The 03.07.31 at 21:08, John wrote:
I counted 'one second' of these, and had 65 instances within one second. The *only* thing changing at each instance during the one second was the DPT, which seemed to start at 1024 and go up to 1054, then start at 1024 all over again.
You were being probed, but only a small range of ports. Why they should be repeating the probe, I don't understand; computers do not change opinions easily (a no is a no). If you want to know what those ports are for, look at /etc/services.
So, what I'd like to ask of anyone who knows is... Starting with 'LEN' and going to 'URGP', what do each of those things mean (I think I understand the 'PROTO', heh)?
I think a good place would be Mr. Togan's docs:
|> Table 4. SuSEfirewall2 log explanations
and
|> The details of the header fields can be found in the RFC documents on
|> TCP and IP (rfc793, rfc791).
Also, there is some documentation in /usr/share/doc/packages/SuSEfirewall2/*
Why would only the 'DPT' change, and why only that range?
They probe ports one by one to see which one, if any, responds (i.e., it's open). Why that range, I don't know; perhaps it's used by some sharing software.
Is/was this a DDoS?
Denial of Service Attack? I don't think so, many more packets would be needed - till the bandwidth were all used.
Does this mean that SuSEFirewall2 was doing its job well?
Yes :-)
Thanks if anyone finds these questions worth any answers. The curiosity is killin' me. lol
Curiosity is the mother of invention, or something like that, they say.

--
Cheers,
Carlos Robinson
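Added example, not part of the original thread: a small parser for netfilter-style firewall log lines that splits out the `KEY=value` fields (LEN through URGP) and flags a source that hits many distinct DPT values within one second, which is the pattern described above (65 packets, DPT cycling 1024 to 1054). The sample lines, the log prefix, the addresses and the `min_ports` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the netfilter LOG format that firewall scripts write
# to syslog; addresses are documentation ranges, not values from the thread.
TEMPLATE = ("Jul 31 20:55:01 linux kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= "
            "SRC={src} DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=113 "
            "ID={id} DF PROTO=TCP SPT={spt} DPT={dpt} WINDOW=16384 RES=0x00 "
            "SYN URGP=0")
SAMPLE = [TEMPLATE.format(src="198.51.100.7", id=4000 + i, spt=3000 + i,
                          dpt=1024 + i % 31) for i in range(65)]
SAMPLE.append(TEMPLATE.format(src="203.0.113.5", id=9, spt=4444, dpt=80))

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (.*)$")

def parse(line):
    """Split one log line into (timestamp, fields, flags)."""
    m = LINE.match(line)
    if not m:
        return None
    fields, flags = {}, set()
    for token in m.group(2).split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value   # LEN=48, TTL=113, DPT=1024, URGP=0 ...
        else:
            flags.add(token)      # bare words: DF, SYN ... and the log prefix
    return m.group(1), fields, flags

def find_probes(lines, min_ports=10):
    """Report sources that hit at least min_ports distinct DPTs in one second."""
    seen = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed and "DPT" in parsed[1]:
            stamp, fields, _ = parsed
            seen[(stamp, fields["SRC"])].append(int(fields["DPT"]))
    report = []
    for (stamp, src), ports in sorted(seen.items()):
        distinct = set(ports)
        if len(distinct) >= min_ports:
            report.append({"time": stamp, "src": src, "packets": len(ports),
                           "distinct_ports": len(distinct),
                           "range": (min(distinct), max(distinct)),
                           "repeated": len(ports) > len(distinct)})
    return report

if __name__ == "__main__":
    print(find_probes(SAMPLE))
```

The `repeated` flag is true when the same ports were tried more than once in the window, as in the log being discussed.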