November 3rd, 2003, 11:19 PM
Oh lots of thoughts:
- worm activity? (still might be a possibility)
- trojan activity? (some DDoS/Trojans have encryption methods in them -- nothing says they wouldn't/couldn't use IPSec)
- misdirected traffic (this is the more likely scenario -- whatever they were connecting to before using Windows built-in VPN and IPSec).
- misdirected traffic (again, more likely option -- whatever they were connecting to experimenting with IPv6).
Interesting, to say the least... might want to watch incidents.org and some of the lists to see if others report it. Might also want to forward it to incidents.org to see if they've seen other reports.
November 3rd, 2003, 11:38 PM
November 4th, 2003, 12:00 AM
Have you had any problems with your ZoneAlarm blocking the traffic? I remember a bug in ZA where if it receives and blocks an excessive number of SYN packets (over a hundred or something, I think) it will crash. I'm sure some of you have seen/heard of it. Just wondering if they could somehow tell that you have a ZoneAlarm firewall and are trying to crash it. Just my guess on what they could be trying to do... I know it's far fetched, but with a high amount of SYN packets and your firewall being ZA, you could never know.
November 4th, 2003, 04:52 AM
Tiger: I had some log entries in my logs from Oct 28 that show a handful of attempts inbound from the Internet using that TCP port you reported, but nothing alarming. But most interestingly I had about 20 entries inbound from the Internet (on the same TCP port) using internal LAN IP addresses - some were valid, others were not.
I'll watch for any future stuff.
(Interesting thread you have here)
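Two things in this thread are worth checking mechanically rather than by eye: the count of SYN packets per source hitting the external interface (the ZoneAlarm concern above), and inbound entries on the external interface whose source is an internal LAN address, which cannot legitimately come from the Internet. The following is an added example, not code from any poster; it assumes a made-up `key=value` firewall log format, uses constructed sample lines with documentation-range and RFC 1918 addresses, and uses port 1025 only as a stand-in since the thread never names the port in question.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in an assumed "key=value" firewall format.
# Addresses are documentation (203.0.113.x, 198.51.100.x) and RFC 1918 ranges;
# port 1025 is an arbitrary placeholder for the port the thread discusses.
SAMPLE_LOG = """\
2003-10-28 09:12:01 iface=ext proto=TCP src=203.0.113.5:4532 dst=198.51.100.20:1025 flags=S action=DROP
2003-10-28 09:12:02 iface=ext proto=TCP src=203.0.113.5:4533 dst=198.51.100.20:1025 flags=S action=DROP
2003-10-28 09:12:03 iface=ext proto=TCP src=203.0.113.5:4534 dst=198.51.100.20:1025 flags=S action=DROP
2003-10-28 09:12:04 iface=ext proto=TCP src=192.168.1.44:1083 dst=198.51.100.20:1025 flags=S action=DROP
2003-10-28 09:12:05 iface=ext proto=TCP src=10.0.0.7:2201 dst=198.51.100.20:1025 flags=S action=DROP
2003-10-28 09:12:06 iface=int proto=TCP src=192.168.1.10:3311 dst=192.168.1.1:80 flags=S action=ACCEPT
2003-10-28 09:12:07 iface=ext proto=UDP src=198.51.100.77:500 dst=198.51.100.20:500 action=DROP
2003-10-28 09:12:08 iface=ext proto=TCP src=203.0.113.9:1111 dst=198.51.100.20:1025 flags=A action=DROP
"""

# Address ranges that should never appear as a source on the Internet-facing side:
# RFC 1918 private space, loopback and link-local. Listed explicitly rather than via
# ipaddress.is_private, which also treats documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) iface=(?P<iface>\S+) proto=(?P<proto>\S+) "
    r"src=(?P<src>[^:\s]+):(?P<sport>\d+) dst=(?P<dst>[^:\s]+):(?P<dport>\d+)"
    r"(?: flags=(?P<flags>\S+))? action=(?P<action>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def parse_log(text):
    """Parse all lines, silently skipping ones that do not match."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def is_internal(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def spoofed_internal_sources(records, external_iface="ext"):
    """Records seen on the external interface with an internal source address.
    These are spoofed or misrouted and worth a closer look regardless of port."""
    return [r for r in records
            if r["iface"] == external_iface and is_internal(r["src"])]


def syn_counts_by_source(records, external_iface="ext", port=None):
    """Count TCP SYN-only packets per source on the external interface,
    optionally restricted to one destination port."""
    counts = Counter()
    for r in records:
        if (r["iface"] == external_iface and r["proto"] == "TCP"
                and r.get("flags") == "S"
                and (port is None or r["dport"] == port)):
            counts[r["src"]] += 1
    return counts


def sources_over_threshold(records, threshold, **kw):
    """Sources whose SYN count reaches the threshold (the 'over a hundred' figure
    in the thread would be passed here)."""
    return {src: n for src, n in syn_counts_by_source(records, **kw).items()
            if n >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in spoofed_internal_sources(recs):
        print("internal source on external iface:", r["ts"], r["src"], "->", r["dst"], r["dport"])
    for src, n in syn_counts_by_source(recs, port=1025).most_common():
        print("SYNs to 1025 from", src, ":", n)
```

Against the constructed sample this flags 192.168.1.44 and 10.0.0.7 as internal sources arriving on the external interface, and counts three SYNs from 203.0.113.5; the `flags=A` line is excluded because it is not a SYN. On a real firewall the regex and interface name are the parts to adapt.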