For the past few days, I have been getting these in my logs:
denied 5 141.2.28.188 -> 204.247.159.244, 1 packet
denied 2 141.2.28.188 -> 204.247.159.244, 1 packet
denied 2 141.2.28.188 -> 204.247.159.244, 6 packets
denied 2 141.2.28.188 -> 204.247.159.244, 2 packets
denied 10 141.2.28.188 -> 204.247.159.244, 1 packet
denied 2 141.2.28.188 -> 204.247.159.244, 3 packets
denied 7 141.2.28.160 -> 204.247.159.244, 1 packet
denied 15 141.2.28.160 -> 204.247.159.244, 1 packet
denied 0 141.2.28.160 -> 204.247.159.244, 1 packet
denied 7 141.2.28.160 -> 204.247.159.244, 1 packet
denied 13 141.2.28.160 -> 204.247.159.244, 1 packet
After a bit of research, I have decided that this is a protocol probe.
If I read RFC 1700 right:
0 Reserved [JBP]
1 ICMP Internet Control Message [RFC792,JBP]
2 IGMP Internet Group Management [RFC1112,JBP]
3 GGP Gateway-to-Gateway [RFC823,MB]
4 IP IP in IP (encasulation) [JBP]
5 ST Stream [RFC1190,IEN119,JWF]
6 TCP Transmission Control [RFC793,JBP]
7 UCL UCL [PK]
8 EGP Exterior Gateway Protocol [RFC888,DLM1]
9 IGP any private interior gateway [JBP]
10 BBN-RCC-MON BBN RCC Monitoring [SGC]
11 NVP-II Network Voice Protocol [RFC741,SC3]
12 PUP PUP [PUP,XEROX]
13 ARGUS ARGUS [RWS4]
14 EMCON EMCON [BN7]
15 XNET Cross Net Debugger [IEN158,JFH2]
16 CHAOS Chaos [NC3]
Someone is trying to see what sort of protocols might get past my router.
Am I totally off base? Has anyone had experience with this before?
Here are some more goodies:
141.2.28.188 = dialin188.rz.uni-frankfurt.de
141.2.28.160 = dialin160.rz.uni-frankfurt.de
204.247.159.244 = www.connectix.com
I see no reason (other than foul play) why terminal servers would want
to send this stuff to our web server. What's ARGUS anyway?
Thanks in advance,
Rob Sansom
Network Admin.
Connectix Corp
(415) 638-7398
sansom @ connectix . com
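
Added example, not part of the original post: a small detector that parses deny lines in the format shown above, groups them by source and destination, and flags any pair that touched several IP protocol numbers a web server would not normally receive. The expected-protocol set, the threshold of three, and the final log line are assumptions of this example.

```python
import re
from collections import defaultdict

# IP protocol numbers, from the RFC 1700 excerpt quoted in the post.
PROTO_NAMES = {
    0: "Reserved", 1: "ICMP", 2: "IGMP", 3: "GGP", 4: "IP", 5: "ST",
    6: "TCP", 7: "UCL", 8: "EGP", 9: "IGP", 10: "BBN-RCC-MON", 11: "NVP-II",
    12: "PUP", 13: "ARGUS", 14: "EMCON", 15: "XNET", 16: "CHAOS",
}
EXPECTED = {1, 6}  # assumption: only ICMP and TCP are normal toward a web server

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(rf"denied\s+(\d+)\s+({IPV4})\s+->\s+({IPV4}),\s+(\d+)\s+packets?")

# The first eleven lines are the log from the post; the last one is constructed.
SAMPLE_LOG = """\
denied 5 141.2.28.188 -> 204.247.159.244, 1 packet
denied 2 141.2.28.188 -> 204.247.159.244, 1 packet
denied 2 141.2.28.188 -> 204.247.159.244, 6 packets
denied 2 141.2.28.188 -> 204.247.159.244, 2 packets
denied 10 141.2.28.188 -> 204.247.159.244, 1 packet
denied 2 141.2.28.188 -> 204.247.159.244, 3 packets
denied 7 141.2.28.160 -> 204.247.159.244, 1 packet
denied 15 141.2.28.160 -> 204.247.159.244, 1 packet
denied 0 141.2.28.160 -> 204.247.159.244, 1 packet
denied 7 141.2.28.160 -> 204.247.159.244, 1 packet
denied 13 141.2.28.160 -> 204.247.159.244, 1 packet
denied 6 192.0.2.10 -> 204.247.159.244, 4 packets
"""

def find_protocol_probes(lines, min_unusual=3):
    """Return {(src, dst): [(proto, name, packets), ...]} for probable sweeps."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.search(line)
        if m:  # lines in any other format are skipped
            seen[(m.group(2), m.group(3))][int(m.group(1))] += int(m.group(4))
    findings = {}
    for pair, protos in seen.items():
        unusual = sorted(p for p in protos if p not in EXPECTED)
        if len(unusual) >= min_unusual:  # threshold is an assumption
            findings[pair] = [(p, PROTO_NAMES.get(p, "unknown"), protos[p]) for p in unusual]
    return findings

if __name__ == "__main__":
    for (src, dst), protos in find_protocol_probes(SAMPLE_LOG.splitlines()).items():
        print(src, "->", dst, protos)
```

Both dial-in addresses from the post are flagged; the constructed TCP-only source is not.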