Today at 1:22am, Wei-shi Tsai expounded:

++ I've been getting this in my logs.  My logs have grown to monstrous
++ sizes because of this:
++
++ Oct 17 22:28:17 belldandy portsentry[116]: attackalert: UDP scan from
++ host: resnet-47-9.dorm.utexas.edu/129.116.47.9 to UDP port: 631
++ Oct 17 22:28:17 belldandy portsentry[116]: attackalert: Host:
++ resnet-47-9.dorm.utexas.edu/129.116.47.9 is already blocked Ignoring
++ Oct 17 22:28:48 belldandy portsentry[116]: attackalert: UDP scan from
++ host: resnet-47-9.dorm.utexas.edu/129.116.47.9 to UDP port: 631
++ Oct 17 22:28:48 belldandy portsentry[116]: attackalert: Host:
++ resnet-47-9.dorm.utexas.edu/129.116.47.9 is already blocked Ignoring
++ Oct 17 22:29:19 belldandy portsentry[116]: attackalert: UDP scan from
++ host: resnet-47-9.dorm.utexas.edu/129.116.47.9 to UDP port: 631
++ Oct 17 22:29:19 belldandy portsentry[116]: attackalert: Host:
++ resnet-47-9.dorm.utexas.edu/129.116.47.9 is already blocked Ignoring
++
++ The last time I saw this, it was caused by a box running a recent
++ version of Mandrake.  However, for the life of me, I couldn't find
++ whatever process was causing it!  Could someone tell me what is going on?

I wouldn't worry about it. The host resnet-47-9 is scanning that UDP port.
That's all. You can always report this to RESNET admins if it really
bothers you. (You can also configure portsentry to block hosts through the
routing table or ipchains/iptables/etc., but you *are* setting yourself up
for an easy DOS attack.) It's *really* dumb to portscan from .utexas.edu,
although I know that some subscribers to this list do. (UT has enormous
LARTs.)

-- 
Using TSO is like kicking a dead whale down the beach.
                -- S. C. Johnson
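
Added example (not part of the original message, and not portsentry's own code): a Python sketch that collapses repeated attackalert lines like the ones quoted above into one record per source IP, protocol and port, with the alert count and the gaps between alerts, so a steady repeat from one host can be read off without paging through the raw log. The regex covers only the line format shown in the quoted log; the `summarize` name and the `year` default are assumptions, since syslog timestamps carry no year.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the alerts quoted in the message, with the mail's line wrapping undone.
SAMPLE_LOG = """\
Oct 17 22:28:17 belldandy portsentry[116]: attackalert: UDP scan from host: resnet-47-9.dorm.utexas.edu/129.116.47.9 to UDP port: 631
Oct 17 22:28:17 belldandy portsentry[116]: attackalert: Host: resnet-47-9.dorm.utexas.edu/129.116.47.9 is already blocked Ignoring
Oct 17 22:28:48 belldandy portsentry[116]: attackalert: UDP scan from host: resnet-47-9.dorm.utexas.edu/129.116.47.9 to UDP port: 631
Oct 17 22:28:48 belldandy portsentry[116]: attackalert: Host: resnet-47-9.dorm.utexas.edu/129.116.47.9 is already blocked Ignoring
Oct 17 22:29:19 belldandy portsentry[116]: attackalert: UDP scan from host: resnet-47-9.dorm.utexas.edu/129.116.47.9 to UDP port: 631
Oct 17 22:29:19 belldandy portsentry[116]: attackalert: Host: resnet-47-9.dorm.utexas.edu/129.116.47.9 is already blocked Ignoring
"""

# Matches only the "... from host: NAME/IP to TCP|UDP port: N" alert format shown above.
ALERT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ portsentry\[\d+\]: attackalert: "
    r".+? from host: [^/\s]+/(?P<ip>\S+) to (?P<proto>TCP|UDP) port: (?P<port>\d+)$"
)

def summarize(log_text, year=2000):
    """Collapse repeated alerts into one record per (ip, proto, port); year is assumed."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = ALERT.match(line.strip())
        if not m:
            continue  # e.g. the "is already blocked Ignoring" follow-up lines
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        seen[(m["ip"], m["proto"], int(m["port"]))].append(when)
    out = {}
    for key, times in seen.items():
        times.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        out[key] = {"count": len(times), "first": times[0], "last": times[-1], "gaps_s": gaps}
    return out

if __name__ == "__main__":
    for (ip, proto, port), s in summarize(SAMPLE_LOG).items():
        print(f"{ip} {proto}/{port}: {s['count']} alerts, gaps {s['gaps_s']} s")
```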

