Firewall Wizards mailing list archives

Re: repetitive port scanning, why?


From: "Michael H. Warfield" <mhw () wittsend com>
Date: Thu, 5 Aug 1999 10:53:19 -0400 (EDT)

Fred Kreitzberg enscribed thusly:
Our web store underwent a heavy port scan yesterday.  It was unusual in the number of scans, the port scanning
pattern, and the fact that they scanned each port 6 times.  They were fast too: 8600 scans in less than 2 minutes.  Is this
a new product/technique?

        If I were to take a WAG (Wild *** Guess) at this, I would guess
that you have your firewall set to "deny" these connections as in "drop
the packets on the floor and ignore them".  If that's the case, then I
don't think you are seeing each port "scanned" 6 times, I think you are
seeing the SYN packets being retried by the TCP stack at the other end.
Any decent port scanner could crank up 1400 connections in 2 minutes
(assuming the "6 scans" were really 1 connection attempt including retries,
so 8600 / 6 is about 1433 connection attempts).  That's only about 12
connection attempts per second.  That's not even breathing hard.

        Somebody did a connected TCP port scan against you.  I don't see
anything unusual there.

Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2301 to 206.81.220.22 2011 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2302 to 206.81.220.22 655 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2303 to 206.81.220.22 273 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2304 to 206.81.220.22 4144 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2305 to 206.81.220.22 1480 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2306 to 206.81.220.22 747 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2307 to 206.81.220.22 36 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2308 to 206.81.220.22 316 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2309 to 206.81.220.22 600 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2310 to 206.81.220.22 159 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2311 to 206.81.220.22 530 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2312 to 206.81.220.22 2011 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2313 to 206.81.220.22 655 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2314 to 206.81.220.22 273 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2315 to 206.81.220.22 4144 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2316 to 206.81.220.22 1480 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2317 to 206.81.220.22 747 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2318 to 206.81.220.22 36 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2319 to 206.81.220.22 316 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2320 to 206.81.220.22 600 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2321 to 206.81.220.22 159 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2322 to 206.81.220.22 530 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2323 to 206.81.220.22 2011 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2324 to 206.81.220.22 655 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2325 to 206.81.220.22 273 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2326 to 206.81.220.22 4144 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2327 to 206.81.220.22 1480 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2328 to 206.81.220.22 747 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2329 to 206.81.220.22 36 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2330 to 206.81.220.22 316 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2331 to 206.81.220.22 600 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2332 to 206.81.220.22 159 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2333 to 206.81.220.22 530 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2334 to 206.81.220.22 10005 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2335 to 206.81.220.22 201 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2336 to 206.81.220.22 2032 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2337 to 206.81.220.22 832 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2338 to 206.81.220.22 2004 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2339 to 206.81.220.22 504 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2340 to 206.81.220.22 1381 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2341 to 206.81.220.22 1448 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2342 to 206.81.220.22 355 flags SYN

Fredrick W. Kreitzberg...............................................Data Security
Recreational Equipment Inc. (REI)........................email:fkreitz () rei com
Box 1938.....................................................phone: 253.395.5881
Sumner, WA 98390-0800.....................................FAX: 253.395.4720
"Quality Outdoor Gear and Clothing Since 1938"..........http://www.rei.com

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (770) 925-8248   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
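One way to check the retry hypothesis against a log like the one quoted in this thread, added here as an example and not code from either poster: a SYN that the remote TCP stack retransmits belongs to the same connection, so it carries the same source port every time, whereas a scanner that issues a fresh connection attempt per port gets a new ephemeral source port each time. The script below parses deny lines in the format of the posted log, groups them per source/destination pair, and reports whether repeated destination ports came from one source port or from new ones. The 129.121.2.4 lines are copied from the post (first 22 lines, two passes over the same eleven ports); the 10.0.0.5 lines are a constructed sample of what a single retried SYN would look like. The line format, function names and verdict strings are this example's own assumptions, not anything the firewall product defines.

```python
"""Tell SYN retransmissions from repeated scan attempts in firewall deny logs."""
import re
from collections import defaultdict

# Copied from the log quoted in the post above (time written as HH:MM:SS;
# the parser also accepts the archive's "17 43 40" spelling).
POSTED_LOG = """\
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2301 to 206.81.220.22 2011 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2302 to 206.81.220.22 655 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2303 to 206.81.220.22 273 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2304 to 206.81.220.22 4144 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2305 to 206.81.220.22 1480 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2306 to 206.81.220.22 747 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2307 to 206.81.220.22 36 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2308 to 206.81.220.22 316 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2309 to 206.81.220.22 600 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2310 to 206.81.220.22 159 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2311 to 206.81.220.22 530 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2312 to 206.81.220.22 2011 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2313 to 206.81.220.22 655 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2314 to 206.81.220.22 273 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2315 to 206.81.220.22 4144 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2316 to 206.81.220.22 1480 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2317 to 206.81.220.22 747 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2318 to 206.81.220.22 36 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2319 to 206.81.220.22 316 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2320 to 206.81.220.22 600 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2321 to 206.81.220.22 159 flags SYN
Aug 2 17:43:40 Inbound TCP connection denied from 129.121.2.4 2322 to 206.81.220.22 530 flags SYN
"""

# Constructed sample (not from the page): one connect() whose SYN the client's
# TCP stack retries because the firewall drops it silently. Same source port
# every time, with backoff between tries.
RETRANSMIT_LOG = """\
Aug 2 17:43:40 Inbound TCP connection denied from 10.0.0.5 3000 to 206.81.220.22 80 flags SYN
Aug 2 17:43:43 Inbound TCP connection denied from 10.0.0.5 3000 to 206.81.220.22 80 flags SYN
Aug 2 17:43:49 Inbound TCP connection denied from 10.0.0.5 3000 to 206.81.220.22 80 flags SYN
"""

# Assumed line format, modelled on the posted log.
LINE_RE = re.compile(
    r"^\w{3} +\d+ +(?P<h>\d+)[ :](?P<m>\d+)[ :](?P<s>\d+) +"
    r"Inbound TCP connection denied from (?P<src>[\d.]+) (?P<sport>\d+) "
    r"to (?P<dst>[\d.]+) (?P<dport>\d+) flags (?P<flags>\S+)$")


def parse(log_text):
    """Return one dict per parsable deny line; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        mt = LINE_RE.match(line.strip())
        if not mt:
            continue
        events.append({
            "t": int(mt["h"]) * 3600 + int(mt["m"]) * 60 + int(mt["s"]),
            "src": mt["src"], "sport": int(mt["sport"]),
            "dst": mt["dst"], "dport": int(mt["dport"]), "flags": mt["flags"]})
    return events


def analyse(events):
    """Per (src, dst) pair: hits per destination port, and whether repeated ports
    reused one source port (retried SYN) or got a new one each time (new attempt)."""
    hits = defaultdict(lambda: defaultdict(list))   # (src, dst) -> dport -> [sport, ...]
    times = defaultdict(list)
    for e in events:
        if "SYN" not in e["flags"]:
            continue
        hits[(e["src"], e["dst"])][e["dport"]].append(e["sport"])
        times[(e["src"], e["dst"])].append(e["t"])
    report = {}
    for pair, ports in hits.items():
        repeated = {p: s for p, s in ports.items() if len(s) > 1}
        same_sport = sum(1 for s in repeated.values() if len(set(s)) == 1)
        new_sport = sum(1 for s in repeated.values() if len(set(s)) == len(s))
        if not repeated:
            verdict = "no repeats"
        elif same_sport == len(repeated):
            verdict = "retransmissions"
        elif new_sport == len(repeated):
            verdict = "separate attempts"
        else:
            verdict = "mixed"
        report[pair] = {
            "total_syns": sum(len(s) for s in ports.values()),
            "distinct_ports": len(ports),
            "repeated_ports": len(repeated),
            "max_hits_per_port": max(len(s) for s in ports.values()),
            "repeats_same_sport": same_sport,
            "repeats_new_sport": new_sport,
            "span_seconds": max(times[pair]) - min(times[pair]),
            "verdict": verdict}
    return report
```

Run `analyse(parse(POSTED_LOG))` and `analyse(parse(RETRANSMIT_LOG))` to see the two cases side by side. The "span_seconds" field gives the wall-clock window for the rate arithmetic in the reply; a retried SYN shows the stack's backoff spacing, while a scanner's repeats land within the same second. Whether a given log is one case or the other is decided by the source port column, not by the count of hits per port.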