UDP scans from AOL NS boxes?

From: Mike Mills <mmills(at)dpwt.com>
Date: Thu Apr 03 2003 - 12:27:07 EST

('binary' encoding is not supported, stored as-is)

The machines listed below have been running UDP scans against our firewall for some time. The scans really picked up on March 18th, but never got more than 20 a day or so. These scans are apparently on random UDP ports, and from randomly selected machines in the list below. If anyone is interested, I have all of the events this year in a spreadsheet.

They are nearly unnoticeable when displayed by date and time, but become apparent when sorted by source IP.

Has anyone else experienced scans like this from these boxes?

I spoke to AOL, and they confirmed my beliefs and said that indeed people were bouncing off their servers looking for trojaned UDP ports.

1. They are aware of it and we aren't the only one's who contacted them about it.
2. They know that they can easily stop the behavior, but they won't pursue the issue unless we have suffered some kind of loss.

152.163.159.225	rtc-ext1.ns.aol.com
152.163.159.226	rtc-ext2.ns.aol.com
152.163.159.227	rtc-ext3.ns.aol.com
152.163.159.228	rtc-ext4.ns.aol.com
152.163.159.229	rtc-ext5.ns.aol.com
152.163.159.230	rtc-ext6.ns.aol.com
205.188.157.225	dtc-ext1.ns.aol.com
205.188.157.226	dtc-ext2.ns.aol.com
205.188.157.227	dtc-ext3.ns.aol.com
205.188.157.228	dtc-ext4.ns.aol.com
205.188.157.230	dtc-ext6.ns.aol.com
64.12.51.129	mtc-ext1.ns.aol.com
64.12.51.130	mtc-ext2.ns.aol.com
64.12.51.141	mtc-ext3.ns.aol.com
64.12.51.142	mtc-ext4.ns.aol.com
64.12.51.143	mtc-ext5.ns.aol.com
64.12.51.144	mtc-ext6.ns.aol.com

----------------------------------------------------------------------------

Powerful Anti-Spam Management and More... SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.securityfocus.com/SurfControl-incidents Received on Thu Apr 3 19:45:50 2003