Port Scan Attack (is it really?)
- From: <g.sartzetakis@xxxxxxxxxxxxx>
- To: <isalist@xxxxxxxxxxxxx>
- Date: Fri, 25 Oct 2002 11:14:13 +0300
Hello all,
my IP Packet filter logs are being filled up with records of the kind ..
2002-10-25 07:05:47 xxx.xxx.xxx.xxx 192.168.52.1 Tcp 139 1921 ACK
BLOCKED ...
2002-10-25 07:05:47 xxx.xxx.xxx.xxx 192.168.110.1 Tcp 139 1922 ACK
BLOCKED ...
2002-10-25 07:06:12 xxx.xxx.xxx.xxx AAA..AAA..AAA.AAA Udp 1027 137 -
BLOCKED ...
2002-10-25 07:06:13 xxx.xxx.xxx.xxx BBB.BBB.BBB.BBB Udp 1027 137 -
BLOCKED ...
where AAA.AAA.AAA.AAA and BBB.BBB.BBB.BBB are the IP's of ISA on the
external interface and xxx.xxx.xxx.xxx various IP's from the outside
world
Also, the internal IP's shown above do not exist in my organization nor
are part of the ISA LAT conffiguration.
All these are being reported by ISA as all port scan attacks or
well-known port scan attacks. Is it really so or am I missing something
? (.. does it have anything to do with the NetBIOS settings configured
on ISA?)
Thanks in advance.
George E. Sartzetakis
Information Systems Engineer
Interworks Ltd.
60 Vrilissou Str., Athens 114 76
Tel.: +30 10 6400437, +30 10 6456596
Fax: +30 10 6471048
URL: <http://www.interworks.gr/> http://www.interworks.gr
Email: <mailto:g.sartzetakis@xxxxxxxxxxxxx> g.sartzetakis@xxxxxxxxxxxxx
Other related posts:
