Mailinglist Archive: opensuse-security (220 mails)

Excessive dropped connection attempts
  • From: Hans-Peter Jansen <hpj@xxxxxxxxx>
  • Date: Tue, 4 Nov 2003 23:22:58 +0100
  • Message-id: <200311042322.58338.hpj@xxxxxxxxx>
Hi,

after updating to 9.0 Prof. and refining my firewall setup, I
noticed excessive dropped connection attempts to ascending ports
from 4 hosts this Sunday in my logs.

Since this troubled me a little, I wrote a Python script in order
to analyse such circumstances and take countermeasures (reconnect
to tdsl). Here's what it found so far:

42775 dropped connections during Oct 28 04:24:06 and Nov 04 04:05:43
Host 217.255.167.30 : 13058 [30.5%]
30.167.255.217.in-addr.arpa domain name pointer pD9FFA71E.dip.t-dialin.net.
TCP: 13058 attempts during Nov 01 19:38:50 and Nov 02 14:53:12 from DPT 64241

Host 217.236.138.232: 5029 [11.8%]
232.138.236.217.in-addr.arpa domain name pointer pD9EC8AE8.dip0.t-ipconnect.de.
TCP: 5029 attempts during Nov 01 19:38:50 and Nov 02 04:24:14 from DPT 64241

Host 217.255.173.8 : 2259 [5.3%]
8.173.255.217.in-addr.arpa domain name pointer pD9FFAD08.dip.t-dialin.net.
TCP: 2259 attempts during Nov 02 14:53:26 and Nov 02 18:13:17 from DPT 64241

Host 217.236.138.135: 1209 [2.8%]
135.138.236.217.in-addr.arpa domain name pointer pD9EC8A87.dip0.t-ipconnect.de.
TCP: 1209 attempts during Nov 02 16:26:29 and Nov 02 18:13:08 from DPT 64241

53.370 lines processed in 1:04 min

Note that the DNS lookups were done this evening.

It appears that all attempts originate from a single port: 64241,
and that host1 lost its connection around 14:53:12 and restarted
its scan at 14:53:26 as host3. I reconnected DSL around 18:14.

This qualifies as a dumb, brute-force, but nevertheless hostile
attack, doesn't it?

What would you do in such a case?

Is there somebody listening here who has tried to sue such an originator?

Pete

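The kind of analysis the poster's script performs, as an added example (the original script is not on the page): it parses iptables-style DROP lines, aggregates per source host with first/last seen and percentage share, and flags hosts that sweep many destination ports from one fixed source port. The log line shape is an assumption, and the sample lines use constructed TEST-NET addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in iptables LOG style (assumption: roughly the shape
# of SuSEfirewall2 entries in /var/log/messages). TEST-NET addresses only.
SAMPLE_LOG = """\
Nov  1 19:38:50 gw kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.1 PROTO=TCP SPT=64241 DPT=1024 SYN
Nov  1 19:38:51 gw kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.1 PROTO=TCP SPT=64241 DPT=1025 SYN
Nov  1 19:38:52 gw kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.1 PROTO=TCP SPT=64241 DPT=1026 SYN
Nov  1 19:40:00 gw kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= SRC=192.0.2.20 DST=198.51.100.1 PROTO=UDP SPT=53 DPT=1027
Nov  1 19:41:00 gw kernel: SFW2-INext-ACC-TCP IN=ppp0 OUT= SRC=192.0.2.30 DST=198.51.100.1 PROTO=TCP SPT=4444 DPT=22 SYN
Nov  2 14:53:26 gw kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.1 PROTO=TCP SPT=64241 DPT=1027 SYN
"""

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (\S+) (.*)$")

def parse_drop(line, year=2003):
    """Return (timestamp, {key: value}) for a DROP line, None for anything else."""
    m = SYSLOG_RE.match(line)
    if not m or "DROP" not in m.group(2):
        return None
    # syslog carries no year; collapse the padded day so strptime sees "Nov 1".
    stamp = " ".join(m.group(1).split())
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    fields = dict(tok.split("=", 1) for tok in m.group(3).split() if "=" in tok)
    return ts, fields

def summarize(log_text, year=2003):
    """Per source host: drop count, first/last seen, source and destination ports."""
    hosts = defaultdict(lambda: {"count": 0, "first": None, "last": None, "spt": set(), "dpt": set()})
    total = 0
    for ts, f in filter(None, (parse_drop(l, year) for l in log_text.splitlines())):
        total += 1
        h = hosts[f["SRC"]]
        h["count"] += 1
        h["first"], h["last"] = min(h["first"] or ts, ts), max(h["last"] or ts, ts)
        for key in ("SPT", "DPT"):
            if key in f:
                h[key.lower()].add(int(f[key]))
    return total, dict(hosts)

def shares(hosts, total):
    """Each host's percentage of all drops, as in the summary above."""
    return {h: round(100.0 * d["count"] / total, 1) for h, d in hosts.items()}

def flag_scanners(hosts, min_ports=3):
    """Hosts hitting several destination ports from one fixed source port (a sequential sweep)."""
    return sorted(h for h, d in hosts.items() if len(d["dpt"]) >= min_ports and len(d["spt"]) == 1)
```

Run on a real /var/log/messages the DPT set of a flagged host shows the ascending port pattern directly, and the first/last timestamps give the window for a countermeasure such as the reconnect the poster describes.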
