On Tue, 2004-08-03 at 10:21, Paul Schmehl wrote:
> That's interesting. The address being targeted here was *also* a firewall
> PAT address. I'm starting to wonder if this is some sort of a recon tool
> to get past firewalls. That would explain why they're using port 53
> (normally open) and udp (stateless). If they get any kind of response at
> all, they've identified a live host.

I'm not sure it qualifies as a recon as it only hits the firewall address, no other address. It seems to know the exact address.

It appears to be triggered by something that originates from our networks, but I wasn't able to capture anything. It may be as old as a bounce email a month ago, or access to a web site a month ago. The dump supplied was filtered on that one address over most of the night. As you can see there are no packets going to that address and provoking this traffic as a response. Considering the thing on my end started last week, it seems plausible that the trigger occurred around that time, or even earlier (as there were one or two probes over a month ago).

Also worth noting is that this is on a single address within the main two class C's. This client also has other networks connected to the Internet which carry local traffic, and these do not receive these probes. The vast majority (of this large shop) goes through the redundant class C's. So the trigger appears to be rather rare and not widespread.

Also noteworthy is the fact that this client is pretty clean when it comes to viruses, so I'm ruling that out as a trigger as well. But something had to have happened as it is so targeted.... hopefully through correlation we can shed some light on this.

Later,
Frank
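The correlation Frank describes (checking whether each inbound UDP/53 probe to the PAT address was preceded by anything outbound from our side to that source) can be scripted over a filtered dump. This is an added example, not code from either poster; it assumes a simplified one-packet-per-line text format, a placeholder PAT address and a constructed sample dump.

```python
"""Correlate inbound UDP/53 probes against earlier outbound traffic.

Added example, not part of the original mail thread. It assumes a
simplified one-line-per-packet text dump (constructed below) of the
form: "<epoch> <proto> <src_ip>:<sport> > <dst_ip>:<dport>".
The question from the thread: is each probe to the firewall PAT address
a *response* to something our side sent to that source shortly before?
"""
import re

LINE_RE = re.compile(r"^(\d+) (\w+) (\S+):(\d+) > (\S+):(\d+)$")

PAT_ADDRESS = "192.0.2.10"  # placeholder for the firewall PAT address

# Constructed sample dump: two probes from 203.0.113.7 with no prior
# outbound packet to that host, and one reply that follows an outbound
# DNS query to 198.51.100.5 (a legitimate, solicited response).
SAMPLE_DUMP = """\
1000 udp 203.0.113.7:53 > 192.0.2.10:1025
1600 udp 192.0.2.10:40001 > 198.51.100.5:53
1601 udp 198.51.100.5:53 > 192.0.2.10:40001
2400 udp 203.0.113.7:53 > 192.0.2.10:1025
"""


def parse(dump):
    """Parse dump lines into (ts, proto, src, sport, dst, dport) tuples."""
    pkts = []
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed or non-packet lines
        ts, proto, src, sport, dst, dport = m.groups()
        pkts.append((int(ts), proto, src, int(sport), dst, int(dport)))
    return pkts


def unsolicited_probes(pkts, local_addr, port=53, window=120):
    """Return (ts, src) for inbound UDP packets from source `port` to
    local_addr that no outbound packet to the same host preceded within
    `window` seconds. Those are the candidates for an unknown trigger."""
    last_out = {}  # remote ip -> timestamp of latest outbound packet to it
    unsolicited = []
    for ts, proto, src, sport, dst, dport in sorted(pkts):
        if src == local_addr:
            last_out[dst] = ts
        elif dst == local_addr and proto == "udp" and sport == port:
            prior = last_out.get(src)
            if prior is None or ts - prior > window:
                unsolicited.append((ts, src))
    return unsolicited
```

Running it over a dump captured well before the first probe (as the thread notes, the trigger may predate the capture by weeks) is what separates a genuine response from an unexplained inbound packet.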