Re: [cobalt-users] attackalert UDP port: 67 question
- Subject: Re: [cobalt-users] attackalert UDP port: 67 question
- From: Jason Woods <jwoods@xxxxxxxxxxxxxxx>
- Date: Thu Apr 5 09:44:21 2001
- Organization: Oakland Corporation
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Mark Roebuck wrote:
>
> I have been getting the following in my logs for the last 19hrs:
>
> Apr 3 13:16:41 www portsentry[796]: attackalert: Connect from host:
> 194.88.88.5/194.88.88.5 to UDP port: 67
> Apr 3 13:16:41 www portsentry[796]: attackalert: Host: 194.88.88.5 is
> already blocked. Ignoring
> Apr 3 13:16:46 www portsentry[796]: attackalert: Connect from host:
> 194.88.88.5/194.88.88.5 to UDP port: 67
> Apr 3 13:16:46 www portsentry[796]: attackalert: Host: 194.88.88.5 is
> already blocked. Ignoring
> Apr 3 13:16:54 www portsentry[796]: attackalert: Connect from host:
> 194.88.88.5/194.88.88.5 to UDP port: 67
> Apr 3 13:16:54 www portsentry[796]: attackalert: Host: 194.88.88.5 is
> already blocked. Ignoring
>
UDP can be forged. But I don't think this is the case here.
> The same lines are now repeated thousands of times.
>
> When I contacted the owners of the server at 194.88.88.5 they informed me
> that it is a windows nt server and they have no idea what is going on.
>
> According to a document on the web udp port 67 is bootps - Bootstrap
> Protocol Server.
>
> Any ideas what I should do?
>
> Thanks
>
> Mark Roebuck
Do you have anything on the same network that might be trying to acquire
an IP address, like an HP JetDirect printer? Whatever it is, it is
pretty persistent, trying every 5 seconds.
Also, how are you having portsentry handle scans? This appears to be a
RaQ, and I know the RaQ3i doesn't come with ipchains.
--
Jason Woods
Oakland Corporation
IT Director
Email: jwoods@xxxxxxxxxxxxxxx
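
The triage discussed in this thread, as an added example that is not part of the original posts: a Python sketch that groups portsentry `attackalert` lines by source and separates one port hit repeatedly at a steady interval (the UDP port 67 pattern above) from one source touching many ports. The sample log is constructed, and the `summarize`/`triage` names and both thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the portsentry syslog format quoted in the thread
# (addresses are documentation ranges, not taken from the post).
SAMPLE_LOG = """\
Apr  3 13:16:41 www portsentry[796]: attackalert: Connect from host: 192.0.2.10/192.0.2.10 to UDP port: 67
Apr  3 13:16:41 www portsentry[796]: attackalert: Host: 192.0.2.10 is already blocked. Ignoring
Apr  3 13:16:46 www portsentry[796]: attackalert: Connect from host: 192.0.2.10/192.0.2.10 to UDP port: 67
Apr  3 13:16:54 www portsentry[796]: attackalert: Connect from host: 192.0.2.10/192.0.2.10 to UDP port: 67
Apr  3 13:20:01 www portsentry[796]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 21
Apr  3 13:20:01 www portsentry[796]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 23
Apr  3 13:20:02 www portsentry[796]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 111
"""

ALERT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ portsentry\[\d+\]: attackalert: "
    r"Connect from host: \S+/(?P<ip>\S+) to (?P<proto>TCP|UDP) port: (?P<port>\d+)")

def summarize(log_text, year=2001):
    """Per source IP: ports touched, alert count, median seconds between alerts."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = ALERT.match(line)
        if m:  # "already blocked" lines carry no port and are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            hits[m["ip"]].append((ts, f"{m['proto']}/{m['port']}"))
    summary = {}
    for ip, events in hits.items():
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        summary[ip] = {"ports": sorted({p for _, p in events}),
                       "count": len(events),
                       "median_gap": median(gaps) if gaps else None}
    return summary

def triage(entry, scan_ports=3, repeat_count=3):
    """Rough label; both thresholds are assumptions, tune them for your logs."""
    if len(entry["ports"]) >= scan_ports:
        return "many ports: scan-like"
    if len(entry["ports"]) == 1 and entry["count"] >= repeat_count:
        return "one port, repeated: retrying client or misdirected traffic"
    return "too few alerts to classify"

if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(ip, entry, "->", triage(entry))
```

Syslog timestamps carry no year, so `summarize` takes one as a parameter; the median gap is what shows a fixed retry timer as opposed to a burst.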