENY eth0 PROTO=6 217.224.199.118:3442 216.136.89.113:21 L=48 S=0x00 I=2014 F=0x4000 T=118 SYN (#44)




_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
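Added example (not code from the list post or from the LEAF/Dachstein project): a small Python triage script for the ipchains "Packet log:" lines shown above, which groups denied packets by source address and destination port and labels each group as a sweep (one port across several hosts within seconds, like the 27374 and port-21 runs), a retransmit (the same source port re-hitting the same host a few seconds later, like the paired port-80 entries), or a private-source packet (the 10.0.0.5 entries). The 30-second window and 3-host threshold are assumptions chosen to match the patterns in this message, and the sample lines are copied from its log excerpts.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Fields of an ipchains "Packet log:" line up to the destination port.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: \w+ \w+ \S+ "
    r"PROTO=\d+ (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse(text):
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # wrapped continuation lines and other kernel messages are skipped
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
            out.append(rec)
    return out

def classify(records, window=30, min_hosts=3):
    groups = defaultdict(list)  # keyed by (source address, destination port)
    for r in records:
        groups[(r["src"], r["dport"])].append(r)
    labels = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        hosts = {r["dst"] for r in recs}
        flows = {(r["sport"], r["dst"]) for r in recs}
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        if ipaddress.ip_address(key[0]).is_private:
            labels[key] = "bogon"       # RFC1918 source on the outside
        elif len(hosts) >= min_hosts and span <= window:
            labels[key] = "sweep"       # one port, many hosts, seconds apart
        elif len(flows) < len(recs):
            labels[key] = "retransmit"  # same src port to same host again
        else:
            labels[key] = "noise"
    return labels

# Sample taken from the log excerpts above, one entry per line.
SAMPLE_LOG = """\
Nov 28 18:19:43 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2017 216.136.89.98:27374 L=48 S=0x00 I=41493 F=0x4000 T=111 SYN (#25)
Nov 28 18:19:43 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2018 216.136.89.99:27374 L=48 S=0x00 I=42517 F=0x4000 T=111 SYN (#25)
Nov 28 18:19:44 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.1.84.76:2019 216.136.89.100:27374 L=48 S=0x00 I=43285 F=0x4000 T=111 SYN (#25)
Dec  2 10:09:00 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1412 216.136.89.107:80 L=48 S=0x00 I=24134 F=0x4000 T=116 SYN (#25)
Dec  2 10:09:03 firewall kernel: Packet log: forward DENY eth2 PROTO=6 216.136.86.206:1412 216.136.89.107:80 L=48 S=0x00 I=25139 F=0x4000 T=116 SYN (#25)
Dec  2 13:06:28 firewall kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.5:137 216.136.89.125:137 L=78 S=0x00 I=24279 F=0x0000 T=109 (#10)
"""
```

Running `classify(parse(SAMPLE_LOG))` labels the 27374 group a sweep, the port-80 pair a retransmit, and the 10.0.0.5 entry a bogon; a full day's log can be fed through the same two calls.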