Getting slammed from port 12200

Chaotic42

Lifer
Jun 15, 2001
33,932
1,113
126
So every once in a while I log into my OpenBSD firewall to see what's been going on. Today I noticed that I have been getting *slammed* by computers mostly in the 221.x.x.x IP range and always on port 12200. I looked up the IP range and it's from Asia, and port 12200 appears to be something SAN related.

I mean this thing is going nuts. All kinds of different IP addresses, mostly in the same 221 range. Here's a sample:

Code:
15:11:12.000456 221.1.220.199.12200 > CHAOTIC42IP.2479: S 1966153762:1966153762(0) win 8192 (DF)
15:11:12.306937 221.1.220.199.12200 > CHAOTIC42IP.9090: S 1966213044:1966213044(0) win 8192 (DF)
15:11:12.564609 221.1.220.199.12200 > CHAOTIC42IP.8090: S 1966272326:1966272326(0) win 8192 (DF)
15:11:12.671603 221.1.220.199.12200 > CHAOTIC42IP.1080: S 1966301967:1966301967(0) win 8192 (DF)
15:11:13.489275 221.1.220.199.12200 > CHAOTIC42IP.8118: S 1966420531:1966420531(0) win 8192 (DF)
15:11:13.661051 221.1.220.199.12200 > CHAOTIC42IP.8088: S 1966450172:1966450172(0) win 8192 (DF)

There are tons of these things. 231 in the last four hours and ten minutes. They're also pinging me.

Any idea what this is or anything I can do about it?
 

Bandit1

Member
Jan 11, 2005
105
0
0
Same port scans hit me a while back on 12200. They were all China addys. It did NOT stop for a week and would've kept on. Blocked chunks of IPs, then they just switched up. I'd recommend acquiring a new IP address and a few cosmetic router changes if it really gets bothersome or worrisome.
 

Modelworks

Lifer
Feb 22, 2007
16,240
7
76
When this happens and it is persistent what you need to do is find the address that they are connecting to in the USA from their provider. Then copy the logs and send it to the network provider that they are using for that connection. If you are lucky it will be a decent provider and they will block the traffic.

The problem with things like this is people rarely do any reporting of it and just ignore it so it continues. Network providers really don't want this kind of traffic and will stop it if notified.

Same for malware. I report every instance I find of a server distributing it. I think people might be surprised at how often I get an immediate response from the provider telling me they have fixed the situation. If you don't report it, it will continue.

When I trace back to that address it seems they are using qwest for the connection point in the USA. To contact them it would be abuse@qwest.net
 

Gamingphreek

Lifer
Mar 31, 2003
11,679
0
81
Modelworks hit the nail on the head, but to answer your second question regarding pings.

Create a rule (I'm assuming you are using iptables in BSD?) that discards all ICMP traffic on the WAN Side.

Bandit1 - I'm not sure how you think you can just change IP Addresses on a whim. Unless you purchased a large block of Private WAN Side IP's from your ISP (Highly unlikely) you are likely on a Dynamic IP scheme that will change every once in a while.
 

Bandit1

Member
Jan 11, 2005
105
0
0
Bandit1 - I'm not sure how you think you can just change IP Addresses on a whim. Unless you purchased a large block of Private WAN Side IP's from your ISP (Highly unlikely) you are likely on a Dynamic IP scheme that will change every once in a while.

I only speak from experience, as little as I post here I could care less if you believe it. I sure as hell CAN, on a "whim" as you say, change my dynamic IP. Look around a bit, experiment. It can take some patience to nail it. The more methods of defense at your disposal, the better off you are. This doesn't mean running 10 quadzillion programs, either. That's all I've got to say. I stand by my thoughts providing certain situations arise, such as above.
 

Gamingphreek

Lifer
Mar 31, 2003
11,679
0
81
I only speak from experience, as little as I post here I could care less if you believe it. I sure as hell CAN, on a "whim" as you say, change my dynamic IP. Look around a bit, experiment. It can take some patience to nail it. The more methods of defense at your disposal, the better off you are. This doesn't mean running 10 quadzillion programs, either. That's all I've got to say. I stand by my thoughts providing certain situations arise, such as above.

You do not have control when your ISP switches your IP Address. You can release and renew the lease until your fingers fall off - if the ISP's rule dictates the IP's re-lease every week, you have to wait until that time is up!
 

sldysart

Junior Member
Apr 7, 2011
1
0
0
I was getting annoyed with recurring port scans and wanted to get a new IP address without leaving my network shut down for a couple days. This worked for me on Charter:

Clone the MAC address of a connected PC to the router, shut down and restart modem & router. I immediately got a new IP address. Leave in place several days until the lease associated with the original MAC address has expired. Then, if you want, you can switch the MAC address back.
 

LiuKangBakinPie

Diamond Member
Jan 31, 2011
3,903
0
0
Does your firewall accept incoming echo requests?
This is what is happening.
Google for this -> yersinia

For INBOUND packets the Destination Port is the port on YOUR computer! The Source Port is the port on the computer where the packet originated. So the scans in your first entries were to destination Port

These are probes looking for specific vulnerabilities, and yes everyone sees them. You can look up the IPs on www.mynetwatchman.com and see that these IPs are probing other users also.
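
To make the source-port versus destination-port distinction concrete, here is an added example (not part of the thread) that parses the tcpdump lines from the first post and groups them by sender. The `192.0.2.10` line, the `min_ports` threshold and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Old-style tcpdump text output: time src.port > dst.port: flags ...
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<flags>\S+) ")

# First six lines are the sample from the first post; the last is constructed.
SAMPLE = """\
15:11:12.000456 221.1.220.199.12200 > CHAOTIC42IP.2479: S 1966153762:1966153762(0) win 8192 (DF)
15:11:12.306937 221.1.220.199.12200 > CHAOTIC42IP.9090: S 1966213044:1966213044(0) win 8192 (DF)
15:11:12.564609 221.1.220.199.12200 > CHAOTIC42IP.8090: S 1966272326:1966272326(0) win 8192 (DF)
15:11:12.671603 221.1.220.199.12200 > CHAOTIC42IP.1080: S 1966301967:1966301967(0) win 8192 (DF)
15:11:13.489275 221.1.220.199.12200 > CHAOTIC42IP.8118: S 1966420531:1966420531(0) win 8192 (DF)
15:11:13.661051 221.1.220.199.12200 > CHAOTIC42IP.8088: S 1966450172:1966450172(0) win 8192 (DF)
15:11:14.100000 192.0.2.10.51515 > CHAOTIC42IP.22: S 100:100(0) win 65535 (DF)
"""

def parse_line(line):
    """Return src/dst/ports/flags for one tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def summarize(lines, min_ports=5):
    """Group inbound packets by sender; flag one fixed source port fanning out to many local ports."""
    by_src = defaultdict(lambda: {"sports": set(), "dports": set(), "syns": 0})
    for rec in filter(None, map(parse_line, lines)):
        s = by_src[rec["src"]]
        s["sports"].add(rec["sport"])   # port on the REMOTE machine
        s["dports"].add(rec["dport"])   # port on YOUR machine being probed
        s["syns"] += rec["flags"] == "S"
    return {
        src: {
            "source_ports": sorted(s["sports"]),
            "probed_ports": sorted(s["dports"]),
            "syn_count": s["syns"],
            "looks_like_scan": len(s["sports"]) == 1 and len(s["dports"]) >= min_ports,
        }
        for src, s in by_src.items()
    }

if __name__ == "__main__":
    for src, info in summarize(SAMPLE.splitlines()).items():
        print(src, info)
```

For the sample in the first post, 12200 shows up only as the remote source port; the ports actually being probed on the firewall are the six destination ports.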
 