I had similar issues
(http://fortytwo.ch/mailman/pipermail/timekeepers/2005/001633.html). It
was caused by SonicWall firewalls in every case I was able to get the admin
to respond.
Thanks,
Will
________________________________________
From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Koos van den Hout [EMAIL PROTECTED]
Sent: Monday, November 24, 2008 6:02 AM
To: [email protected]
Subject: [time] It's not an ntp pool server, it is a 'DoS portscan' attack

Several times in the last weeks I have had to explain carefully
how the UDP traffic with rising destination port numbers was valid,
requested traffic and not a 'DoS portscan' in reply to incoming abuse
complaints.

The logfiles in the complaints look like:

> DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4065 PR udp len 20 76
> DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4066 PR udp len 20 76
> DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4067 PR udp len 20 76
> DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4067 PR udp len 20 76
> DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4068 PR udp len 20 76
> DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4069 PR udp len 20 76
> DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4070 PR udp len 20 76
> DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4071 PR udp len 20 76
> DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4072 PR udp len 20 76
> DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4073 PR udp len 20 76
> DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4074 PR udp len 20 76
> DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4074 PR udp len 20 76

Yes, that is an RFC 1918 address behind a NAT device, so the NAT device
is aware of a previous incoming mapping.

It is logged as 'portscan' and therefore people go on red alert.

Other pool members have probably had to explain the same .. or are
working on getting their connection back to work wondering what happened.

Does anybody have any idea which device does this? From searching on the
term 'DoS portscan' my best guess is a Vigor router.

                                              Koos van den Hout

--
Koos van den Hout          PGP keyid 0x27513781           The Virtual Bookcase
Mail  [EMAIL PROTECTED]        Use PGP when possible             Book reviews,
Phone +31-30-2534104                                                 book news
Fax   +31-30-2513791                           http://www.virtualbookcase.com/
_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
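
Triage logic for the complaint log format quoted above, as an added example that is not part of the original e-mails: it groups the 'DoS portscan' entries per source and destination and checks whether every packet is UDP from source port 123 with a 48-byte payload (a plain NTP packet) sent to slowly rising destination ports. The reading of "len 20 76" as IP header length and total length, and taking the last number of the port field as the destination port, are assumptions.

```python
import re
from collections import defaultdict

# Lines copied from the complaint log quoted in the message above.
SAMPLE = """\
> DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4065 PR udp len 20 76
> DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4066 PR udp len 20 76
> DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4067 PR udp len 20 76
> DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4067 PR udp len 20 76
> DoS portscan 131.211.84.189,123 -> 192.168.1.104,-224-4068 PR udp len 20 76
"""

# Assumptions: "len 20 76" is IP header length then total packet length, and
# the destination port is the last number in the oddly printed port field.
LINE = re.compile(
    r"DoS portscan (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),"
    r"\S*?(?P<dport>\d+) PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<total>\d+)")

NTP_PORT = 123
UDP_HEADER = 8
NTP_PAYLOAD = 48  # NTP packet without extension fields or authenticator


def is_ntp_sized_reply(m):
    """True if the entry is UDP from port 123 carrying exactly 48 bytes."""
    payload = int(m["total"]) - int(m["hlen"]) - UDP_HEADER
    return (m["proto"] == "udp" and int(m["sport"]) == NTP_PORT
            and payload == NTP_PAYLOAD)


def triage(log_text):
    """Return a verdict per (source, destination) pair found in the log."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m:
            flows[(m["src"], m["dst"])].append(m)
    verdicts = {}
    for key, hits in flows.items():
        ports = [int(m["dport"]) for m in hits]
        # Replies to successive client queries: port repeats or steps by one.
        rising = all(0 <= b - a <= 1 for a, b in zip(ports, ports[1:]))
        if not all(is_ntp_sized_reply(m) for m in hits):
            verdicts[key] = "not explained by NTP; investigate"
        elif rising:
            verdicts[key] = "likely NTP replies to client queries"
        else:
            verdicts[key] = "NTP-sized replies from port 123; check port pattern"
    return verdicts
```

A "likely NTP replies" verdict still deserves a check that a host behind the NAT device is configured to query that server.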
