November 21st, 2001
jblanchard
Odd DOS type of activity

Just an FYI to the folks here. On Monday, Nov 20th we observed a ton of attempts by several hundred nodes outside of our Network to access port 6346. This of course was stopped by our Firewall, but if other ISPs/Networks saw this traffic they may attempt to contact the xolox makers, or worse, block that port. Looking at the syslogs, they read as follows:
Nov 20 10:57:54 pix Nov 20 2001 11:56:55: %PIX-3-106010: Deny inbound tcp src outside:xxx.xxx.219.29/45664 dst inside:xxx.xxx.xxx.xxx/6346
Nov 20 10:57:54 pix Nov 20 2001 11:56:55: %PIX-3-106010: Deny inbound tcp src outside:xx.xxx.95.182/31198 dst inside:xxx.xxx.xxx.xxx/6346

(IPs hidden to protect the innocent)
Now at first I saw this as an attack or flaw with perhaps the Hostslist (maybe?), but after running the program and watching the firewall, the pattern which the hosts use was much different. For example, the outside nodes were using port 2486 (and other low-numbered ones) to port 6346 on my box, but all seemed to use lower ports than the ones seen on Monday (versus 45000). So there might be someone out there spoofing this traffic in an attempt to get that port ACL'd by providers? Don't know, but thought it was worth mentioning. Perhaps some exploit??? I can send the syslogs if interested.


Take Care
Joe
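The comparison described in the post (how many distinct outside hosts were denied on port 6346, and whether their source ports sit in the low or the high range) can be pulled out of the PIX syslog mechanically. The following is an added example, not part of the original post: the `split` threshold, the function names, and every sample line after the two quoted in the post are assumptions constructed for illustration.

```python
import re

# Matches the %PIX-3-106010 deny format quoted in the post. Octets masked
# with "x" (as the poster did) are accepted so redacted logs still parse.
DENY_RE = re.compile(
    r"%PIX-3-106010: Deny inbound (?P<proto>\w+) "
    r"src \w+:(?P<src>[\dx.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dst>[\dx.]+)/(?P<dport>\d+)"
)

def parse_denies(lines):
    """Yield (src, sport, dport) for each 106010 deny line; skip anything else."""
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            yield m["src"], int(m["sport"]), int(m["dport"])

def profile_port(lines, dport, split=10000):
    """Summarise denied traffic aimed at one destination port.

    `split` is an arbitrary cut-off chosen for this example to separate the
    low source ports (e.g. 2486) from the high ones (e.g. 45664) in the post.
    """
    sources, low, high = set(), 0, 0
    for src, sport, dp in parse_denies(lines):
        if dp != dport:
            continue
        sources.add(src)
        if sport < split:
            low += 1
        else:
            high += 1
    total = low + high
    return {
        "events": total,
        "unique_sources": len(sources),
        "high_fraction": high / total if total else 0.0,
    }

# Lines 1-2 are the ones quoted in the post; lines 3-5 are constructed samples.
SAMPLE = [
    "Nov 20 10:57:54 pix Nov 20 2001 11:56:55: %PIX-3-106010: Deny inbound tcp src outside:xxx.xxx.219.29/45664 dst inside:xxx.xxx.xxx.xxx/6346",
    "Nov 20 10:57:54 pix Nov 20 2001 11:56:55: %PIX-3-106010: Deny inbound tcp src outside:xx.xxx.95.182/31198 dst inside:xxx.xxx.xxx.xxx/6346",
    "Nov 21 09:12:03 pix Nov 21 2001 10:11:04: %PIX-3-106010: Deny inbound tcp src outside:192.0.2.10/2486 dst inside:198.51.100.5/6346",
    "Nov 21 09:12:04 pix Nov 21 2001 10:11:05: %PIX-3-106010: Deny inbound tcp src outside:192.0.2.11/51000 dst inside:198.51.100.5/80",
    "Nov 21 09:12:05 host sshd[101]: constructed line that is not a PIX deny",
]

if __name__ == "__main__":
    print(profile_port(SAMPLE, 6346))
```

Running it over one day's log and then over a baseline captured while the client is in normal use gives the two source-port profiles to compare.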