Comcast port sweep?

Comcast port sweep?

Post by Jim Orfanako » Wed, 25 Jun 2003 10:10:28



Looks like Comcast is doing a port sweep.  This is what I found in my Link
Logger router logs today.

63.214.53.45 resolves to "unknown.Level3.net"

Has anyone seen this?

6/23/2003 20:54:06.866  -  63.214.53.45 : 80  >>>  my.ip.address : 1121
6/23/2003 20:54:06.605  -  63.214.53.45 : 80  >>>  my.ip.address : 1107
6/23/2003 20:54:05.564  -  63.214.53.45 : 80  >>>  my.ip.address : 1106
6/23/2003 20:54:05.313  -  63.214.53.45 : 80  >>>  my.ip.address : 1103
6/23/2003 20:54:03.531  -  63.214.53.45 : 80  >>>  my.ip.address : 1107
6/23/2003 20:54:03.361  -  63.214.53.45 : 80  >>>  my.ip.address : 1120
6/23/2003 20:54:03.351  -  63.214.53.45 : 80  >>>  my.ip.address : 1124
6/23/2003 20:54:03.351  -  63.214.53.45 : 80  >>>  my.ip.address : 1119
6/23/2003 20:54:03.341  -  63.214.53.45 : 80  >>>  my.ip.address : 1122
6/23/2003 20:54:03.311  -  63.214.53.45 : 80  >>>  my.ip.address : 1121
6/23/2003 20:54:03.270  -  63.214.53.45 : 80  >>>  my.ip.address : 1117
6/23/2003 20:54:03.070  -  63.214.53.45 : 80  >>>  my.ip.address : 1103
6/23/2003 20:54:02.920  -  63.214.53.45 : 80  >>>  my.ip.address : 1106
6/23/2003 20:54:01.989  -  63.214.53.45 : 80  >>>  my.ip.address : 1107
6/23/2003 20:54:01.949  -  63.214.53.45 : 80  >>>  my.ip.address : 1103
6/23/2003 20:54:01.598  -  63.214.53.45 : 80  >>>  my.ip.address : 1106
6/23/2003 20:54:01.588  -  63.214.53.45 : 80  >>>  my.ip.address : 1122
6/23/2003 20:54:01.578  -  63.214.53.45 : 80  >>>  my.ip.address : 1124
6/23/2003 20:54:01.568  -  63.214.53.45 : 80  >>>  my.ip.address : 1119
6/23/2003 20:54:01.558  -  63.214.53.45 : 80  >>>  my.ip.address : 1120
6/23/2003 20:54:01.538  -  63.214.53.45 : 80  >>>  my.ip.address : 1121
6/23/2003 20:54:01.438  -  63.214.53.45 : 80  >>>  my.ip.address : 1117
6/23/2003 20:54:01.398  -  63.214.53.45 : 80  >>>  my.ip.address : 1103
6/23/2003 20:54:01.228  -  63.214.53.45 : 80  >>>  my.ip.address : 1107
6/23/2003 20:54:00.947  -  63.214.53.45 : 80  >>>  my.ip.address : 1106
6/23/2003 21:04:24.113  -  63.214.53.45 : 80  >>>  my.ip.address : 1103
6/23/2003 21:04:49.169  -  63.214.53.45 : 80  >>>  my.ip.address : 1106
6/23/2003 21:05:17.240  -  63.214.53.45 : 80  >>>  my.ip.address : 1104
6/23/2003 21:05:17.490  -  63.214.53.45 : 80  >>>  my.ip.address : 1107

 
 
 

Comcast port sweep?

Post by Larr » Wed, 25 Jun 2003 11:03:52


Your IP is 68.85.26.211 according to your Com*header.

Those ports would be return ports from an html server looking to
answer a webpage request.  Did you open a webpage to something before
this storm of replies?  Looks like the html server was just trying to
answer your browser request coming out on port 80.

On Mon, 23 Jun 2003 21:10:28 -0400, "Jim Orfanakos"


>Looks like Comcast is doing a port sweep.  This is what I found in my Link
>Logger router logs today.

>63.214.53.45 resolves to "unknown.Level3.net"

>Has anyone seen this?

