From owner-freebsd-security Wed May 2 12:30:56 2001
Delivered-To: freebsd-security@freebsd.org
Received: from earth.wnm.net (earth.wnm.net [208.246.240.243]) by hub.freebsd.org (Postfix) with ESMTP id 0662E37B422 for ; Wed, 2 May 2001 12:30:54 -0700 (PDT) (envelope-from alex@wnm.net)
Received: from localhost (alex@localhost) by earth.wnm.net (8.11.0/8.11.0) with ESMTP id f42JYHd24623; Wed, 2 May 2001 14:34:17 -0500 (CDT)
Date: Wed, 2 May 2001 14:34:17 -0500 (CDT)
From: Alex Charalabidis
To:
Cc: ,
Subject: Re: [GorrellCD@phdnswc.navy.mil: ]
In-Reply-To: <20010501222316.B14264@cotdazr.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 1 May 2001, Everett F Batey wrote:

> Dear FreeBSD Security Guru,
>
> I need some guidance. My employer, with which I have had problems over
> the past 5 years, has suggested I (or my IP) am(/is) trying to attack
> his IP space on UDP 111, and sent me the below attached log file.
>
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65422 UDP
> May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65423 UDP

Oddly enough, I got a virtually identical complaint today regarding traffic to a Dutch network we've never had transactions with before, apparently originating from an unassigned IP address that was briefly used by a Linux test machine on our network. I haven't had time to investigate myself, but a colleague mentioned the possibility of something meant to confuse/overload IDS systems as a smokescreen for real attacks.

-ac

--
===================================================================
Alex Charalabidis
Worldspice Technologies
5050 Poplar Ave.
Memphis, TN, USA
+1 901 432 6000
Opinions expressed are mine alone but may be yours for a small fee.
===================================================================
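The records quoted in the complaint above (source port 111 on the accused host, ephemeral destination ports on the complainant's host) are the shape of portmapper replies, not requests. Whether they are real replies to queries the complainant's log does not show, backscatter from a spoofed-source attack, or a scanner forging its source port cannot be decided from two lines, but it can be triaged. The following is an added example that is not part of this thread: a small parser for that log format plus a check that groups packets sent from a service port to several ephemeral ports and looks in the same log for the requests that would have provoked them. The sample log is constructed for the example (the two quoted lines plus invented extra records), and the set of service ports other than 111 is an assumption for illustration.

```python
"""Triage of "service port -> high port" UDP log records (constructed example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Record layout as in the quoted complaint: "Mon D HH:MM:SS src:sport -> dst:dport PROTO"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d{1,5})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d{1,5})\s+(?P<proto>[A-Za-z]+)\s*$"
)

# Service ports whose use as a *source* port suggests a reply (genuine or forged).
# Assumption: only 111 (sunrpc/portmapper) matters for the thread; the rest are illustrative.
SERVICE_PORTS = {111: "sunrpc/portmapper", 53: "dns", 123: "ntp", 161: "snmp"}
EPHEMERAL_MIN = 1024

# Constructed sample: the two quoted records, one more of the same kind, one genuine-looking
# portmapper query in the other direction, one unrelated TCP record, and one junk line.
SAMPLE_LOG = """\
May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65422 UDP
May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65423 UDP
May 1 07:19:52 209.239.229.90:111 -> 137.24.124.222:65424 UDP
May 1 07:20:03 137.24.124.222:1037 -> 209.239.229.90:111 UDP
May 1 07:20:10 10.0.0.5:40001 -> 137.24.124.10:80 TCP
this line is not a portscan record
"""


@dataclass(frozen=True)
class Event:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_line(line: str):
    """Return an Event for one record, or None for a line that does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(f"{m['mon']} {m['day']} {m['time']}", m["src"], int(m["sport"]),
                 m["dst"], int(m["dport"]), m["proto"].upper())


def parse_log(text: str):
    """Parse every record in a log excerpt, silently skipping malformed lines."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def unsolicited_reply_candidates(events, min_targets=2):
    """Group UDP packets sent from a service port to an ephemeral port, keyed by
    (src, sport, dst).  For each group hitting at least `min_targets` distinct destination
    ports, count how many of those ports appear in the same log as the source port of a
    request going the other way (dst:port -> src:sport).  Several targets with zero matching
    requests is a triage signal (spoofed-source backscatter, a scanner forging its source
    port, or a log that simply omits the requests), not an attribution."""
    groups = defaultdict(set)
    requests = set()  # (requester, requester_port, service_host, service_port)
    for ev in events:
        if ev.proto != "UDP":
            continue
        if ev.sport in SERVICE_PORTS and ev.dport >= EPHEMERAL_MIN:
            groups[(ev.src, ev.sport, ev.dst)].add(ev.dport)
        if ev.dport in SERVICE_PORTS and ev.sport >= EPHEMERAL_MIN:
            requests.add((ev.src, ev.sport, ev.dst, ev.dport))
    report = {}
    for (src, sport, dst), dports in groups.items():
        if len(dports) < min_targets:
            continue
        matched = sum(1 for p in dports if (dst, p, src, sport) in requests)
        report[(src, sport, dst)] = {
            "service": SERVICE_PORTS[sport],
            "dports": sorted(dports),
            "matching_requests": matched,
        }
    return report


if __name__ == "__main__":
    for key, info in unsolicited_reply_candidates(parse_log(SAMPLE_LOG)).items():
        src, sport, dst = key
        print(f"{src}:{sport} ({info['service']}) -> {dst} on {len(info['dports'])} "
              f"ephemeral ports, {info['matching_requests']} matching requests seen")
```

On the constructed sample the only flagged group is 209.239.229.90:111 -> 137.24.124.222, with three ephemeral ports and no request in the log that could have provoked those replies; the one genuine query (from port 1037) does not match any of them. In practice the next step is to compare against the accused host's own firewall state or packet capture for the same minute: a real portmapper reply is preceded by a request from the same ephemeral port, and a spoofed-source flood leaves no such trace on the host named in the complaint.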