Dhs

DHS redux

So it looks like those scans were coming from NCATS. This is only meant to scan networks associated with the Federal government. I’m guessing there was a misconfiguration, somewhere, ‘cos Panix tell me they never requested any scans of their network :-) Through a friend I contacted their SOC. I saw another scan yesterday and escalated. They just replied and told me that they’ve removed the IP ranges from their config.

Huh, the department of homeland security is attacking me?

Either the DHS is attacking me, or else they’ve got compromised computers… In my logs I see 1147 attempts from 64.69.57.20 to my web server; e.g. 64.69.57.20 - - [03/Jul/2015:00:40:32 -0400] "\x16\x03\x01" 501 295 "-" "-" 64.69.57.20 - - [03/Jul/2015:00:40:40 -0400] "GNUTELLA CONNECT/0.6" 400 306 "-" "-" 64.69.57.20 - - [03/Jul/2015:00:40:41 -0400] "GET http://rfi.nessus.org/check_proxy.html HTTP/1.0" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)" 64.69.57.20 - - [03/Jul/2015:00:40:42 -0400] "ABKJFC / HTTP/1.