Wednesday, June 11, 2008

wigglit.ath.cx being bombarded with scans of port 1028/UDP

The culprit?

24.64.0.0/13, or 24.64.0.0 - 24.71.255.255, which resolves to SHAWCABLE.NET

There are at least 311 hosts within that range that have tried to connect to UDP port 1028 in the last few days. This isn't really a broad scan, but the peppering of hosts every day for the last few days, each one a unique host that has never been logged before, makes it hard to establish a pattern that would let me block the remote hosts that continue to scan for this port. So I've opted to initiate a broad block and keep it in place for maybe 30 days.
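An added example, not part of the original post: a per-day tally of in-range sources hitting UDP/1028, showing how many had never been logged before, which is the pattern that makes per-host blocking ineffective. The netfilter-style log format, the log lines and the destination address are constructed assumptions; the post does not say which firewall was in use.

```python
import ipaddress
import re
from collections import defaultdict

BLOCK = ipaddress.ip_network("24.64.0.0/13")  # range named in the post
PORT = 1028

# Constructed sample lines in netfilter LOG style (an assumption; the post
# does not say which firewall or log format was in use).
SAMPLE_LOG = """\
Jun  8 03:12:01 gw kernel: IN=eth0 SRC=24.64.17.5 DST=192.0.2.10 PROTO=UDP SPT=4431 DPT=1028
Jun  8 09:40:22 gw kernel: IN=eth0 SRC=24.66.201.9 DST=192.0.2.10 PROTO=UDP SPT=1190 DPT=1028
Jun  9 01:05:47 gw kernel: IN=eth0 SRC=24.71.3.88 DST=192.0.2.10 PROTO=UDP SPT=2210 DPT=1028
Jun  9 14:30:10 gw kernel: IN=eth0 SRC=24.72.0.1 DST=192.0.2.10 PROTO=UDP SPT=3300 DPT=1028
Jun  9 18:02:33 gw kernel: IN=eth0 SRC=24.65.9.200 DST=192.0.2.10 PROTO=TCP SPT=5123 DPT=1028
Jun 10 07:15:00 gw kernel: IN=eth0 SRC=24.64.17.5 DST=192.0.2.10 PROTO=UDP SPT=4479 DPT=1028
Jun 10 22:48:19 gw kernel: IN=eth0 SRC=24.69.140.77 DST=192.0.2.10 PROTO=UDP SPT=1033 DPT=1028
"""

LINE_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d+)\s.*?\bSRC=(?P<src>\S+)\s.*?\bPROTO=(?P<proto>\w+)\s.*?\bDPT=(?P<dpt>\d+)"
)

def summarize(log_text, network=BLOCK, port=PORT):
    """Per day: (in-range sources seen, sources never logged before); plus total unique."""
    seen, hosts, new = set(), defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "UDP" or int(m["dpt"]) != port:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed address field
        if src not in network:
            continue
        day = " ".join(m["day"].split())
        hosts[day].add(src)
        if src not in seen:
            new[day] += 1
            seen.add(src)
    return {d: (len(s), new[d]) for d, s in hosts.items()}, len(seen)

if __name__ == "__main__":
    days, total = summarize(SAMPLE_LOG)
    print("block covers", BLOCK[0], "-", BLOCK[-1])
    for day, (count, first_seen) in days.items():
        print(f"{day}: {count} in-range hosts, {first_seen} never logged before")
    print("unique in-range hosts:", total)
```
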

I'll monitor this activity and maybe alert the ISC diary if the scans continue.

If you're caught up in this ban, let me know and I'll see about allowing traffic to specific hosts.