[Snort-users] portscans from 255.255.255.255?

Gary Flynn flynngn at ...6811...
Thu Jan 30 13:21:02 EST 2003


twig les wrote:
> Hey all, I have seriously debated whether I should
> send this since it may or may not be off-topic; it's
> just too bizarre to tell.  My border routers are
> syslogging this:
> 
> bdr-acl-in denied tcp 255.255.255.255(80) ->
> 1.1.156.194(8118)

They started here regularly on Jan 29 around 1500 EST.
Someone in Poland recently posted to the Incidents list
that they saw it start up on the same day.

They're coming in every few seconds. Different hosts and high
ports. Varying TTL and ACL numbers.

I haven't found anything here going out that would cause
it.


01/30-14:57:54.393807 255.255.255.255:80 -> InternalAddress:18128
TCP TTL:236 TOS:0x0 ID:24721 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x67E40001  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


01/30-14:57:54.576724 255.255.255.255:80 -> InternalAddress:29922
TCP TTL:238 TOS:0x0 ID:21195 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x4DAB0001  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/30-14:58:13.453737 255.255.255.255:80 -> InternalAddress:8685
TCP TTL:47 TOS:0x0 ID:27062 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x501A0015  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

01/30-14:58:19.938537 255.255.255.255:80 -> InternalAddress:28599
TCP TTL:239 TOS:0x0 ID:13989 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x51510001  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
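
A way to triage dumps like the ones in this message, as an added example that is not part of the original post: it parses Snort packet dumps in this layout, selects packets with source 255.255.255.255, RST and ACK set and sequence number 0, and tallies destination ports and TTLs. The sample input is constructed, the function names are hypothetical, and the hop estimate assumes senders start from a common default TTL (32, 64, 128 or 255).

```python
import re
from collections import Counter

# Constructed sample in the layout of the Snort dumps quoted above;
# destination addresses are documentation-range placeholders.
SAMPLE = """\
01/30-14:57:54.393807 255.255.255.255:80 -> 192.0.2.10:18128
TCP TTL:236 TOS:0x0 ID:24721 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x67E40001  Win: 0x0  TcpLen: 20

01/30-14:58:13.453737 255.255.255.255:80 -> 192.0.2.11:8685
TCP TTL:47 TOS:0x0 ID:27062 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x501A0015  Win: 0x0  TcpLen: 20

01/30-14:59:01.000001 198.51.100.7:443 -> 192.0.2.10:51000
TCP TTL:52 TOS:0x0 ID:4242 IpLen:20 DgmLen:40
***A**** Seq: 0x1A2B3C4D  Ack: 0x5E6F7081  Win: 0x2000  TcpLen: 20
"""

# One record = address line, IP header line, TCP flags line (flag slots: 12UAPRSF).
RECORD = re.compile(
    r"^\S+ (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[^\s:]+):(?P<dport>\d+)[ \t]*\n"
    r"TCP TTL:(?P<ttl>\d+) .*\n"
    r"(?P<flags>[*12UAPRSF]{8}) Seq: (?P<seq>0x[0-9A-Fa-f]+)",
    re.MULTILINE,
)

def parse(text):
    """Yield one dict per TCP packet dump found in text."""
    for m in RECORD.finditer(text):
        pkt = m.groupdict()
        pkt.update(ttl=int(pkt["ttl"]), dport=int(pkt["dport"]), seq=int(pkt["seq"], 16))
        yield pkt

def is_suspect(pkt):
    """Broadcast source address, RST and ACK set, sequence number zero."""
    return (pkt["src"] == "255.255.255.255" and pkt["seq"] == 0
            and {"A", "R"} <= set(pkt["flags"]))

def hops(ttl):
    """Heuristic (assumption): sender started from the nearest common default TTL."""
    return next(d for d in (32, 64, 128, 255) if ttl <= d) - ttl

def summarise(text):
    """Count matching packets and tally their destination ports and (TTL, hops) pairs."""
    hits = [p for p in parse(text) if is_suspect(p)]
    return {"count": len(hits),
            "dports": sorted(p["dport"] for p in hits),
            "ttl_hops": Counter((p["ttl"], hops(p["ttl"])) for p in hits)}

if __name__ == "__main__":
    print(summarise(SAMPLE))
```
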
