[nsp-sec] tcp/23 increase
Borja Marcos
BORJAMAR at SARENET.ES
Fri Jan 15 05:08:55 EST 2010
On 14 Jan 2010, at 10:19, Torbjorn.Wictorin at cert.sunet.se wrote:
> ----------- nsp-security Confidential --------
>
> Hello,
>
> not any extreme amount of 23-flows here. But 213.143.229.25 has visited us several times: 2008-12-19, 2008-12-26, 2009-12-26, 2010-01-13, so maybe he/she is ready with Sunet.

Same here, I saw it scanning some of our dark space.

Jan 12th:

21:24:09.527606 IP 213.143.229.25.38033 > 194.30.37.243.23: S 1676892062:1676892062(0) win 49640 <mss 1460,nop,nop,sackOK>

etc etc.

On Jan 11th I got a couple of hits from 79.111.12.66

19:16:04.057052 IP (tos 0x0, ttl 31, id 17127, offset 0, flags [DF], proto: TCP (6), length: 64) 79.111.12.66.2214 > 212.81.249.41.23: S, cksum 0x1406 (correct), 1951377954:1951377954(0) win 53760 <mss 1360,nop,wscale 3,nop,nop,timestamp 0 0,nop,nop,sackOK>
19:16:07.019439 IP (tos 0x0, ttl 31, id 19292, offset 0, flags [DF], proto: TCP (6), length: 64) 79.111.12.66.2214 > 212.81.249.41.23: S, cksum 0x1406 (correct), 1951377954:1951377954(0) win 53760 <mss 1360,nop,wscale 3,nop,nop,timestamp 0 0,nop,nop,sackOK>

But nothing else, and it was so few packets it got through the Netflow sampling.

Borja.
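
Added example, not part of the original message: a small parser for the two tcpdump layouts quoted above that counts bare SYNs to tcp/23 per source and separates new probes from retransmissions (same source, source port, target and sequence number). The function name and the last sample line are assumptions made for illustration.

```python
import re
from collections import defaultdict

# First three lines are the captures quoted in the message; the last one is
# constructed (documentation addresses) to show that other ports are skipped.
SAMPLE = """\
21:24:09.527606 IP 213.143.229.25.38033 > 194.30.37.243.23: S 1676892062:1676892062(0) win 49640 <mss 1460,nop,nop,sackOK>
19:16:04.057052 IP (tos 0x0, ttl 31, id 17127, offset 0, flags [DF], proto: TCP (6), length: 64) 79.111.12.66.2214 > 212.81.249.41.23: S, cksum 0x1406 (correct), 1951377954:1951377954(0) win 53760 <mss 1360,nop,wscale 3,nop,nop,timestamp 0 0,nop,nop,sackOK>
19:16:07.019439 IP (tos 0x0, ttl 31, id 19292, offset 0, flags [DF], proto: TCP (6), length: 64) 79.111.12.66.2214 > 212.81.249.41.23: S, cksum 0x1406 (correct), 1951377954:1951377954(0) win 53760 <mss 1360,nop,wscale 3,nop,nop,timestamp 0 0,nop,nop,sackOK>
19:16:08.000000 IP 192.0.2.10.40000 > 198.51.100.7.80: S 1000:1000(0) win 1024
"""

# src.sport > dst.dport: S ... seq:seq(0)   (terse and -v layouts both match)
SYN_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): S\b"
    r".*?(\d+):\d+\(0\)"
)

def telnet_syn_summary(lines, port=23):
    """Per source: distinct SYN probes to `port`, retransmits, and targets."""
    seen = set()
    out = defaultdict(lambda: {"probes": 0, "retransmits": 0, "targets": set()})
    for line in lines:
        m = SYN_RE.search(line)
        if not m or " ack " in line:      # skip non-SYN lines and SYN-ACKs
            continue
        src, sport, dst, dport, seq = m.groups()
        if int(dport) != port:
            continue
        entry = out[src]
        entry["targets"].add(dst)
        key = (src, sport, dst, seq)
        if key in seen:                   # same 4-tuple and ISN: a retry
            entry["retransmits"] += 1
        else:
            seen.add(key)
            entry["probes"] += 1
    return dict(out)

if __name__ == "__main__":
    for src, info in telnet_syn_summary(SAMPLE.splitlines()).items():
        print(src, info["probes"], info["retransmits"], sorted(info["targets"]))
```
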