[TriLUG] are these port scanners?

Joseph Mack NA3T jmack at wm7d.net
Sun May 13 10:31:43 EDT 2012


Now that I've written my own firewall rules, I LOG all 
dropped packets and am looking at them to see if there's 
anything interesting. I'm being overwhelmed by dropped 
packets and there's not much hope of me seeing anything I 
should take notice of (like a persistent machine attempting 
to penetrate). I'm getting packets like these from a high 
port to a high port about every 2 secs.

May 13 14:19:21 routera kernel: firewall logdrop: IN=eth2 OUT= MAC=00:a0:24:5e:0b:7d:00:90:1a:41:1b:55:08:00 SRC=190.135.50.221 DST=50.55.129.200 LEN=58 TOS=0x00 PREC=0x00 TTL=49 ID=23 PROTO=UDP SPT=39114 DPT=47518 LEN=38

Most often the SRC host doesn't resolve to a hostname. This 
packet above, from Uruguay, does.

root at routera:/var/log# host 190.135.50.221
221.50.135.190.in-addr.arpa domain name pointer r190-135-50-221.dialup.adsl.anteldata.net.uy.

Are these machines just scanning all my high ports? Why? Just 
to see if they get a reply?

Joe
-- 
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
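
Added example, not part of the original post: one way to cut the logdrop noise down to a per-source summary, so that a host hitting one port over and over stands apart from a host walking across many ports. The sample lines are constructed (documentation addresses, modelled on the log line above), and the labels and the `min_hits` threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

FIELD = re.compile(r"(\w+)=(\S*)")   # key=value pairs written by the LOG target
PREFIX = "firewall logdrop:"         # the log prefix seen in the post

def parse(line):
    """Return the fields of one logdrop line, or None for any other line."""
    if PREFIX not in line:
        return None
    fields = {}
    for key, value in FIELD.findall(line.split(PREFIX, 1)[1]):
        fields.setdefault(key, value)  # keep the first LEN= (IP), not the UDP one
    return fields

def summarize(lines):
    """Count drops and distinct (protocol, destination port) pairs per source."""
    per_src = defaultdict(lambda: {"hits": 0, "ports": set()})
    for f in map(parse, lines):
        if not f or "SRC" not in f:
            continue
        stats = per_src[f["SRC"]]
        stats["hits"] += 1
        if "DPT" in f:                 # ICMP and similar carry no port
            stats["ports"].add((f.get("PROTO"), int(f["DPT"])))
    return per_src

def classify(stats, min_hits=3):
    """Assumed heuristic: many distinct ports = sweep, few ports repeated = persistent."""
    if stats["hits"] < min_hits:
        return "one-off"
    return "sweep" if len(stats["ports"]) >= min_hits else "persistent"

def report(lines):
    rows = [(src, s["hits"], len(s["ports"]), classify(s))
            for src, s in summarize(lines).items()]
    return sorted(rows, key=lambda row: -row[1])

def sample(src, spt, dpt):             # builds one constructed log line
    return ("May 13 14:19:21 routera kernel: firewall logdrop: IN=eth2 OUT= "
            f"SRC={src} DST=203.0.113.10 LEN=58 TOS=0x00 PREC=0x00 TTL=49 ID=23 "
            f"PROTO=UDP SPT={spt} DPT={dpt} LEN=38")

# Constructed input: one repeater, one port-walker, one stray packet.
SAMPLE = ([sample("192.0.2.7", 39114, 47518)] * 4
          + [sample("198.51.100.9", 40000, p) for p in (5000, 5001, 5002, 5003)]
          + [sample("192.0.2.99", 1234, 47518)])

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(*row)
```

To run it against real logs, pass the lines of the kernel log file to `report()` in place of `SAMPLE`.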


