Date: Tue, 03 Nov 1998 11:23:34 +0300
From: Alla Bezroutchko <alla@sovlink.ru>
To: security@FreeBSD.ORG
Subject: Is it an attack? Strange things logged by ipfw.
Message-ID: <363EBD86.74C9F6E2@sovlink.ru>
I have an ipfw-based firewall and noticed peculiar connections in its logs. Maybe this is some new kind of attack? Any comments appreciated. Here are the logs:

Nov 3 00:44:53 buddy /kernel: ipfw: 65534 Deny TCP a.b.c.d:50818 aaa.aaa.aaa.aaa:1333 in via ex0
Nov 3 01:12:51 buddy /kernel: ipfw: 65534 Deny TCP e.f.g.h:50818 aaa.aaa.aaa.aaa:1565 in via ex0
Nov 2 11:15:37 buddy /kernel: ipfw: 65534 Deny TCP i.j.k.l:50818 aaa.aaa.aaa.aaa:1725 in via ex0
Oct 20 04:20:03 buddy /kernel: ipfw: 65534 Deny TCP m.n.o.p:50818 aaa.aaa.aaa.aaa:2349 in via ex0
Oct 20 09:22:35 buddy /kernel: ipfw: 65534 Deny TCP q.r.s.t:50818 aaa.aaa.aaa.aaa:1493 in via ex0
Oct 19 04:35:01 buddy /kernel: ipfw: 65534 Deny TCP u.v.w.x:50818 aaa.aaa.aaa.aaa:2465 in via ex0

aaa.aaa.aaa.aaa is an IP address from my subnet that wasn't assigned to any host at the time these logs span. We have DHCP, so there may have been a machine that had this IP once, but now it is free.

a.b.c.d - u.v.w.x are various hosts from all over the net, all different. Some university machines, some belong to businesses.

Routing is blocked on the firewall, so these packets are probably not replies to anything (especially because there is no such host - aaa.aaa.aaa.aaa). I have no address translation.

What puzzles me is why they all use the same source port. Searched Yahoo for it, didn't find anything.

Thanks,
Alla.
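One way to pick this pattern out of ipfw logs mechanically, as an added example that is not code from the post or from FreeBSD: it parses lines in the format shown above and reports clusters where several distinct source hosts share one source port toward one destination address. The log lines and addresses in it are constructed placeholders, and the threshold of three sources is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the ipfw lines quoted in the post
# (addresses are placeholders; the last line is ordinary noise for contrast).
SAMPLE_LOG = """\
Nov  3 00:44:53 buddy /kernel: ipfw: 65534 Deny TCP 10.1.1.1:50818 192.0.2.77:1333 in via ex0
Nov  3 01:12:51 buddy /kernel: ipfw: 65534 Deny TCP 10.2.2.2:50818 192.0.2.77:1565 in via ex0
Nov  2 11:15:37 buddy /kernel: ipfw: 65534 Deny TCP 10.3.3.3:50818 192.0.2.77:1725 in via ex0
Oct 20 04:20:03 buddy /kernel: ipfw: 65534 Deny TCP 10.4.4.4:22 192.0.2.10:40000 in via ex0
"""

# Matches the fixed part of an ipfw log line: rule, action, proto, endpoints, direction, interface.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)

def parse_ipfw(text):
    """Yield one dict per ipfw log line; lines in another format are skipped."""
    for line in text.splitlines():
        m = IPFW_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            yield rec

def shared_source_port_clusters(records, min_sources=3):
    """Group denied inbound TCP by (source port, destination) and keep the groups
    where at least min_sources distinct hosts used the same source port.
    Legitimate replies come from a service port and a peer we talked to; many
    unrelated hosts sharing one high source port toward an unused address is the
    pattern the post asks about, so it is worth surfacing for a closer look."""
    clusters = defaultdict(set)
    for r in records:
        if r["action"] == "Deny" and r["dir"] == "in" and r["proto"] == "TCP":
            clusters[(r["sport"], r["dst"])].add(r["src"])
    return {k: sorted(v) for k, v in clusters.items() if len(v) >= min_sources}

if __name__ == "__main__":
    for (sport, dst), srcs in shared_source_port_clusters(parse_ipfw(SAMPLE_LOG)).items():
        print(f"source port {sport} -> {dst}: {len(srcs)} distinct sources {srcs}")
```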