Security Incidents mailing list archives

Lengthy probes of port 8500


From: Paul Gear <paul () gear dyndns org>
Date: Wed, 05 Sep 2001 17:51:12 +1000

Has anyone seen probes like this in the last few days?  I've never
seen them before, then last night I got more than 300 attempts in a
little over 2 hours.

Sep  4 18:53:39 xxx kernel: Packet log: input DENY ppp0 PROTO=6 a.a.30.66:1761 x.x.16.93:8500 L=48 S=0x00 I=65349 F=0x4000 T=117 SYN (#67)
Sep  4 18:53:40 xxx kernel: Packet log: input DENY ppp0 PROTO=6 b.b.18.36:1039 x.x.16.93:8500 L=48 S=0x00 I=43805 F=0x4000 T=123 SYN (#67)
Sep  4 18:53:42 xxx kernel: Packet log: input DENY ppp0 PROTO=6 a.a.30.66:1761 x.x.16.93:8500 L=48 S=0x00 I=65351 F=0x4000 T=117 SYN (#67)
Sep  4 18:53:47 xxx kernel: Packet log: input DENY ppp0 PROTO=6 b.b.18.36:1039 x.x.16.93:8500 L=48 S=0x00 I=44317 F=0x4000 T=123 SYN (#67)
Sep  4 18:53:48 xxx kernel: Packet log: input DENY ppp0 PROTO=6 a.a.30.66:1761 x.x.16.93:8500 L=48 S=0x00 I=65427 F=0x4000 T=117 SYN (#67)

The scans came from 4 different IP addresses one of which also tried
ports 15453 and 26138, and another which also tried port 20687.
Another tried port 20687 without trying 8500.  The source addresses
are from two different networks, but both are in the local
geographical region.

I wondered whether it was some sort of gaming or file sharing, where
the initial setup is done via http to a central server and the
subsequent connections are peer-to-peer.  However, none of the users
wants to own up to doing anything (surprise, surprise ;-).

Paul
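
The per-source tally Paul did by hand (which hosts hit 8500, what other ports each of them also tried) is the kind of thing worth scripting once the log runs to hundreds of lines. The following is an added example, not code from the original post or from the list: it parses the ipchains "Packet log:" format quoted above and groups denied TCP SYNs by source host. The sample log is constructed to imitate the quoted lines, using RFC 5737 documentation addresses in place of the masked a.a/b.b/x.x hosts; the hostname "gw", the second set of ports and the UDP line are likewise made up for the example.

```python
"""Summarise ipchains "Packet log:" denies by source host.

Constructed example: SAMPLE_LOG imitates the 2.2-era ipchains kernel log
format quoted in the post, with documentation-range (RFC 5737) addresses
standing in for the masked hosts.
"""
import re
from collections import defaultdict

# Field order as in the quoted lines:
# <ts> <host> kernel: Packet log: <chain> <target> <iface> PROTO=<n>
#   <src>:<sport> <dst>:<dport> L=<len> S=<tos> I=<id> F=<frag> T=<ttl> [SYN] (#<rule>)
IPCHAINS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<id>\d+) F=0x(?P<frag>[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+)(?P<flags>(?: SYN)?) \(#(?P<rule>\d+)\)$"
)

SAMPLE_LOG = """\
Sep  4 18:53:39 gw kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.66:1761 198.51.100.93:8500 L=48 S=0x00 I=65349 F=0x4000 T=117 SYN (#67)
Sep  4 18:53:40 gw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.36:1039 198.51.100.93:8500 L=48 S=0x00 I=43805 F=0x4000 T=123 SYN (#67)
Sep  4 18:53:42 gw kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.66:1761 198.51.100.93:8500 L=48 S=0x00 I=65351 F=0x4000 T=117 SYN (#67)
Sep  4 18:53:47 gw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.36:1039 198.51.100.93:8500 L=48 S=0x00 I=44317 F=0x4000 T=123 SYN (#67)
Sep  4 18:53:48 gw kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.66:1761 198.51.100.93:8500 L=48 S=0x00 I=65427 F=0x4000 T=117 SYN (#67)
Sep  4 18:55:10 gw kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.66:1762 198.51.100.93:15453 L=48 S=0x00 I=65501 F=0x4000 T=117 SYN (#67)
Sep  4 18:55:13 gw kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.66:1762 198.51.100.93:15453 L=48 S=0x00 I=65503 F=0x4000 T=117 SYN (#67)
Sep  4 18:56:02 gw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.36:1040 198.51.100.93:20687 L=48 S=0x00 I=44400 F=0x4000 T=123 SYN (#67)
Sep  4 18:53:50 gw kernel: Packet log: input DENY ppp0 PROTO=17 192.0.2.200:53 198.51.100.93:1025 L=60 S=0x00 I=1 F=0x0000 T=60 (#70)
"""


def parse_line(line):
    """Return a dict of the fields in one ipchains log line, or None if it is not one."""
    m = IPCHAINS_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"], "chain": d["chain"], "target": d["target"], "iface": d["iface"],
        "proto": int(d["proto"]), "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]), "ttl": int(d["ttl"]),
        "ip_id": int(d["id"]), "syn": d["flags"].strip() == "SYN", "rule": int(d["rule"]),
    }


def summarise_tcp_syn(lines):
    """Group denied TCP SYNs by source host.

    Packets sharing (sport, dst, dport) from one source are counted as a single
    connection attempt: a client's TCP stack retransmits an unanswered SYN from
    the same source port, so such repeats are retries rather than new probes.
    Non-TCP lines and non-SYN segments are ignored.
    """
    per_src = defaultdict(lambda: {"packets": 0, "attempts": set(), "ports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != 6 or not rec["syn"]:
            continue
        s = per_src[rec["src"]]
        s["packets"] += 1
        s["attempts"].add((rec["sport"], rec["dst"], rec["dport"]))
        s["ports"].add(rec["dport"])
    return {
        src: {"packets": v["packets"], "attempts": len(v["attempts"]),
              "ports": sorted(v["ports"])}
        for src, v in per_src.items()
    }


def sources_probing(summary, port):
    """Sources that hit `port`, mapped to the other ports each of them also tried."""
    return {src: [p for p in v["ports"] if p != port]
            for src, v in summary.items() if port in v["ports"]}


if __name__ == "__main__":
    summary = summarise_tcp_syn(SAMPLE_LOG.splitlines())
    for src, v in sorted(summary.items()):
        print(f"{src:15} packets={v['packets']} attempts={v['attempts']} ports={v['ports']}")
    print("other ports tried by hosts that probed 8500:", sources_probing(summary, 8500))
```

Distinguishing packets from attempts matters for the question Paul is asking: in the quoted excerpt the same source port (1761, 1039) recurs with a rising IP ID at roughly 1, 3 and 6 second gaps, which is what an ordinary client's SYN retransmission looks like, so "300 attempts" from four hosts may be far fewer distinct connection attempts than it first appears.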



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

