Mailinglist Archive: opensuse (2731 mails)

Re: [SLE] Firewall interpretation request
  • From: "Carlos E. R." <robin1.listas@xxxxxxxxxx>
  • Date: Fri, 1 Aug 2003 22:01:38 +0200 (CEST)
  • Message-id: <Pine.LNX.4.53.0308012141420.3542@xxxxxxxxxxxxxxxx>

The 03.07.31 at 21:08, John wrote:

> I counted 'one second' of these, and had 65 instances within one second.
> The *only* thing changing at each instance during the one second, was the
> DPT, which seemed to start at 1024 and go up to 1054, then start at 1024 all
> over again.

You were being probed, but only a small range of ports. Why they should be
repeating the probe, I don't understand; computers do not change opinions
easily (a no is a no).

If you want to know what those ports are for, look at /etc/services.

> So, what I'd like to ask of anyone who knows is...
> Starting with 'LEN' and going to 'URGP', what do each of those things mean
> (I think I understand the 'PROTO', heh)?

I think a good place would be Mr. Togan's docs:

|> Table 4. SuSEfirewall2 log explanations
and
|> The details of the header fields can be found in the RFC documents on
|> TCP and IP (rfc793, rfc791).

Also, there is some documentation in
/usr/share/doc/packages/SuSEfirewall2/*

> Why would only the 'DPT' change, and why only that range?

They probe ports one by one to see which one, if any, responds (i.e., it's
open). Why that range, I don't know; perhaps it's used by some sharing
software.

> Is/was this a DDoS?

Denial of Service Attack? I don't think so, many more packets would be
needed - till the bandwidth were all used.

> Does this mean that SuSEFirewall2 was doing its job well?

Yes :-)

> Thanks if anyone finds these questions worth any answers. The curiosity is
> killin' me. lol

Curiosity is the mother of invention, or something like that, they say.

--
Cheers,
Carlos Robinson
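
An added example, not part of the original message: a small Python parser for the kernel firewall log lines discussed in this thread, which names each field from LEN to URGP (per RFC 791 and RFC 793) and summarizes which destination ports each source probed. The log line, its `SuSE-FW-DROP-DEFAULT` prefix, the addresses and the two-pass sample are constructed for illustration.

```python
from collections import defaultdict

# Meaning of the fields from LEN to URGP (IP header: RFC 791, TCP header: RFC 793).
FIELDS = {
    "LEN": "total length of the IP packet in bytes",
    "TOS": "IP type-of-service byte",
    "PREC": "precedence bits of the TOS byte",
    "TTL": "time to live (remaining hops)",
    "ID": "IP identification, used for fragment reassembly",
    "PROTO": "protocol carried in the IP packet",
    "SPT": "source port",
    "DPT": "destination port",
    "WINDOW": "TCP receive window size",
    "RES": "reserved TCP header bits",
    "URGP": "TCP urgent pointer",
}
# Constructed log line in the kernel LOG format; prefix and addresses are made up.
TEMPLATE = ("Aug  1 21:08:00 linux kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= "
            "SRC=192.0.2.7 DST=198.51.100.4 LEN=48 TOS=0x00 PREC=0x00 TTL=113 "
            "ID=4021 DF PROTO=TCP SPT=3312 DPT={dpt} WINDOW=16384 RES=0x00 SYN URGP=0")
# Constructed sample: two passes over ports 1024..1054, only DPT changing.
SAMPLE = [TEMPLATE.format(dpt=p) for _ in range(2) for p in range(1024, 1055)]

def parse(line):
    """Split a log line into KEY=VALUE fields plus bare flags (DF, SYN, ...)."""
    body = line.split("kernel: ", 1)[1]
    fields, flags = {}, []
    for tok in body.split()[1:]:          # first token is the log prefix
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val
        else:
            flags.append(tok)
    return fields, flags

def summarize(lines):
    """Per source address: packet count and the range of distinct ports probed."""
    ports = defaultdict(list)
    for line in lines:
        f, _ = parse(line)
        ports[f["SRC"]].append(int(f["DPT"]))
    return {src: {"packets": len(p), "distinct": len(set(p)),
                  "low": min(p), "high": max(p)} for src, p in ports.items()}

if __name__ == "__main__":
    fields, flags = parse(SAMPLE[0])
    for k in FIELDS:
        print(f"{k}={fields[k]:<8} {FIELDS[k]}")
    print("flags:", flags, summarize(SAMPLE))
```

A packet count well above the number of distinct ports from one source, as in the summary here, is the repeated probe of a small range that the thread describes.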

