Excessive dropped connection attempts
Hi,

after updating to 9.0 Prof. and refining my firewall setup, I noticed excessive dropped connection attempts to ascending ports from 4 hosts this Sunday in my logs. Since this troubled me a little, I wrote a Python script in order to analyse such circumstances and take countermeasures (reconnect to tdsl). Here's what it found so far:

42775 dropped connections during Oct 28 04:24:06 and Nov 04 04:05:43

Host 217.255.167.30 : 13058 [30.5%]
    30.167.255.217.in-addr.arpa domain name pointer pD9FFA71E.dip.t-dialin.net.
    TCP: 13058 attempts during Nov 01 19:38:50 and Nov 02 14:53:12 from DPT 64241

Host 217.236.138.232: 5029 [11.8%]
    232.138.236.217.in-addr.arpa domain name pointer pD9EC8AE8.dip0.t-ipconnect.de.
    TCP: 5029 attempts during Nov 01 19:38:50 and Nov 02 04:24:14 from DPT 64241

Host 217.255.173.8 : 2259 [5.3%]
    8.173.255.217.in-addr.arpa domain name pointer pD9FFAD08.dip.t-dialin.net.
    TCP: 2259 attempts during Nov 02 14:53:26 and Nov 02 18:13:17 from DPT 64241

Host 217.236.138.135: 1209 [2.8%]
    135.138.236.217.in-addr.arpa domain name pointer pD9EC8A87.dip0.t-ipconnect.de.
    TCP: 1209 attempts during Nov 02 16:26:29 and Nov 02 18:13:08 from DPT 64241

53.370 lines processed in 1:04 min

Note that the DNS lookups were done this evening. It appears that all attempts originate from a single port, 64241, and that host1 lost its connection around 14:53:12 and restarted its scan at 14:53:26 as host3. I've reconnected DSL around 18:14.

This qualifies as a dumb, brute force, but nevertheless hostile attack, doesn't it? What would you do in such a case? Somebody who tried to sue such an originator may be listening here?

Pete
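The kind of per-host summary the post describes, as an added example and not the poster's own script: it parses netfilter/iptables LOG lines in syslog form (an assumed format; the sample lines, hosts 192.0.2.10 and 192.0.2.77, and the year 2002 are constructed), aggregates drops per source address with share, first/last seen and ports, and flags a single fixed source port walking ascending destination ports as a sequential sweep.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed netfilter/iptables LOG lines in syslog form (assumed format, not the poster's log).
SAMPLE_LOG = """\
Nov  1 19:38:50 gw kernel: DROP IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=64241 DPT=1025
Nov  1 19:38:51 gw kernel: DROP IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=64241 DPT=1026
Nov  1 19:38:52 gw kernel: DROP IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=64241 DPT=1027
Nov  2 14:53:12 gw kernel: DROP IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=64241 DPT=2001
Nov  2 03:10:00 gw kernel: DROP IN=ppp0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=UDP SPT=137 DPT=137
Nov  2 03:10:01 gw kernel: DROP IN=ppp0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=ICMP TYPE=8 CODE=0
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?")

def parse_ts(ts, year):
    # syslog timestamps carry no year, so the caller supplies it (assumed 2002 below)
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def summarise(lines, year=2002, min_hits=3):
    """Per source host: drop count, share of all drops, first/last seen, ports, sweep flag."""
    hosts = defaultdict(lambda: {"count": 0, "first": None, "last": None, "spt": set(), "hits": []})
    total = 0
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a firewall drop line
        total += 1
        h, t = hosts[m["src"]], parse_ts(m["ts"], year)
        h["count"] += 1
        h["first"] = t if h["first"] is None else min(h["first"], t)
        h["last"] = t if h["last"] is None else max(h["last"], t)
        if m["spt"]:  # TCP/UDP only; ICMP lines carry no ports
            h["spt"].add(int(m["spt"]))
            h["hits"].append((t, int(m["dpt"])))
    report = []
    for src, h in sorted(hosts.items(), key=lambda kv: -kv[1]["count"]):
        if h["count"] < min_hits:
            continue  # below the noise threshold
        dpt = [p for _, p in sorted(h["hits"])]  # destination ports in time order
        # one fixed source port walking strictly ascending destination ports: sequential sweep
        sweep = (len(h["spt"]) == 1 and len(dpt) >= min_hits
                 and all(a < b for a, b in zip(dpt, dpt[1:])))
        report.append({"src": src, "count": h["count"], "pct": round(100 * h["count"] / total, 1),
                       "first": h["first"], "last": h["last"], "spt": sorted(h["spt"]),
                       "distinct_dpt": len(set(dpt)), "sweep": sweep})
    return total, report
```

Hosts under the `min_hits` threshold (192.0.2.77 in the sample) are dropped from the report so that stray NetBIOS or ping noise does not crowd out the sweeping host.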
Participants (1): Hans-Peter Jansen