Attaining information about attempted intrusions
Hi all,

In response, feel free to let me know if you know of a better list to aim 
questions like this at:

My client has been portscanned for several weeks now.  Upward of thirty scans a 
day, with a similar profile.  They each scan the IP block owned (and 
conceivably the scan continues past our block onto the next).

The scans continually look for responses on a small set of ports, one port per 
scan.  The same port is being scanned on the IP block a multitude of times.

Each time the scan comes from a new IP address, and they are rarely reused.

Scanning the IP addresses back, I find that some are locked down, and some 
respond on common trojan ports.  One of them turned out to be a router.

I am thinking that it is likely to be a single source with a forged source IP.  
And the repeated scans on the same ports for this amount of time suggest perhaps 
the perp cannot see the response packets, and perhaps isn't aware of, or doesn't 
understand, what they are doing.

I am getting sniffs of the packets to see if I can passive fingerprint the 
source OS, and that should indicate somewhat if there actually is a single 
source or not.  If not, I will look further into the IPs, though it seems 
unlikely someone with access to so many IP addresses would be doing something 
so benign.

If it does appear to be a single source, then does anyone have any further tips on 
how to determine where it comes from?  My only apparent course of action is to 
get my ISP to sniff for these packets at various parts of their network and see 
where they get introduced.

Any other ideas?

Thanks,

Paul. 

------------------------------------------------
Global WebMail -
  Delivered by Global Internet www.global.net.uk
------------------------------------------------



-
[To unsubscribe, send mail to majordomo@lists.gnac.net with
"unsubscribe firewalls" in the body of the message.]
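The single-spoofing-source test Paul describes, worked through as an added example (this is not code from the original post or from the firewalls list). It assumes the sniffed SYNs have already been reduced to a few fields per packet, and it uses only the three cheapest passive-fingerprint signals: the guessed initial TTL, the TCP window size and the IP don't-fragment flag. The packet sample is constructed for the demonstration, and the addresses, port numbers and TTLs in it are illustrative, not from any real capture.

```python
"""Cluster sniffed SYN packets by passive fingerprint and hop distance to test
whether scans with many claimed source IPs could come from one spoofing host.
Example code, not from the original post."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class Syn:
    src: str     # claimed (possibly forged) source IP
    dport: int   # port being probed
    ttl: int     # IP TTL as received at the sniffer
    win: int     # TCP window size in the SYN
    df: bool     # IP don't-fragment flag


# Constructed sample (not a real capture): five claimed sources, one reused,
# probing two ports. The values are chosen to look like one Windows-class
# sender sitting about 15 hops away, no matter which source IP it claims.
SAMPLE = [
    Syn("198.51.100.7", 139, 113, 8192, True),
    Syn("203.0.113.42", 139, 113, 8192, True),
    Syn("192.0.2.200", 139, 112, 8192, True),
    Syn("198.51.100.7", 1243, 113, 8192, True),
    Syn("203.0.113.9", 1243, 113, 8192, True),
    Syn("192.0.2.77", 1243, 113, 8192, True),
]

# Common default initial TTLs; a received TTL is assumed to have started at the
# smallest of these that is not below it.
INITIAL_TTLS = (32, 64, 128, 255)


def initial_ttl(ttl: int) -> int:
    """Guess the sender's starting TTL from the received one."""
    for t in INITIAL_TTLS:
        if ttl <= t:
            return t
    return 255


def hops(p: Syn) -> int:
    """Estimated router hops between the real sender and the sniffer."""
    return initial_ttl(p.ttl) - p.ttl


def fingerprint(p: Syn) -> Tuple[int, int, bool]:
    """Coarse passive OS fingerprint: (initial TTL, window size, DF)."""
    return (initial_ttl(p.ttl), p.win, p.df)


def port_summary(pkts: Iterable[Syn]) -> Dict[int, Tuple[int, int]]:
    """dport -> (number of probes, number of distinct claimed sources)."""
    by_port = defaultdict(list)
    for p in pkts:
        by_port[p.dport].append(p.src)
    return {port: (len(srcs), len(set(srcs))) for port, srcs in by_port.items()}


def source_reuse(pkts: Iterable[Syn]) -> float:
    """Fraction of claimed source IPs that appear more than once."""
    counts = Counter(p.src for p in pkts)
    return sum(1 for n in counts.values() if n > 1) / len(counts)


def single_source_consistent(pkts: Iterable[Syn], hop_slack: int = 1) -> bool:
    """True when every packet shares one fingerprint and one hop distance
    (within hop_slack). Forging the source IP changes only the claimed
    address; TTL decrement, window and DF still reflect the real sender and
    its path, so genuinely distinct hosts on different networks would be
    expected to disagree. Agreement is suggestive, not proof."""
    pkts = list(pkts)
    if len({fingerprint(p) for p in pkts}) != 1:
        return False
    distances = [hops(p) for p in pkts]
    return max(distances) - min(distances) <= hop_slack


if __name__ == "__main__":
    print("per-port (probes, distinct sources):", port_summary(SAMPLE))
    print("source reuse fraction:", source_reuse(SAMPLE))
    print("consistent with one spoofing sender:", single_source_consistent(SAMPLE))
```

A real host that merely happens to share the same OS defaults can still match on window size and DF, so the hop-distance check is the part that carries weight: a spoofing host cannot vary the path its packets take. Feeding this the ISP's captures from several vantage points, as Paul proposes, would show the hop count shrinking toward the point where the packets enter the network.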
