szift at szift.org
Wed Feb 1 01:15:08 PST 2006
First off, sorry for my English, I'm trying my best :]
Did anyone get a massive number of unknown connections lately?
I mean I run this system of mine that does hourly stats on everything on
the server (hlips.org) and yesterday it counted around 4 to 6 thousand
connection tries per hour (originating from 150 to 400 hosts). My normal
stat is around 1k or 2k so that was weird. And then around midnight the
count suddenly got to 11k from around 1k different hosts!
Most of the connections were either UDP to 1024 or ICMP type 3 scans,
also high ports (56596 was kind of popular).
I don't know what to think about it, since after that last 'wave' the
count got down to 0-5 conns per hour and it's still that way.
I rebooted the machine as I suspected some configuration modifications
(though aide didn't notice any config files changed) but nothing changed.
From one day to the next, from ~1k connections per hour I got down to ~3.
I just don't understand it and hope anyone can tell me what's going on.
I have tarpitting enabled and I use ipt_recent (IPs caught are not
logged until their penalty time is up) and there are around 70 IPs on the
list as I write, but that's just kind of normal here.
Lukasz 'Szift' Hejnak