Eric Wieling writes...
Someone apparently from a WorldNet dial-up account, calling in via New Orleans and Dallas was sending large numbers of TCP connections to port 1080. That's of course the default Socks Port. We don't run socks. Never have. The connection attempts were blocked and logged.
The reasons could be:
1) stupid user entered in the wrong address for a socks proxy
2) Denial of Service attack
If it were #1, then why would it be coming from two different cities and why sooooo many connections? If it was #2, why am I not seeing more connections and why TCP? It seems to me that it's kinda pointless to spoof the source address on a TCP connection unless you are *very* clever. Why only port 1080?
I've seen this scenario in the past, though in reverse (in other words, from the "attacker" side). Here's how it went.

Company X uses a proxy server for web access, which defaults to 1080. They configured all their Netscape browsers to use the proxy server. Apparently, one of the employees took home a copy of Netscape with the configuration intact. It continued to work because the proxy server also answered requests from outside the company X network. This employee further duplicated that configured copy of Netscape and passed it around to other people. Eventually a copy made it to company Z, where I once worked. Company Z did not use a proxy server, and did allow outbound access to any port on the Internet. So these copies of Netscape continued to work, using company X's proxy server.

Eventually company X discovered their proxy server was being "attacked" or otherwise heavily loaded from the Internet. They either shut it down or made it unreachable from the outside, or it just plain crashed. I was called in to diagnose why several stations could no longer reach any web sites. I discovered this misconfiguration. Noting the pattern involved and the possibility of a like scenario repeating, and the risks that could also be involved, I set the firewall to block outgoing connects to port 1080 anywhere on the Internet. That actually "broke" quite a number of copies of Netscape, and had to result in a total in-house clean-up of all browsers.

Eric, what you are seeing _might_ be as innocent as that. I don't know how hard the browser keeps trying to connect when the connection is refused or not completed, but it is worth adding to the list of scenarios so you know what you might be dealing with if it does happen to be the case.

And good luck with contacting AT&T. I'm going to be putting some thought into the issue of how to implement and deploy a universal operations contact list that can be restricted to the operational staff of ISPs and major businesses on the Internet.
This is something most everyone will want to have a restricted access list.
I don't bother to set my alarm clock anymore. Someone always pages me before I need to wake up anyway.
boss: Why didn't you come into work yesterday?
answer: No one paged me. Was I needed?

-- 
Phil Howard    +-------------------------------------------------------------+
KA9WGN         | House committee changes freedom bill to privacy invasion !! |
phil at        | more info: http://www.news.com/News/Item/0,4,14180,00.html |
milepost.com   +-------------------------------------------------------------+
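Eric's question, and Phil's misconfigured-proxy-client story, both turn on what the blocked-and-logged connection attempts to TCP/1080 actually look like per source: a few sources retrying on a fixed timer points at stray proxy settings, while a wide spread of sources points at something broader. The script below is an added example, not code from the thread or from either poster. The log line format, the sample lines (constructed, RFC 5737 documentation addresses) and the thresholds in classify() are all assumptions; adjust LINE_RE to a real firewall's deny format.

```python
"""Summarize denied connection attempts to TCP/1080 per source address.

Added example for the thread above; the log format, sample data and the
heuristic thresholds are assumptions, not anything stated by the posters.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Generic packet-filter deny line (assumed format, not a specific product's).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DENY (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: two sources retrying port 1080 every 30 seconds,
# plus unrelated denies (telnet, port 8080) and a non-log line to be skipped.
SAMPLE_LOG = """\
1998-03-02 08:00:01 DENY TCP 198.51.100.7:1034 -> 192.0.2.10:1080
1998-03-02 08:00:10 DENY TCP 198.51.100.23:2201 -> 192.0.2.10:1080
1998-03-02 08:00:31 DENY TCP 198.51.100.7:1035 -> 192.0.2.10:1080
1998-03-02 08:00:40 DENY TCP 198.51.100.23:2202 -> 192.0.2.10:1080
1998-03-02 08:00:55 DENY TCP 198.51.100.99:4000 -> 192.0.2.10:23
1998-03-02 08:01:01 DENY TCP 198.51.100.7:1036 -> 192.0.2.10:1080
1998-03-02 08:01:10 DENY TCP 198.51.100.23:2203 -> 192.0.2.10:1080
1998-03-02 08:01:15 DENY TCP 198.51.100.7:1040 -> 192.0.2.10:8080
-- log rotated --
1998-03-02 08:01:31 DENY TCP 198.51.100.7:1037 -> 192.0.2.10:1080
1998-03-02 08:01:40 DENY TCP 198.51.100.23:2204 -> 192.0.2.10:1080
1998-03-02 08:02:01 DENY TCP 198.51.100.7:1038 -> 192.0.2.10:1080
1998-03-02 08:02:31 DENY TCP 198.51.100.7:1039 -> 192.0.2.10:1080
"""


def parse_log(text):
    """Return one dict per parseable deny line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def summarize(records, proto="TCP", dport=1080):
    """Per-source attempt count and retry spacing for denied proto/dport."""
    by_src = defaultdict(list)
    for r in records:
        if r["proto"] == proto and r["dport"] == dport:
            by_src[r["src"]].append(r["ts"])
    summary = {}
    for src, stamps in by_src.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps) if gaps else None
        # Coefficient of variation of the gaps: near 0 means a fixed retry timer,
        # which is what a client with a stale proxy setting tends to produce.
        cv = (statistics.pstdev(gaps) / mean_gap) if len(gaps) > 1 and mean_gap else None
        summary[src] = {
            "count": len(stamps),
            "first": stamps[0],
            "last": stamps[-1],
            "mean_gap_s": mean_gap,
            "gap_cv": cv,
        }
    return summary


def classify(summary, few_sources=5, min_attempts=3, steady_cv=0.25):
    """Heuristic label; the thresholds are assumptions for illustration."""
    if not summary:
        return "none"
    steady = [
        s for s in summary.values()
        if s["count"] >= min_attempts and s["gap_cv"] is not None and s["gap_cv"] <= steady_cv
    ]
    if len(summary) <= few_sources and len(steady) == len(summary):
        return "few-steady-sources"   # looks like misconfigured clients retrying
    if len(summary) > few_sources:
        return "many-sources"         # wider spread; treat as something broader
    return "mixed"


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for src, s in sorted(summary.items()):
        print(f"{src:16} attempts={s['count']:3d} mean_gap={s['mean_gap_s']}s "
              f"gap_cv={s['gap_cv']} span={s['first'].time()}..{s['last'].time()}")
    print("verdict:", classify(summary))
```

The per-source gap statistics are the useful part: a browser or SOCKS client with a stale proxy address retries on a timer, so the denied attempts from one address are evenly spaced, whereas bursts spread across many addresses are not. Either way, the outbound side of Phil's fix (block and log outgoing connects to 1080 so stray configurations surface in your own logs) is what lets this kind of summary be produced at all.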