Re: increased attacks on port 2599

On Sat, Nov 23, 2002 at 05:41:12PM -0500, Esler, Joel -- Sytex Contractor wrote:
> well I don't have whole captures of the packets.
In case of SYN packets payload isn't important. Those SYN packets were the first step in three-way handshake. Of course, even if it was a part of - for example - SYN scan and a full connection was never meant to be done it still isn't "an attack".

> But something was trying
OK, I understand you're just curious, but IMHO being interested in all SYN packets your server has respond to it's too paranoic approach. Nowadays nets are full of various robots, worms, automated tools and crawlers that are searching for data, informations valuable in bussines, statistics and so on.
Also people are making mistakes leaving their misconfigured applications running all night, maybe it's just some enthusiast of networking that is testing his software, and he typed some random IP, and it was yours IP.
It's important to trace new blackhat trends and new worms (or just bugs used by them), but, to do that you need to react on "incidents" like this by starting servers on ports someone's trying to connect to (then you need to recognize protocol used, and play with it, but it costs. It costs a lot of work and time). Co, IMHO, currently we can say, that what you've observed it wasn't attack. It was to early to confirm about a probe of intrusion.

Bye :)

-- 
[ ] gminick (at) underground.org.pl  
http://gminick.linuxsecurity.pl/ [ ]
[ "Po prostu lubie poranna samotnosc, bo wtedy kawa smakuje najlepiej." ]


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com