
Land Attack, Portscan and others

Hello,
Today I'm under attack: I have a lot of entries in the log files about LAND Attack and Portscan (the latter coming from our Guest interface). In the case of LAND, the source and destination addresses seem to be the same (my public IP address), so it is difficult to determine the real origin, but I think it must be one of my co-workers, because the LAND alerts start at 9 and stop at 18 (our working hours). What can I do to discover the real attacker?

2010:09:23-16:12:18 firewall snort[5524]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="LAND Attack, sameip detected" group="242" srcip="6MY PUBLIC IP ADDRESS" dstip="6MY PUBLIC IP ADDRESS" proto="6" srcport="8080" dstport="58943" sid="200012" class="" priority="0"  generator="1" msgid="0"

2010:09:23-14:02:58 firewall ulogd[3270]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth5" dstmac="00:1a:8c:15:e2:4d" srcmac="78:e4:00:22:71:be" srcip="GUEST IP ADDRESS" dstip="255.255.255.255" proto="17" length="328" tos="0x00" prec="0x00" ttl="128" srcport="68" dstport="67" 

2010:09:23-14:02:59 firewall ulogd[3270]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth5" dstmac="00:1a:8c:15:e2:4d" srcmac="78:e4:00:22:71:be" srcip="GUEST IP ADDRESS" dstip="GUEST DEFAULT GATEWAY" proto="17" length="40" tos="0x00" prec="0x00" ttl="128" srcport="56386" dstport="5351" 

2010:09:23-14:02:59 firewall ulogd[3270]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth5" dstmac="00:1a:8c:15:e2:4d" srcmac="78:e4:00:22:71:be" srcip="GUEST IP ADDRESS" dstip="GUEST DEFAULT GATEWAY" proto="17" length="40" tos="0x00" prec="0x00" ttl="128" srcport="56386" dstport="5351" 

2010:09:23-14:03:01 firewall ulogd[3270]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth5" outitf="eth1" dstmac="00:1a:8c:15:e2:4d" srcmac="78:e4:00:22:71:be" srcip="GUEST IP ADDRESS" dstip="81.110.248.166" proto="17" length="50" tos="0x00" prec="0x00" ttl="127" srcport="16372" dstport="20031" 

2010:09:23-14:03:02 firewall ulogd[3270]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth5" dstmac="00:1a:8c:15:e2:4d" srcmac="78:e4:00:22:71:be" srcip="GUEST IP ADDRESS" dstip="GUEST DEFAULT GATEWAY" proto="17" length="40" tos="0x00" prec="0x00" ttl="128" srcport="56386" dstport="5351" 

2010:09:23-14:03:02 firewall ulogd[3270]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth5" outitf="eth1" dstmac="00:1a:8c:15:e2:4d" srcmac="78:e4:00:22:71:be" srcip="GUEST IP ADDRESS" dstip="81.104.10.175" proto="17" length="56" tos="0x00" prec="0x00" ttl="127" srcport="16372" dstport="17090" 

2010:09:23-14:03:02 firewall ulogd[3270]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth5" outitf="eth1" dstmac="00:1a:8c:15:e2:4d" srcmac="78:e4:00:22:71:be" srcip="GUEST IP ADDRESS" dstip="88.107.127.33" proto="17" length="55" tos="0x00" prec="0x00" ttl="127" srcport="16372" dstport="4202" 

2010:09:23-14:03:02 firewall ulogd[3270]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth5" dstmac="00:1a:8c:15:e2:4d" srcmac="78:e4:00:22:71:be" srcip="GUEST IP ADDRESS" dstip="GUEST DEFAULT GATEWAY" proto="17" length="40" tos="0x00" prec="0x00" ttl="128" srcport="56386" dstport="5351" 

2010:09:23-14:03:02 firewall ulogd[3270]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth5" outitf="eth1" dstmac="00:1a:8c:15:e2:4d" srcmac="78:e4:00:22:71:be" srcip="GUEST IP ADDRESS" dstip="86.3.13.23" proto="17" length="50" tos="0x00" prec="0x00" ttl="127" srcport="16372" dstport="11512" 

2010:09:23-14:03:03 firewall ulogd[3270]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth5" outitf="eth1" dstmac="00:1a:8c:15:e2:4d" srcmac="78:e4:00:22:71:be" srcip="GUEST IP ADDRESS" dstip="86.8.237.227" proto="17" length="58" tos="0x00" prec="0x00" ttl="127" srcport="16372" dstport="40912"

