Massive scanning?

Łukasz Hejnak szift at szift.org
Wed Feb 1 01:15:08 PST 2006


Hi

First off, sorry for my English, I'm trying my best :]

Did anyone get a massive number of unknown connections lately?
I mean I run this system of mine that does hourly stats on everything on 
the server (hlips.org), and yesterday it counted around 4 to 6 thousand 
connection tries per hour (originating from 150 to 400 hosts). My normal 
stat is around 1k or 2k, so that was weird. And then around midnight the 
count suddenly got to 11k from around 1k different hosts!
Most of the connections were either UDP to 1024 or ICMP type 3 scans, 
also high ports (56596 was kind of popular).
I don't know what to think about it, since after that last 'wave' the 
count got down to 0-5 conns per hour and it's still that way.

I rebooted the machine as I suspected some configuration modifications 
(though AIDE didn't notice any config files changed), but nothing changed.

From one day to the next I got down from ~1k connections per hour to ~3.
I just don't understand it and hope someone can tell me what's going on.

I have tarpitting enabled and I use ipt_recent (IPs caught are not 
logged until their penalty time is up), and there are around 70 IPs on the 
list as I write, but that's just kind of normal here.

-- 
Best Regards
Lukasz 'Szift' Hejnak

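Added example, not part of the original post or of any tool the poster runs: a small Python script of the kind the "hourly stats" system described above might be built on. It parses iptables LOG lines from syslog (the `iptables: ` log prefix, the host name `hlips`, and the addresses in the constructed sample are assumptions), buckets the attempts per hour, counts distinct source hosts, and breaks the traffic down by protocol, destination port and ICMP type, which is exactly the breakdown the post reports (UDP to 1024, ICMP type 3, port 56596). It then flags hours whose attempt count exceeds a multiple of a baseline the operator supplies, such as the ~1k-2k per hour the poster calls normal.

```python
"""Hourly connection-attempt statistics from iptables LOG lines (added example)."""
import re
from collections import Counter

# Syslog timestamp at the start of each line: "Feb  1 23:00:03"
_TS_RE = re.compile(r"^(\w{3}\s+\d{1,2}) (\d{2}):\d{2}:\d{2}")
# key=value fields the kernel's iptables LOG target prints; we only need these.
_FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT|TYPE|CODE)=(\S*)")

# Constructed sample: two quiet attempts in the 22:00 hour, then a burst at 23:00
# with repeated UDP/1024, ICMP type 3 and TCP/56596 from several sources.
# Host name, prefix and addresses are made up for the example.
SAMPLE_LOG = """\
Feb  1 22:05:11 hlips kernel: iptables: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40001 DPT=22 SYN
Feb  1 22:17:42 hlips kernel: iptables: IN=eth0 OUT= SRC=10.0.0.6 DST=192.0.2.10 LEN=48 PROTO=UDP SPT=1024 DPT=1024
Feb  1 23:00:03 hlips kernel: iptables: IN=eth0 OUT= SRC=198.51.100.1 DST=192.0.2.10 LEN=48 PROTO=UDP SPT=1024 DPT=1024
Feb  1 23:00:04 hlips kernel: iptables: IN=eth0 OUT= SRC=198.51.100.2 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=3 CODE=3
Feb  1 23:00:05 hlips kernel: iptables: IN=eth0 OUT= SRC=198.51.100.3 DST=192.0.2.10 LEN=48 PROTO=UDP SPT=1024 DPT=1024
Feb  1 23:00:06 hlips kernel: iptables: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=1234 DPT=56596 SYN
Feb  1 23:00:07 hlips kernel: iptables: IN=eth0 OUT= SRC=198.51.100.1 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=3 CODE=1
Feb  1 23:00:08 hlips kernel: iptables: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 LEN=48 PROTO=UDP SPT=1024 DPT=1024
Feb  1 23:00:09 hlips kernel: iptables: IN=eth0 OUT= SRC=198.51.100.6 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=4321 DPT=56596 SYN
Feb  1 23:00:10 hlips kernel: some unrelated kernel message
"""


def parse_line(line):
    """Return the fields we care about from one iptables LOG line, or None."""
    m = _TS_RE.match(line)
    if not m or " IN=" not in line:  # not a LOG line (no IN= field)
        return None
    fields = dict(_FIELD_RE.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return {
        "hour": "%s %s:00" % (m.group(1), m.group(2)),  # e.g. "Feb  1 23:00"
        "src": fields["SRC"],
        "proto": fields["PROTO"],
        "dpt": int(fields["DPT"]) if fields.get("DPT", "").isdigit() else None,
        "icmp_type": fields.get("TYPE"),
    }


def hourly_stats(lines):
    """Aggregate attempts per hour: total, distinct sources, proto/port/ICMP-type counters."""
    stats = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        h = stats.setdefault(rec["hour"], {
            "total": 0, "sources": set(),
            "proto": Counter(), "dpt": Counter(), "icmp_type": Counter(),
        })
        h["total"] += 1
        h["sources"].add(rec["src"])
        h["proto"][rec["proto"]] += 1
        if rec["proto"] == "ICMP":
            h["icmp_type"][rec["icmp_type"]] += 1
        elif rec["dpt"] is not None:
            h["dpt"][(rec["proto"], rec["dpt"])] += 1
    return stats


def anomalous_hours(stats, baseline, factor=3):
    """Hours whose attempt count exceeds factor * baseline (baseline = your normal hourly count)."""
    return sorted(hour for hour, s in stats.items() if s["total"] > factor * baseline)


def summarize(stats, top=3):
    """Human-readable one-liner per hour, most common ports and ICMP types first."""
    out = []
    for hour in sorted(stats):
        s = stats[hour]
        ports = ", ".join("%s/%d x%d" % (p, d, n) for (p, d), n in s["dpt"].most_common(top))
        icmp = ", ".join("type %s x%d" % (t, n) for t, n in s["icmp_type"].most_common(top))
        out.append("%s: %d attempts from %d hosts; ports: %s; icmp: %s"
                   % (hour, s["total"], len(s["sources"]), ports or "-", icmp or "-"))
    return out


if __name__ == "__main__":
    st = hourly_stats(SAMPLE_LOG.splitlines())
    for row in summarize(st):
        print(row)
    # Baseline of 2 attempts/hour for the sample; use your own normal figure in practice.
    print("anomalous:", anomalous_hours(st, baseline=2))
```

In practice you would feed it `/var/log/kern.log` (or wherever your syslog sends kernel messages) and set `baseline` to your own normal hourly count. Note that with ipt_recent dropping repeat offenders silently during their penalty time, as the post describes, the logged counts understate the real number of attempts from hosts already on the list.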


More information about the lfs-security mailing list