Security Incidents mailing list archives
stealth scans on old legacy firewalls.
From: lwcashd () BIW COM (Larry W. Cashdollar)
Date: Fri, 4 Feb 2000 08:16:55 -0500
Every day I check the logs on our current firewall (soon to be replaced). I have noticed and reported to management/staff that the number of scans we are logging has decreased over the last 3 months. My theory was that our firewall was still being scanned, but with stealth utilities like nmap. I also noted that our firewall in its current configuration could not log these types of scans, as they didn't complete the TCP 3-way handshake.

Well, our new firewall is up and running and being tested online. This morning this showed up in its logs:

Feb 04 04:58:58.138 bertha kernel[0]: 226 IP packet dropped (gnet44.szptt.net.cn[202.96.191.44]->bertha[xxx.xxx.xxx.xxx]: Protocol=TCP[SYN] Port 1861->8080): Restricted Port: Protocol=TCP[SYN] Port 1861->8080 (received on interface xxx.xxx.xxx.xxx)
^^^^^^ Open proxy server scan.

Feb 04 04:58:58.892 bertha kernel[0]: 226 IP packet dropped (gnet44.szptt.net.cn[202.96.191.44]->bertha[xxx.xxx.xxx.xxx]: Protocol=TCP[SYN] Port 2225->3128): Restricted Port: Protocol=TCP[SYN] Port 2225->3128 (received on interface xxx.xxx.xxx.xxx)
^^^^^^ Don't know what they are looking for on port 3128.

Feb 04 04:58:59.598 bertha kernel[0]: 226 IP packet dropped (gnet44.szptt.net.cn[202.96.191.44]->bertha[xxx.xxx.xxx.xxx]: Protocol=TCP[SYN] Port 2609->1080): Restricted Port: Protocol=TCP[SYN] Port 2609->1080 (received on interface xxx.xxx.xxx.xxx)
^^^^^^ Socks Scan.

Meanwhile, the logs on the old firewall remained quiet. All I can say is attackers are like children: if they are too quiet, something is wrong.

-- Larry
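The three dropped-SYN entries above are only useful if something correlates them: one source hitting 8080, 3128 and 1080 within about a second is a proxy sweep, not three unrelated drops. The following is an added example (not from the post or the firewall vendor) that parses that log format and flags a source which probes two or more well-known proxy ports inside a short window. The sample lines are constructed to match the quoted format, with 192.0.2.10 standing in for the masked destination address and a second, unrelated drop from 198.51.100.7 added so the filter has something to ignore.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same format as the firewall log quoted in the post.
SAMPLE_LOG = """\
Feb 04 04:58:58.138 bertha kernel[0]: 226 IP packet dropped (gnet44.szptt.net.cn[202.96.191.44]->bertha[192.0.2.10]: Protocol=TCP[SYN] Port 1861->8080): Restricted Port
Feb 04 04:58:58.892 bertha kernel[0]: 226 IP packet dropped (gnet44.szptt.net.cn[202.96.191.44]->bertha[192.0.2.10]: Protocol=TCP[SYN] Port 2225->3128): Restricted Port
Feb 04 04:58:59.598 bertha kernel[0]: 226 IP packet dropped (gnet44.szptt.net.cn[202.96.191.44]->bertha[192.0.2.10]: Protocol=TCP[SYN] Port 2609->1080): Restricted Port
Feb 04 05:10:01.004 bertha kernel[0]: 226 IP packet dropped (host.example.net[198.51.100.7]->bertha[192.0.2.10]: Protocol=TCP[SYN] Port 40000->25): Restricted Port
"""

# Ports the post's three probes targeted; the labels are the usual services on them.
PROXY_PORTS = {8080: "HTTP proxy", 3128: "Squid proxy", 1080: "SOCKS"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \S+ kernel\[\d+\]: \d+ IP packet dropped "
    r"\((?P<src_host>[^\[]*)\[(?P<src_ip>[\d.]+)\]->(?P<dst_host>[^\[]*)\[(?P<dst_ip>[^\]]+)\]: "
    r"Protocol=(?P<proto>\w+)\[(?P<flags>[^\]]*)\] Port (?P<sport>\d+)->(?P<dport>\d+)\)"
)


def parse_line(line):
    """Return a dict for one 'IP packet dropped' line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # No year in the timestamp; strptime fills in 1900, which is fine for time differences.
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S.%f")
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def find_proxy_scans(log_text, window_seconds=60, min_ports=2):
    """Group SYN-only drops to proxy ports by source IP; report sources that hit
    at least min_ports distinct proxy ports with all probes inside window_seconds."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["flags"] == "SYN" and rec["dport"] in PROXY_PORTS:
            by_src[rec["src_ip"]].append(rec)
    hits = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        ports = sorted({r["dport"] for r in recs})
        if len(ports) >= min_ports and span <= window_seconds:
            hits[src] = {"src_host": recs[0]["src_host"], "ports": ports,
                         "services": [PROXY_PORTS[p] for p in ports], "span_seconds": round(span, 3)}
    return hits


if __name__ == "__main__":
    for src, info in find_proxy_scans(SAMPLE_LOG).items():
        print(f"{src} ({info['src_host']}) probed {info['ports']} in {info['span_seconds']}s: {info['services']}")
```

The window and port set are the knobs to tune; the same grouping applied to a real day's log will also surface sources that sweep the ports slowly, if the window is widened.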