UDP Port Scan Detected

Default User xyzzyx at sbcglobal.net
Mon Feb 25 22:48:15 UTC 2008


Hello! 
My home broadband LAN internet access uses dynamic IP addresses, changed
periodically by the ISP (can of course also be changed manually by
resetting the modem).  The modem has a built-in firewall, which seems to
be set up okay. All my ports are set to drop unsolicited packets
silently, and tested fine with "Shields-Up" at grc.com.  Here is a short
sample of the modem's log of recent "events": 

INF 2008/02/25 03:11:00 CST FW: severity=low src=24.64.140.22
dst=70.130.187.24 ipprot=17 sport=5732 dport=1026 UDP Port Scan
Detected, Packet Dropped  

INF 2008/02/25 03:11:01 CST FW: severity=low src=24.64.165.119
dst=70.130.187.24 ipprot=17 sport=24744 dport=1028 UDP Port Scan
Detected, Packet Dropped  

INF 2008/02/25 03:27:42 CST FW: severity=low src=24.64.20.146
dst=70.130.187.24 ipprot=17 sport=16834 dport=1028 UDP Port Scan
Detected, Packet Dropped  

INF 2008/02/25 03:42:32 CST FW: severity=low src=24.64.58.130
dst=70.130.187.24 ipprot=17 sport=14512 dport=1026 UDP Port Scan
Detected, Packet Dropped  

INF 2008/02/25 03:47:10 CST FW: severity=low src=24.64.170.143
dst=70.130.187.24 ipprot=17 sport=11784 dport=1028 UDP Port Scan
Detected, Packet Dropped  

INF 2008/02/25 04:04:20 CST FW: severity=low src=24.64.175.185
dst=70.130.187.24 ipprot=17 sport=18594 dport=1028 UDP Port Scan
Detected, Packet Dropped  

INF 2008/02/25 04:11:11 CST FW: severity=low src=24.64.203.17
dst=70.130.187.24 ipprot=17 sport=28325 dport=1027 UDP Port Scan
Detected, Packet Dropped




Doesn't look good.
So I tried to get rid of the offender(s) by resetting the modem, thus
getting a new IP address from my ISP.  But - this is  unnerving - even
with a new IP address, the hits just keep on coming:




INF 2008/02/25 14:30:24 CST FW: severity=low src=24.64.214.69
dst=70.130.34.183 ipprot=17 sport=31282 dport=1027 UDP Port Scan
Detected, Packet Dropped  

INF 2008/02/25 14:46:41 CST FW: severity=low src=24.64.213.38
dst=70.130.34.183 ipprot=17 sport=32957 dport=1028 UDP Port Scan
Detected, Packet Dropped  

INF 2008/02/25 14:47:42 CST FW: severity=low src=24.64.110.185
dst=70.130.34.183 ipprot=17 sport=15209 dport=1028 UDP Port Scan
Detected, Packet Dropped  

INF 2008/02/25 15:19:58 CST FW: severity=low src=24.64.150.221
dst=70.130.34.183 ipprot=17 sport=30155 dport=1027 UDP Port Scan
Detected, Packet Dropped  

INF 2008/02/25 15:26:13 CST FW: severity=low src=24.64.103.76
dst=70.130.34.183 ipprot=17 sport=29258 dport=1028 UDP Port Scan
Detected, Packet Dropped  

INF 2008/02/25 15:35:34 CST FW: severity=low src=24.64.101.201
dst=70.130.34.183 ipprot=17 sport=24341 dport=1028 UDP Port Scan
Detected, Packet Dropped  

INF 2008/02/25 15:42:06 CST FW: severity=low src=24.64.85.4
dst=70.130.34.183 ipprot=17 sport=16666 dport=1028 UDP Port Scan
Detected, Packet Dropped  



The scans all come from 24.64.???.??? which seems to resolve to
(apparently) a cable ISP in Calgary, Alberta, Canada (far, far away from
me).  The scans just seem to be for ports 126, 127, and 128.  They only
come every 5-15 minutes.  Each time the source port is different, as
well as the last two groups of numbers in the source IP address.  

I don't know how long this has been going on, but at least since
2008-02-22.  The scanning seems to be very persistent and very
methodical.  And very patient.  

It may just be a script kiddie playing with a port scanner.  Or perhaps
a botnet systematically probing some or all of my ISP dynamic IP range,
with who knows what evil intent.  
Or... what?

This isn't funny anymore, especially since I am still getting scanned
even after changing my external IP address!  

Further, in addition to my Ubuntu 7.10 computers, the LAN also includes
the Windows XP computer of a non-technical user, who uses it for all
sorts of internet audio and video stuff.  

So, what to do?  Should I just grit my teeth and ignore it?  Should I
contact my ISP and/or the "source" ISP?  Would either one even care?
Opinions?  Advice?  
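
Added example, not part of the original message: a Python parser for the modem log format quoted above that groups the dropped packets by source network, destination port and target address, and measures the time between hits. The names `parse`, `summarize` and `SAMPLE_LOG` are assumptions made for this illustration, and the /16 grouping is a chosen default.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_network

# Constructed sample: five entries from the post's log, joined one per line.
SAMPLE_LOG = """\
INF 2008/02/25 03:11:00 CST FW: severity=low src=24.64.140.22 dst=70.130.187.24 ipprot=17 sport=5732 dport=1026 UDP Port Scan Detected, Packet Dropped
INF 2008/02/25 03:11:01 CST FW: severity=low src=24.64.165.119 dst=70.130.187.24 ipprot=17 sport=24744 dport=1028 UDP Port Scan Detected, Packet Dropped
INF 2008/02/25 03:27:42 CST FW: severity=low src=24.64.20.146 dst=70.130.187.24 ipprot=17 sport=16834 dport=1028 UDP Port Scan Detected, Packet Dropped
INF 2008/02/25 14:30:24 CST FW: severity=low src=24.64.214.69 dst=70.130.34.183 ipprot=17 sport=31282 dport=1027 UDP Port Scan Detected, Packet Dropped
INF 2008/02/25 14:46:41 CST FW: severity=low src=24.64.213.38 dst=70.130.34.183 ipprot=17 sport=32957 dport=1028 UDP Port Scan Detected, Packet Dropped
"""

ENTRY = re.compile(
    r"INF (?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \w+ FW: severity=\w+ "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) ipprot=(?P<proto>\d+) "
    r"sport=(?P<sport>\d+) dport=(?P<dport>\d+)"
)

def parse(text):
    """Return one dict per firewall entry, even when entries wrap over lines."""
    flat = " ".join(text.split())  # collapse line wraps into single spaces
    rows = []
    for m in ENTRY.finditer(flat):
        row = m.groupdict()
        row["ts"] = datetime.strptime(row["ts"], "%Y/%m/%d %H:%M:%S")
        for key in ("proto", "sport", "dport"):
            row[key] = int(row[key])
        rows.append(row)
    return rows

def summarize(rows, prefix_len=16):
    """Group dropped packets by source network, destination port and target."""
    nets = Counter(str(ip_network(f"{r['src']}/{prefix_len}", strict=False)) for r in rows)
    gaps = {}  # seconds between consecutive hits, per destination address
    for dst in {r["dst"] for r in rows}:
        times = sorted(r["ts"] for r in rows if r["dst"] == dst)
        gaps[dst] = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return {
        "source_networks": dict(nets),
        "distinct_sources": len({r["src"] for r in rows}),
        "dports": dict(Counter(r["dport"] for r in rows)),
        "gaps_seconds": gaps,
    }

if __name__ == "__main__":
    for key, value in summarize(parse(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Pasting the full modem log into `SAMPLE_LOG` gives the same summary over the whole capture; entries that are damaged in transit and no longer match the field layout are skipped.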
