Security Incidents mailing list archives

DoS, Portscan?


From: "Portnoy, Gary" <gportnoy () BELENOSINC COM>
Date: Fri, 9 Mar 2001 16:22:41 -0500

Hi there,

For about 30 minutes I experienced what I thought was a DoS, but it was very
strange. In that timeframe I received about 19,000 packets, from 7
different hosts: 217.67.238.156, 137.30.57.125, 212.6.212.98, 194.29.192.21,
212.182.30.34, 211.39.129.201, 172.138.190.200. The source port was all
over the range from 2 to ~60,000. The destination address was one of five
IPs, and the destination port was 1 of 21 ports, ranging from 1029 to 1978.
What I noticed is that certain destination IPs have certain destination
ports; for example, destination port 1029 would only occur with destination
IP x.y.z.194, destination port 1849 would only occur with destination IP
x.y.z.195, etc. And after 30 minutes this stopped. I haven't seen anything
from those addresses since. Unfortunately I don't have Snort running on
that network, so no network capture is possible. But here is a sample of
the log; time is EST (GMT -5:00):

Date    Time      Source          Source Port  Destination  Destination Port
3/9/01  11:48:18  212.182.30.34   25           x.y.z.196    1233
3/9/01  11:48:18  194.29.192.21   88           x.y.z.196    1233
3/9/01  11:50:29  211.39.129.201  6            x.y.z.195    1364
3/9/01  11:50:29  217.67.238.156  122          x.y.z.195    122
3/9/01  11:50:45  194.29.192.21   174          x.y.z.194    1780
etc.

Any ideas?

Gary Portnoy
Network Administrator
gportnoy () belenosinc com

PGP Fingerprint: 9D69 6A39 642D 78FD 207C  307D B37D E01A 2E89 9D2C
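An added analysis script (not part of the original post) that parses the whitespace-separated log layout quoted above and computes the things the post reasons about: the port set seen per destination IP, packets per source host, the source-port spread, and any destination that breaks the one-port-per-target pattern. The embedded sample is constructed from the five quoted rows; the field layout is assumed to match the header shown.

```python
"""Summarise a flattened firewall log in the post's layout:
Date Time Source SourcePort Destination DestinationPort, whitespace-separated."""
from collections import defaultdict

# Constructed sample in the same layout as the post's excerpt (x.y.z masked as in the post).
SAMPLE_LOG = """\
Date    Time      Source          Source Port  Destination  Destination Port
3/9/01  11:48:18  212.182.30.34   25           x.y.z.196    1233
3/9/01  11:48:18  194.29.192.21   88           x.y.z.196    1233
3/9/01  11:50:29  211.39.129.201  6            x.y.z.195    1364
3/9/01  11:50:29  217.67.238.156  122          x.y.z.195    122
3/9/01  11:50:45  194.29.192.21   174          x.y.z.194    1780
etc.
"""

def parse_log(text):
    """Return one dict per data row; header and 'etc.' lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        # A data row has exactly six fields and numeric port columns.
        if len(fields) != 6 or not (fields[3].isdigit() and fields[5].isdigit()):
            continue
        date, time, src, sport, dst, dport = fields
        records.append({"date": date, "time": time, "src": src,
                        "sport": int(sport), "dst": dst, "dport": int(dport)})
    return records

def summarize(records):
    """Per-destination port sets, per-source packet counts and the source-port span."""
    dst_ports, src_counts, sports = defaultdict(set), defaultdict(int), []
    for r in records:
        dst_ports[r["dst"]].add(r["dport"])
        src_counts[r["src"]] += 1
        sports.append(r["sport"])
    return {"dst_ports": {k: sorted(v) for k, v in dst_ports.items()},
            "src_counts": dict(src_counts),
            "sport_range": (min(sports), max(sports)) if sports else None}

def port_exceptions(summary):
    """Destinations hit on more than one port, i.e. rows that break the
    'each target IP gets exactly one destination port' pattern the post describes."""
    return {dst: ports for dst, ports in summary["dst_ports"].items() if len(ports) > 1}
```

Run over the full log rather than the excerpt, the exceptions dict shows at a glance whether the per-target port mapping really holds for all five destinations.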

