RE: Intrusion Attempts
>From what you are posting, I cannot deduct you were attacked with accuracy.
It might be a peer to peer badly configured (or written) software, maybe
some network performance auditing tool trying to {ping/tcpping/udpping}
random IPs on the net (yeah, some really do that and attempt an icmp reply
to audit their network link.
Can you give us more details about what your logs say? Probably protocol,
{port/icmp type} would be good enough.
Are your logs various : several protocols, etc. Do you haver any other log
than firewall, maybe webserver, mailer, that can give you more information
of what the IP packets you received contain?
Were there any malformed headers? Did they use known protocols/attacks?
Usually, correlating firewall logs and network application logs can be very
useful.
If you would like to get more details about incoming suspicious traffic, I
advise you set up snort or prelude which let you see much more than just IP
headers level.
By the way, if you "only" got portscanned, get used to it. There will be
many others...
Hope this helps,
Vincent
> -----Original Message-----
> From: Trawets53@aol.com [mailto:Trawets53@aol.com]
> Sent: Wednesday 4 December 2002 03:21
> To: debian-security@lists.debian.org
> Subject: Intrusion Attempts
>
>
> Hi. Can you help me. Who do I report the above to. I have 2
> firewalls running
> and tonight I was attacked from the same address 172 times in
> less than an
> hour. These people want banning off the net. It is certainly
> a violation of
> my privacy. A dozen times is an excuse but 172, I ask you.
> Please come back.
>
> Kindest Regards Stewart.
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
>
Reply to: