
View Full Version : What on earth?


Mike_Healan
August 5th, 2002, 11:14 AM
This person was a fellow customer of my ISP (judging from the IP address). This nonsense went on for hours until I got tired of it and asked several friends with very large bandwidth to "convince" this person to go offline.
What on Earth were they trying to do here?

-{ Quote: "1,[05/Aug/2002 00:13:40] Rule 'Packet to unopened port received': Blocked: In TCP, (null) [68.16.40.248:4862]->localhost:5103, Owner: no owner
1,[05/Aug/2002 00:13:43] Rule 'Packet to unopened port received': Blocked: In TCP, (null) [68.16.40.248:4862]->localhost:5103, Owner: no owner
1,[05/Aug/2002 00:13:49] Rule 'Packet to unopened port received': Blocked: In TCP, (null) [68.16.40.248:4862]->localhost:5103, Owner: no owner
1,[05/Aug/2002 00:14:01] Rule 'Packet to unopened port received': Blocked: In TCP, (null) [68.16.40.248:4869]->localhost:5103, Owner: no owner
1,[05/Aug/2002 00:14:04] Rule 'Packet to unopened port received': Blocked: In TCP, (null) [68.16.40.248:4869]->localhost:5103, Owner: no owner
1,[05/Aug/2002 00:14:10] Rule 'Packet to unopened port received': Blocked: In TCP, (null) [68.16.40.248:4869]->localhost:5103, Owner: no owner
1,[05/Aug/2002 00:14:23] Rule 'Packet to unopened port received': Blocked: In TCP, (null) [68.16.40.248:4870]->localhost:5103, Owner: no owner
1,[05/Aug/2002 00:14:26] Rule 'Packet to unopened port received': Blocked: In TCP, (null) [68.16.40.248:4870]->localhost:5103, Owner: no owner
1,[05/Aug/2002 00:14:32] Rule 'Packet to unopened port received': Blocked: In TCP, (null) [68.16.40.248:4870]->localhost:5103, Owner: no owner
1,[05/Aug/2002 00:14:44] Rule 'Packet to unopened port received': Blocked: In TCP, (null) [68.16.40.248:4871]->localhost:5103, Owner: no owner
1,[05/Aug/2002 00:14:47] Rule 'Packet to unopened port received': Blocked: In TCP, (null) [68.16.40.248:4871]->localhost:5103, Owner: no owner
1,[05/Aug/2002 00:14:53] Rule 'Packet to unopened port received': Blocked: In TCP, (null) [68.16.40.248:4871]->localhost:5103, Owner: no owner
1,[05/Aug/2002 00:15:06] Rule 'Packet to unopened port received': Blocked: In TCP, (null) [68.16.40.248:4874]->localhost:5103, Owner: no owner
1,[05/Aug/2002 00:15:09] Rule 'Packet to unopened port received': Blocked: In TCP, (null) [68.16.40.248:4874]->localhost:5103, Owner: no owner
1,[05/Aug/2002 00:15:19] Rule 'Packet to unopened port received': Blocked: In TCP, (null) [68.16.40.248:4874]->localhost:5103, Owner: no owner
" }-

spy1
August 5th, 2002, 11:25 AM
Maybe a kid playing with SuperScan?

Or, if it was directed at you, maybe one of your neighbors doesn't like you (or whoever it was)?

Complaints to the ISP involved, including logfiles, would probably actually work in this instance, since the behavior was so sustained. Pete

Checkout
August 5th, 2002, 11:37 AM
If complaints to your ISP fail to resolve it, ask the guy his hat size.

Mike_Healan
August 5th, 2002, 11:42 AM
Well, considering how we "convinced" him right offline ........

*cough* *cough*

He did it twice actually now that I think of it. He went offline after doing it for hours, then 30 minutes or so later another IP (also at my ISP) started the same s**t, so we "convinced" him he should be offline again.
I'm just wondering what the heck he was trying to do.

spy1
August 5th, 2002, 11:50 AM
That's funny. I just put that addy into Karen's URL Discombobulator and it came back with this: 0.0.18.254

?

Pete

spy1
August 5th, 2002, 11:55 AM
Also, I'm getting 'no such host' and similar messages on SamSpade using the original addy.

Got any spooks living in your 'hood? Black vans parked in front of your house? Pete

Checkout
August 5th, 2002, 11:55 AM
It pings, though.

Mike_Healan
August 5th, 2002, 12:00 PM
-{ Quote: " quoting spy1:
Also, I'm getting 'no such host' and similar messages on SamSpade using the original addy.

Got any spooks living in your 'hood? Black vans parked in front of your house? Pete
" }-

* Mike goes to poke at the bush that's sprouted up in the backyard since yesterday .......

spy1
August 5th, 2002, 12:06 PM
;D Yeah, it pings. NeoTrace is doing a better job. You're in Atlanta, huh?

(Note: SamSpade worked much better when i dropped the last four numbers, too! <g> ). Pete

Paul Wilders
August 5th, 2002, 12:12 PM
Hey Mike,

TCP Null packets contain a sequence but no flags - illegal in fact. Attackers could create crafted packets with false IP addresses (IP spoofing), making them hard(er) to track down. In that case, a trace back might lead to an innocent third party.

The TCP Null packet is commonly used to identify listening TCP ports. There are DDoS tools around using Null, like Trinity (aka MyServer or Plague) - listening on TCP 33270, when idle connecting to an IRC server on 6667.

Seems like someone is trying to give you a hard time (IP spoofed or not), possibly trying to DDoS you.

Looks like Kerio(?) is handling it well though ;).

Take care.

paul
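Paul's point about flag-less packets can be made concrete. The script below is an added example, not code from the thread or from Kerio: it decodes the flag byte of a raw TCP header and names the classic scan signatures (NULL, FIN, Xmas) that firewall and IDS rules key on. The headers are constructed inside the script (checksum left at zero, no options) so it runs offline, and the scan labels are my own wording. One caveat for anyone reading the log lines above: a personal-firewall log entry like Mike's records no flags at all, so whether a given blocked packet was a NULL packet can only be decided from a packet capture, not from the log.

```python
import struct

# The six classic TCP flag bits live in byte 13 of the header; CWR/ECE occupy the two high bits.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def tcp_flags(header: bytes) -> int:
    """Return the six classic flag bits of a raw TCP header (ECN bits masked off)."""
    if len(header) < 20:
        raise ValueError("TCP header shorter than the 20-byte minimum")
    return header[13] & 0x3F


def flag_names(flags: int) -> list:
    """Names of the set flags, e.g. [] for a NULL packet."""
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]


def tcp_ports(header: bytes) -> tuple:
    """(source port, destination port) from the first four header bytes."""
    return struct.unpack("!HH", header[:4])


def classify_probe(header: bytes) -> str:
    """Name the scan signature a flag combination corresponds to (labels are my own)."""
    f = tcp_flags(header)
    if f == 0:
        return "NULL scan: no flags set, illegal for any real connection state"
    if f == FIN:
        return "FIN scan: FIN without ACK"
    if f == FIN | PSH | URG:
        return "Xmas scan: FIN, PSH and URG lit up together"
    if f == SYN:
        return "SYN: ordinary connection attempt or SYN scan"
    if f & ACK:
        return "ACK-bearing: part of an established flow or an ACK scan"
    return "other flag combination: 0x%02x (%s)" % (f, ",".join(flag_names(f)))


def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0,
                     window: int = 1024) -> bytes:
    """Constructed 20-byte header for testing; checksum left at zero, no options."""
    data_offset = 5 << 4  # five 32-bit words, stored in the upper nibble of byte 12
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, window, 0, 0)


# Constructed (not captured) NULL packet using the ports from Mike's log: 4862 -> 5103.
SAMPLE_NULL = bytes.fromhex("12fe13ef" "00000000" "00000000" "50" "00" "0400" "0000" "0000")

if __name__ == "__main__":
    for label, hdr in [("sample", SAMPLE_NULL),
                       ("syn", build_tcp_header(4862, 5103, SYN)),
                       ("xmas", build_tcp_header(4862, 5103, FIN | PSH | URG))]:
        print(label, tcp_ports(hdr), flag_names(tcp_flags(hdr)), classify_probe(hdr))
```

Masking off the two ECN bits matters in practice: a modern host that negotiates ECN sets CWR and ECE on its SYN, and a naive `flags == SYN` comparison would misclassify it.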

Mike_Healan
August 5th, 2002, 12:13 PM
Nope. Collins.
http://www.google.com/url?sa=X&oi=map&q=http://www.mapquest.com/maps/map.adp%3Fcountry%3DUS%26address%3D%26city%3DCollins%26state%3DGA

Mike_Healan
August 5th, 2002, 12:22 PM
Interesting. Last week, someone with an IP that traced back to yahoo.com kept probing at ports 5000 and 5001.

-{ Quote: "1,[29/Jul/2002 00:55:13] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:13] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:13] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:13] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:13] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
" }-

My IP changes when I go online just like any other dialup customer, so they're not after me. Think this is someone scanning the whole netblock? Sort of hard to believe someone has the bandwidth to scan the whole block continuously for hours like that.

Paul Wilders
August 5th, 2002, 12:27 PM
-{ Quote: "My IP changes when I go online just like any other dialup customer" }-

ahh..didn't know that.

-{ Quote: "so they're not after me. Think this is someone scanning the whole netblock?" }-

Seems like it.

-{ Quote: "Sort of hard to believe someone has the bandwidth to scan the whole block continuously for hours like that." }-

Could be part of the block. Bandwidth does not have to be a problem.

regards.

paul

spy1
August 5th, 2002, 12:30 PM
Mike - If the bush checked out okay, look to the sky - them pesky reptilian aliens could be up to something again...

Checkout
August 5th, 2002, 03:30 PM
-{ Quote: " quoting spy1:
Mike - If the bush checked out okay, look to the sky - them pesky reptilian aliens could be up to something again...
" }-
We are watching you for your own good, Peteling. Do not complain about the new growth in your garden either - it is home to those who seek to administer your planet wisely. It is the bush administration.

snowy
August 5th, 2002, 05:29 PM
Mike

Beginning Friday and lasting until the a.m. hours of Monday... I noticed a tremendous amount of "traffic"... in fact, for the first time ever I reported a SubSeven attack to my ISP... from a person also using my ISP... requesting only that the person be contacted and advised that his/her machine may be compromised... (the person's machine did not even have a firewall).
It would appear to me that there were massive DoS attacks going on over the weekend... it's now Monday afternoon in my area... and the net is very quiet.

snowman

snowy
August 5th, 2002, 06:17 PM
Mike

By the way... have you noticed any unusual amount of "internet broadcast" on UDP port 68... it's supposedly coming from "assigned numbers".

snowman

Detox
August 5th, 2002, 06:32 PM
One time a figment of my imagination came down outta the sky n gave me a chicklet.

snowy
August 5th, 2002, 06:40 PM
Detox

naw....that was just an egg hatching....dropped from the earthship chickenlittle

jvmorris
August 5th, 2002, 07:25 PM
-{ Quote: " quoting Checkout: . . . We are watching you for your own good, Peteling. Do not complain about the new growth in your garden either - it is home to those who seek to administer your planet wisely. It is the bush administration." }-
Oh, that's what (who) it is! I feel much better (or is it worse?). Now, you've reminded me to re-read "1984", while I can still get my hands on a copy.

root
August 5th, 2002, 10:47 PM
Paul, I was looking at the timing in the two logs, and in the first one to me it looks more like a concerted effort to probe a bunch of ports looking for an opening. With 3+ second intervals, it's not much of a DoS attack.
On the second log, although there are not many entries to look at, it looks like that could be an attempted DoS.
I am not that familiar with some of this and I don't know if someone would be taking the time and effort to spoof and run null scans on Mike, unless he really got to somebody.
Also, that second log showing port 5000 could be some moron guessing that he had XP and had not secured port 5000 properly.
If I'm not mistaken, spoofing takes some smarts and some time to pull off. All in all, interesting to say the least. :)
Nice to know you have friends that can help out in a pinch, Mike.

Mike_Healan
August 5th, 2002, 11:07 PM
No, nothing on port 68 that I can think of.

root, here's some more of that log so you can see what I was dealing with that night. There's so much that I didn't want to flood out the thread.
-{ Quote: "1,[29/Jul/2002 00:55:13] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:13] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:13] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:13] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:13] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:13] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:13] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:14] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:14] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:14] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:14] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:14] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:17] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:17] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:17] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:17] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:17] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:17] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:17] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:17] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:17] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:17] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:17] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
" }-
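The timing argument root makes above (multi-second intervals in the first log, many packets inside the same second in the second) can be checked mechanically rather than by eye. The script below is an added example, not part of the original thread and not Kerio's software: it parses the Kerio log lines Mike quoted (both logs are embedded verbatim, trimmed to 9 and 10 lines), groups blocked packets per source address, and reports packet count, time span, port spread and a heuristic verdict. The thresholds and verdict wording are my own assumptions, and the parenthesised `(null)` field is captured as-is since the thread does not say what it holds. Run on the first log it surfaces something the thread does not remark on: each source port carries exactly three packets spaced 3 s and then 6 s apart, which matches the default connect-retransmission schedule of Windows TCP stacks of that era (one SYN, retries at +3 s and +6 s, then give up), and a fresh source port appears about 12 s after the last retry. That is what an application stubbornly retrying a connection to TCP 5103 looks like when the firewall silently drops it. The second log, 10 packets in 4 s from a fixed source port 5000, fits the voice-chat stream Rickster identifies later in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Kerio Personal Firewall log lines quoted in the thread, trimmed to 9 and 10 lines.
LOG_TCP = """\
1,[05/Aug/2002 00:13:40] Rule 'Packet to unopened port received': Blocked: In TCP, (null) [68.16.40.248:4862]->localhost:5103, Owner: no owner
1,[05/Aug/2002 00:13:43] Rule 'Packet to unopened port received': Blocked: In TCP, (null) [68.16.40.248:4862]->localhost:5103, Owner: no owner
1,[05/Aug/2002 00:13:49] Rule 'Packet to unopened port received': Blocked: In TCP, (null) [68.16.40.248:4862]->localhost:5103, Owner: no owner
1,[05/Aug/2002 00:14:01] Rule 'Packet to unopened port received': Blocked: In TCP, (null) [68.16.40.248:4869]->localhost:5103, Owner: no owner
1,[05/Aug/2002 00:14:04] Rule 'Packet to unopened port received': Blocked: In TCP, (null) [68.16.40.248:4869]->localhost:5103, Owner: no owner
1,[05/Aug/2002 00:14:10] Rule 'Packet to unopened port received': Blocked: In TCP, (null) [68.16.40.248:4869]->localhost:5103, Owner: no owner
1,[05/Aug/2002 00:14:23] Rule 'Packet to unopened port received': Blocked: In TCP, (null) [68.16.40.248:4870]->localhost:5103, Owner: no owner
1,[05/Aug/2002 00:14:26] Rule 'Packet to unopened port received': Blocked: In TCP, (null) [68.16.40.248:4870]->localhost:5103, Owner: no owner
1,[05/Aug/2002 00:14:32] Rule 'Packet to unopened port received': Blocked: In TCP, (null) [68.16.40.248:4870]->localhost:5103, Owner: no owner
"""

LOG_UDP = """\
1,[29/Jul/2002 00:55:13] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:13] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:13] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:13] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:14] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:14] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:14] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:17] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:17] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
1,[29/Jul/2002 00:55:17] Rule 'Packet to unopened port received': Blocked: In UDP, (null) [66.218.70.35:5000]->localhost:5000, Owner: no owner
"""

# Field layout as it appears in the quoted lines; the trailing "Owner:" part is ignored.
LINE_RE = re.compile(
    r"^\d+,\[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']*)': (?P<action>\w+): "
    r"(?P<direction>In|Out) (?P<proto>TCP|UDP|ICMP), \((?P<name>[^)]*)\) "
    r"\[(?P<src>[\d.]+):(?P<sport>\d+)\]->(?P<dst>[^:,]+):(?P<dport>\d+)"
)


def parse(line):
    """Parse one Kerio log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y %H:%M:%S")
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def classify(recs):
    """Heuristic verdict for the sorted packets of one source (thresholds are my assumption)."""
    span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
    rate = len(recs) / span if span > 0 else float("inf")
    if rate >= 2.0:
        return "burst: two or more packets per second from one source (flood or a live stream such as RTP)"
    if len({r["dport"] for r in recs}) > 1:
        return "port scan: several destination ports probed at a slow rate"
    # Packets sharing a source port belong to one connection attempt; look at their spacing.
    per_sport = defaultdict(list)
    for r in recs:
        per_sport[r["sport"]].append(r["ts"])
    retry_like = sum(
        1 for times in per_sport.values()
        if [round((b - a).total_seconds()) for a, b in zip(times, times[1:])] == [3, 6]
    )
    if retry_like == len(per_sport):
        return "connection retries: each source port sends one packet plus retransmissions after 3 s and 6 s"
    return "slow probe: one destination port at a low rate"


def summarize(lines):
    """Group blocked packets by source address and describe each source."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["action"] == "Blocked":
            by_src[rec["src"]].append(rec)
    report = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        report[src] = {
            "count": len(recs),
            "span_s": (recs[-1]["ts"] - recs[0]["ts"]).total_seconds(),
            "protos": sorted({r["proto"] for r in recs}),
            "src_ports": sorted({r["sport"] for r in recs}),
            "dst_ports": sorted({r["dport"] for r in recs}),
            "verdict": classify(recs),
        }
    return report


if __name__ == "__main__":
    for src, info in summarize(LOG_TCP.splitlines() + LOG_UDP.splitlines()).items():
        print(src, info)
```

The per-source-port grouping is the step that separates a retrying client from a scanner: a scanner changes destination ports, a retrying client changes source ports and keeps hitting the same destination. Feeding it Mike's full 23-line UDP excerpt instead of the trimmed one raises the rate but does not change the verdict.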

snowy
August 5th, 2002, 11:24 PM
Mike

The 66.218.*** - is that the URL that was involved??
That's assigned to a <yahoo> account. If that's not you...??

snowman

Mike_Healan
August 5th, 2002, 11:30 PM
Yeah, that's what was so weird about it. I couldn't figure why on Earth someone at yahoo was hammering at my firewall like that. I sent an abuse email to abuse@ and netblockadmin@ yahoo.com and CCed to my ISP. The ISP looked at their logs and said they'd see what they could find out. Haven't heard back about it.

snowy
August 5th, 2002, 11:41 PM
Mike

Not really so strange... <yahoo> is now an internet service provider... one of its "customers" perhaps? And somehow got hold of your address?
The UDP is what I find interesting, because I also was being hammered... but didn't notice it except my CPU was running at full blast like the swap files had lost control...
By disconnecting and stopping all outbound, I then got an alert that an Internet Broadcast (UDP port 68) was prevented... in fact it's happening right now!... I realize the need for the assigned numbers part... but this is highly unusual... enormous traffic!!

snowman

Rickster
August 6th, 2002, 06:16 AM
Hi Mike: The domain name for IP 66.218.70.35: is v4.vc.scd.yahoo.com on the following server:

P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Last-Modified: Fri, 03 May 2002 17:36:15 GMT
ETag: "4b536-dca-3cd2ca8f"

It is Yahoo Voice Chat:
Excerpt: http://vc.yahoo.com:5001/ Info For Network Administrators:

“Yahoo! Voice Chat uses the Real-time Transport Protocol (RTP, described in RFC 1889) for communication between users' computers and the Yahoo! voice servers. A firewall must allow a user's computer to make outgoing TCP connections to ports 5000 and 5001 on our servers. The servers will always attempt to use UDP for voice data, but will use TCP if UDP is blocked (your firewall may log the blocked UDP packets).
Current list of Yahoo! Voice Chat servers (subject to change): “

Hope this helps.

root
August 6th, 2002, 01:25 PM
Good work Rickster. Now the question, how does someone get a Yahoo voice chat server to attack someone? That is certainly more than the regular connection attempts you would expect to see. Those are coming in milliseconds, unless I'm reading the datetime wrong. Also, null packets?
Mike, Yahoo should certainly own up to this as they know good and well about UDP and port 5000.

MyNethingyman
August 6th, 2002, 02:32 PM
Maybe they are just practicing for tonight.

Heightened Awareness Warranted on August 5-6, 2002 by U.S. Website and ISP Administrators


http://www.dslreports.com/forum/remark,4050805~root=security,1~mode=flat

snowy
August 7th, 2002, 02:19 AM
MIKE....and All

Should read:::


http://www.pgp.com/research/covert/advisories/045.asp