>6/23/2003 20:54:06.866  -  63.214.53.45 : 80  >>>  my.ip.address : 1121
>6/23/2003 20:54:06.605  -  63.214.53.45 : 80  >>>  my.ip.address : 1107
>6/23/2003 20:54:05.564  -  63.214.53.45 : 80  >>>  my.ip.address : 1106
>6/23/2003 20:54:05.313  -  63.214.53.45 : 80  >>>  my.ip.address : 1103
>6/23/2003 20:54:03.531  -  63.214.53.45 : 80  >>>  my.ip.address : 1107
>6/23/2003 20:54:03.361  -  63.214.53.45 : 80  >>>  my.ip.address : 1120
>6/23/2003 20:54:03.351  -  63.214.53.45 : 80  >>>  my.ip.address : 1124
>6/23/2003 20:54:03.351  -  63.214.53.45 : 80  >>>  my.ip.address : 1119
>6/23/2003 20:54:03.341  -  63.214.53.45 : 80  >>>  my.ip.address : 1122
>6/23/2003 20:54:03.311  -  63.214.53.45 : 80  >>>  my.ip.address : 1121
>6/23/2003 20:54:03.270  -  63.214.53.45 : 80  >>>  my.ip.address : 1117
>6/23/2003 20:54:03.070  -  63.214.53.45 : 80  >>>  my.ip.address : 1103
>6/23/2003 20:54:02.920  -  63.214.53.45 : 80  >>>  my.ip.address : 1106
>6/23/2003 20:54:01.989  -  63.214.53.45 : 80  >>>  my.ip.address : 1107
>6/23/2003 20:54:01.949  -  63.214.53.45 : 80  >>>  my.ip.address : 1103
>6/23/2003 20:54:01.598  -  63.214.53.45 : 80  >>>  my.ip.address : 1106
>6/23/2003 20:54:01.588  -  63.214.53.45 : 80  >>>  my.ip.address : 1122
>6/23/2003 20:54:01.578  -  63.214.53.45 : 80  >>>  my.ip.address : 1124
>6/23/2003 20:54:01.568  -  63.214.53.45 : 80  >>>  my.ip.address : 1119
>6/23/2003 20:54:01.558  -  63.214.53.45 : 80  >>>  my.ip.address : 1120
>6/23/2003 20:54:01.538  -  63.214.53.45 : 80  >>>  my.ip.address : 1121
>6/23/2003 20:54:01.438  -  63.214.53.45 : 80  >>>  my.ip.address : 1117
>6/23/2003 20:54:01.398  -  63.214.53.45 : 80  >>>  my.ip.address : 1103
>6/23/2003 20:54:01.228  -  63.214.53.45 : 80  >>>  my.ip.address : 1107
>6/23/2003 20:54:00.947  -  63.214.53.45 : 80  >>>  my.ip.address : 1106
>6/23/2003 21:04:24.113  -  63.214.53.45 : 80  >>>  my.ip.address : 1103
>6/23/2003 21:04:49.169  -  63.214.53.45 : 80  >>>  my.ip.address : 1106
>6/23/2003 21:05:17.240  -  63.214.53.45 : 80  >>>  my.ip.address : 1104
>6/23/2003 21:05:17.490  -  63.214.53.45 : 80  >>>  my.ip.address : 1107

Larry

Extremely intelligent life must exist in the universe.
You can tell because they never tried to contact us.

 
 
 

Comcast port sweep?

Post by Giles Harne » Wed, 25 Jun 2003 20:34:49



Quote:> Looks like Comcast is doing a port sweep.  This is what I found in my Link
> Logger router logs today.

> 63.214.53.45 resolves to "unknown.Level3.net"

how do you figure its comcast when the IP you have identified is from
level3.net??????
 
 
 

Comcast port sweep?

Post by Jim Orfanako » Wed, 25 Jun 2003 20:45:16


Comcast uses Level3


:


: > Looks like Comcast is doing a port sweep.  This is what I found in my
Link
: > Logger router logs today.
: >
: > 63.214.53.45 resolves to "unknown.Level3.net"
:
: how do you figure its comcast when the IP you have identified is from
: level3.net??????
:
:
:

 
 
 

Comcast port sweep?

Post by timeOda » Thu, 26 Jun 2003 10:54:51


They check certain ports (e.g. windows shares) very frequently, but a sweep
surprises me.  If course if the portscan is coming from a fixed address
like that it's easy to detect and blacklist that host.

 
 
 

1. Comcast blocking high port numbers?

I forward incoming tcp connections on one specific high port number to
an internal host on my network.  I don't run any servers or forward or
accept any other incoming connections.  It was working fine before Jan

actually working after the transition and I've changed nothing in my
router/firewall configs.  Then, it stopped working.  I'm considering
calling comcast tech support, but I'm certain it will be a frustrating
and time consuming phone call.

Has anyone else noticed this on the new comcast network?  Specifically
in Northern VA

2. Humorous Submissions

3. Is Comcast blocking ALL NNTP port 119 access?

4. XGA and 640x480x65536

5. Help!!D-link 4 port cable router (di-704), windows xp, comcast@home

6. Help Needed with Canon BJC-4200 printer

7. comcast digital tv cable boxes each have their own ip addresses and ethernet port

8. Alessandra Carbone: Proofs and Logical Flow Graphs

9. IDS 4215 Picking up Net Sweep-echo

10. Ping Sweep from CAT to keep the IP's actual !?!?!?

11. Using IOS to Stop People from Sweeping Our Network Looking for Hosts.

12. Broad Computer Telephony Patent Sweep!

13. ISP recommends line sweep to reduce signal noise?