On Tue, 9 Feb 2010, Simon Waters wrote:
> I'm seeing spurious port 37 traffic logged since "Feb 8 20:05:41" on several (related) IP addresses.
>
> TCPDUMP shows the content contains strings consistent with these packets being related to anti-spam activity, or possibly just lost DNS traffic (since a lot of DNS traffic is now anti-spam).
>
> Strings extracted include:
>
> 14.114.99.123.zen.spamhaus.org
> 157.104.20.190.zen.spamhaus.org
> cps.co.uk.dsn.rfc-ignorant.org
> liposuctionlaser.com.abuse.rfc-ignorant.org
>
> My best guess is an attempted DDOS on blocklists, but I don't have enough data.
>
> I don't understand why it would use port 37, but the packets are from all over, so I assume spoofed.
>
> Anyone else seeing this? Be nice to know we aren't mangling our own DNS requests or similar.

Not a peep here - I'm looking at my main routers too - nothing in or out.

Port 37 - That's "timeserver"... used to send the time & date to a remote site - I think it's generally been disabled for years now... Odd that people are poking data to it!!!

Gordon

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
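
One way to test the "lost DNS traffic" guess from the thread above, as an added example that is not part of the original posts: parse each captured port 37 payload as a DNS query and report which blocklist zone it asks about. The function names and the packets built by `build_query` are constructed for illustration; the zone list comes from the strings quoted in the first post.

```python
import struct

# DNSBL zones taken from the strings quoted in the post.
DNSBL_ZONES = ("zen.spamhaus.org", "rfc-ignorant.org")

def parse_dns_question(payload: bytes):
    """Return (qname, qtype) if payload is a well-formed DNS query carrying
    exactly one question, else None."""
    if len(payload) < 12:                      # shorter than a DNS header
        return None
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000 or qdcount != 1:         # QR bit set means a response
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:                        # root label ends the name
            break
        # >63 also rejects compression pointers, which a first name never needs
        if length > 63 or pos + length > len(payload):
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!2H", payload[pos:pos + 4])
    if qclass != 1:                            # only class IN is expected
        return None
    return ".".join(labels).lower(), qtype

def classify(payload: bytes) -> str:
    """Label one UDP payload seen on port 37."""
    parsed = parse_dns_question(payload)
    if parsed is None:
        return "not-dns"
    qname, _qtype = parsed
    for zone in DNSBL_ZONES:
        if qname == zone or qname.endswith("." + zone):
            return "dnsbl-query:" + zone
    return "dns-query:other"

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample input: a standard recursive A query for name."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!2H", 1, 1)
```

If most payloads classify as `dnsbl-query`, the traffic is structurally valid DNS arriving on the wrong port; `not-dns` means the hostnames are embedded in some other framing.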