[NCLUG] poking port 109

Frank Whiteley techzone at greeleynet.com
Sun Dec 2 12:02:39 MST 2001


> hey folks,
>
>  starting yesterday morning, i've received a packet about every twenty
> minutes checking out port 109 on incrementing ip's. ie, the first packet
> hit .1 and about twenty minutes later one came in for .2 and then twenty
> minutes later, .3 and so on. they're all coming from the same ip address.
>
>  it's up around .83 right now.
>
>  i block these at my border router, so i really don't care, but this one
> has intrigued me. i've never really watched one this slow and deliberate
> before. usually, a couple packets for a couple different ip's come in all
> at the same time and then i never hear from that scanner again. have i
> just not been paying attention enough before, and this is common?
>
>  what would y'all do if you saw this on your own network?
>
>  there's so much scanning going on these days that i don't even complain
> to upstreams anymore. do y'all? usually, i just deny the packets at the
> router and not even log them.
>
When I was doing a paper for a networking class, I found an interesting site
in Israel that was run by a geek in Moscow.  Although it was ostensibly
about network security, it read more like a cracking cookbook.  He had a
reference that said those who are being 'really serious' might send only
one packet every two weeks to avoid detection thresholds.  Sounds like
someone's trying harder than the usual cracker.

Frank Whiteley
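
The thread describes a sweep paced at one packet per twenty minutes, slow enough to stay under rate-based detection thresholds. As an added example that is not part of the original thread: a detector that counts distinct destinations per source and port over a long window, run beside a short-window threshold on the same data. The log format, the addresses (documentation ranges) and the function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def make_sample_log():
    """Constructed deny-log lines: one probe to tcp/109 every 20 minutes, next IP each time."""
    start = datetime(2001, 12, 1, 8, 0, 0)
    lines = [f"{(start + timedelta(minutes=20 * i)).isoformat()} DENY tcp "
             f"198.51.100.7 -> 192.0.2.{i + 1}:109" for i in range(12)]
    # Unrelated noise: a different source touching one host twice.
    lines.append("2001-12-01T09:05:00 DENY tcp 203.0.113.9 -> 192.0.2.5:25")
    lines.append("2001-12-01T09:06:00 DENY tcp 203.0.113.9 -> 192.0.2.5:25")
    return lines

def parse(line):
    """Split one constructed log line into (timestamp, source, dest host, dest port)."""
    ts, _action, _proto, src, _arrow, dst = line.split()
    host, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, host, int(port)

def find_sweeps(lines, window, min_targets):
    """Return {(src, port): max distinct destinations seen inside any `window`}
    for sources that reach `min_targets` distinct destinations on one port."""
    events = defaultdict(list)
    for ts, src, host, port in sorted(map(parse, lines)):
        events[(src, port)].append((ts, host))
    hits = {}
    for key, evs in events.items():
        best, lo = 0, 0
        for hi in range(len(evs)):
            # Slide the left edge forward until the span fits the window.
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            best = max(best, len({h for _, h in evs[lo:hi + 1]}))
        if best >= min_targets:
            hits[key] = best
    return hits

if __name__ == "__main__":
    log = make_sample_log()
    print("60s window :", find_sweeps(log, timedelta(seconds=60), 5))
    print("24h window :", find_sweeps(log, timedelta(hours=24), 5))
```

The long window only works if the denied packets are logged and retained for at least the window length, and the per-source state grows with the window.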



