David Mitchell
2003-Mar-09 09:42 UTC
[Shorewall-users] Off-topic: Increased probe activities?
Good day,

Sorry for the off-topic post. I don't know a venue for this sort of discussion and it's certain this group is knowledgeable about the topic. Over the past ten days or so the number of daily blocks at my firewall has increased from 2-3K to 7-10K, and the trend seems to be going up. Has anyone else seen this, and does anyone have any information about what's happening?

Thanks,

David Mitchell
CDC Networks
John Stroud
2003-Mar-09 11:58 UTC
[Shorewall-users] Off-topic: Increased probe activities?
Without knowing what ports/addresses are involved, it would be almost impossible to attribute the increase to any specific cause...

Using a log parsing utility on the Shorewall entries in your syslog, which destination ports and source addresses seem to be the most increased?

John S.
On Sun, 9 Mar 2003, John Stroud wrote:

> Without knowing what ports/addresses are involved, it would be almost
> impossible to attribute the increase to any specific cause...
>
> Using a log parsing utility on the Shorewall entries in your syslog,
> which destination ports and source addresses seem to be the most
> increased?

I've seen the same things happening. Port 445 seems to be a popular target ;

Ad Koster
lidad@zeelandnet.nl
--On Sunday, March 09, 2003 09:42:02 AM -0800 David Mitchell <davidm@cdc.coop> wrote:

> Over the past ten days or so the number of daily blocks at my firewall
> has increased from 2-3K to 7-10K, and the trend seems to be going up. Has
> anyone else seen this, and does anyone have any information about what's
> happening?

No such increase here. This is about normal for me:

HITS  PORT   SERVICE(S)
----  -----  ----------
  12     80  http
  12     57
   9     21  ftp
   4     23  telnet
   3     25  smtp
   1   8080  webcache
   1     53  domain
   1  37852
   1   3128  squid
   1   1080  socks

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
Shoreline,      \ http://www.shorewall.net
Washington USA   \ teastep@shorewall.net
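The tally John asks for and the HITS/PORT summary Tom posts can be produced straight from syslog. The following is an added example, not code from any poster in this thread or from the Shorewall project; it assumes the log prefix has the form "Shorewall:<chain>:<verdict>:", and the host name, addresses and sample entries are constructed.

```python
import re
from collections import Counter

# Fields of a netfilter LOG entry written with Shorewall's log prefix.
ENTRY = re.compile(
    r"^(?P<day>\w{3}\s+\d+) .*Shorewall:(?P<chain>[^:]+):(?P<verdict>[^:]+):"
    r".*?\bSRC=(?P<src>\S+).*?\bPROTO=(?P<proto>\S+)(?:.*?\bDPT=(?P<dpt>\d+))?")

def parse(lines):
    """Return (day, src, dport) for every Shorewall DROP/REJECT entry."""
    out = []
    for line in lines:
        m = ENTRY.search(line)
        if m and m["verdict"] in ("DROP", "REJECT"):
            # ICMP entries have no DPT; they are tallied under port None.
            dport = int(m["dpt"]) if m["dpt"] else None
            out.append((" ".join(m["day"].split()), m["src"], dport))
    return out

def hits(entries, field):
    """Tally blocks by 'src' or 'dport', most frequent first."""
    idx = {"src": 1, "dport": 2}[field]
    return Counter(e[idx] for e in entries).most_common()

def increase(entries, baseline_days, recent_days):
    """Rank ports by growth in blocks from baseline days to recent days."""
    base = Counter(e[2] for e in entries if e[0] in baseline_days)
    recent = Counter(e[2] for e in entries if e[0] in recent_days)
    delta = {p: recent[p] - base[p] for p in set(base) | set(recent)}
    return sorted(delta.items(), key=lambda kv: (-kv[1], str(kv[0])))

# Constructed sample entries using documentation addresses, not real traffic;
# real entries also carry MAC, TOS, ID and other fields, which the regex skips.
T = ("{} 04:12:01 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC={} "
     "DST=192.0.2.1 LEN=48 TTL=110 PROTO=TCP SPT=3021 DPT={} SYN")
SAMPLE = [T.format(*row) for row in [
    ("Mar  1", "198.51.100.7", 80), ("Mar  1", "203.0.113.9", 445),
    ("Mar  9", "203.0.113.9", 445), ("Mar  9", "203.0.113.20", 445),
    ("Mar  9", "203.0.113.21", 445), ("Mar  9", "198.51.100.7", 80)]]
SAMPLE.append("Mar  9 04:13:10 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
              "SRC=203.0.113.9 DST=192.0.2.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0")

if __name__ == "__main__":
    entries = parse(SAMPLE)
    print("HITS   PORT")
    for port, n in hits(entries, "dport"):
        print(f"{n:4}  {port}")
    print("growth Mar 1 -> Mar 9:", increase(entries, {"Mar 1"}, {"Mar 9"}))
```

Comparing a baseline day against a recent day separates a port that is newly popular from one that is always noisy, which a single day's tally cannot show.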
John Stroud
2003-Mar-09 22:46 UTC
[Shorewall-users] Off-topic: Increased probe activities?
One thing I should have mentioned, but didn't due to a brain malfunction, is the site http://www.dshield.org. It's a decent place to find what to expect on your firewall logs.

After looking at it myself, I noticed the number of reported attacks on port 445 did indeed undergo a recent increase, as well. I suppose I could dig further and find out to what that could be attributed, but I'm basically lazy...

John S.
Martinez, Mike (MHS-ACS)
2003-Mar-10 07:12 UTC
[Shorewall-users] Off-topic: Increased probe activities?
From: http://news.ists.dartmouth.edu/todaysnews.html#internal9148

Security firm Kaspersky Labs has reported several infections related to the new 'Randon' network worm from Russia and the Netherlands. Randon affects machines running Windows 2000 and Windows XP; spreads via IRC channels and local area networks; attempts to connect to victim computers via port 445; and installs the 'Apher' Trojan on infected systems. Randon does not have a destructive payload and it is unclear how much of a threat this new worm poses. To protect their systems, users are encouraged to update their anti-virus software, install a personal firewall or use long access passwords.

http://net-security.org/virus_news.php?id=196
http://www.net-security.org/virus_item.php?id=4433

Mike