Several times in the last weeks I have had to explain carefully
how the UDP traffic with rising destination port numbers was valid,
requested traffic and not a 'DoS portscan' in reply to incoming abuse
complaints.

The logfiles in the complaints look like:

> DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4065 PR udp len 20 76
> DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4066 PR udp len 20 76
> DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4067 PR udp len 20 76
> DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4067 PR udp len 20 76
> DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4068 PR udp len 20 76
> DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4069 PR udp len 20 76
> DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4070 PR udp len 20 76
> DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4071 PR udp len 20 76
> DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4072 PR udp len 20 76
> DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4073 PR udp len 20 76
> DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4074 PR udp len 20 76
> DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4074 PR udp len 20 76

Yes, that is an RFC 1918 address behind a NAT device, so the NAT device
is aware of a previous incoming mapping.

It is logged as 'portscan' and therefore people go on red alert.

Other pool members have probably had to explain the same ... or are
working on getting their connection back to work, wondering what happened.

Does anybody have any idea which device does this? From searching on the
term 'DoS portscan' my best guess is a Vigor router.

                                              Koos van den Hout

-- 
Koos van den Hout          PGP keyid 0x27513781           The Virtual Bookcase
Mail  [EMAIL PROTECTED]        Use PGP when possible             Book reviews,
Phone +31-30-2534104                                                 book news
Fax   +31-30-2513791                           http://www.virtualbookcase.com/


_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
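
A triage check for alert lines like the ones quoted in the message, as an added example that is not part of the original post: it marks a flow as NTP server replies when every packet is UDP from source port 123 with an NTP-sized payload, which is what answers from a time server to a client behind NAT look like. The field layout (the trailing number of the destination is the port, the two numbers after `len` are IP header length and IP total length) and the TCP contrast line are assumptions.

```python
import re
from collections import defaultdict

# Assumed layout of the complaint lines (not documented on the page):
# src,sport -> dst,<prefix>-dport PR proto len <IP header len> <IP total len>
LINE_RE = re.compile(
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?:\S*-)?(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<total>\d+)"
)
UDP_HEADER = 8
# 48-byte NTP header, optionally followed by a 20-byte symmetric-key MAC.
NTP_PAYLOAD_SIZES = {48, 68}

def parse(line):
    """Return (src, sport, dst, dport, proto, payload_len) or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    # Only meaningful for UDP; other protocols fail the proto check below.
    payload = int(f["total"]) - int(f["hlen"]) - UDP_HEADER
    return f["src"], int(f["sport"]), f["dst"], int(f["dport"]), f["proto"], payload

def triage(lines):
    """Return {(src, dst): verdict} for each flow in the alert lines."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            flows[(rec[0], rec[2])].append(rec)
    verdicts = {}
    for key, recs in flows.items():
        looks_like_ntp = all(
            proto == "udp" and sport == 123 and payload in NTP_PAYLOAD_SIZES
            for _, sport, _, _, proto, payload in recs
        )
        verdicts[key] = "ntp-server-replies" if looks_like_ntp else "needs-review"
    return verdicts

# Constructed sample: three lines in the page's format plus one made-up
# TCP probe from a documentation address (203.0.113.7) for contrast.
SAMPLE = [
    "DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4065 PR udp len 20 76",
    "DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4066 PR udp len 20 76",
    "DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4067 PR udp len 20 76",
    "DoS portscan 203.0.113.7,40112 -> 192.168.1.104,-224-23 PR tcp len 20 40",
]

if __name__ == "__main__":
    for flow, verdict in triage(SAMPLE).items():
        print(flow, verdict)
```

A match only shows that the packets are shaped like NTP replies; confirming that the client actually queried the server needs the outbound records of the client or its NAT device.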