Security Incidents mailing list archives
Re: Unusual scan pattern
From: lamont () ICOPYRIGHT COM (Granquist, Lamont)
Date: Wed, 19 Jan 2000 14:57:34 -0800
On Wed, 19 Jan 2000, Russell Fulton wrote:
date time proto source dest packets bytes status to fr to fr 09 Jan 00 11:05:43 tcp 133.74.6.1.23 <| 130.216.1.1.23 1 1 0 0 ER 09 Jan 00 11:05:43 tcp 133.74.6.1.23 <| 130.216.1.4.23 1 1 0 0 ER 09 Jan 00 11:05:44 tcp 133.74.6.1.25 <| 130.216.1.4.25 1 1 0 0 ER 09 Jan 00 11:05:44 tcp 133.74.6.1.25 <| 130.216.1.1.25 1 1 0 0 ER 09 Jan 00 11:05:44 tcp 133.74.6.1.143 <| 130.216.1.1.143 1 1 0 0 ER 09 Jan 00 11:05:44 tcp 133.74.6.1.143 <| 130.216.1.4.143 1 1 0 0 ER 09 Jan 00 11:05:44 tcp 133.74.6.1.110 <| 130.216.1.4.110 1 1 0 0 ER 09 Jan 00 11:05:44 tcp 133.74.6.1.110 <| 130.216.1.1.110 1 1 0 0 ER 09 Jan 00 11:05:44 tcp 133.74.6.1.80 <| 130.216.1.1.80 1 1 0 0 ER 09 Jan 00 11:05:44 tcp 133.74.6.1.80 <| 130.216.1.4.80 1 1 0 0 ER The E flag on these means that argus thought that the incoming packets were part of an established tcp stream for which it had not seen the handshake packets. Our hosts respond with a RST. Note source and destination ports are the same -- Is this some form of tcp 'ping' designed to go through packet filters?
[...]
What interests me is the initial tcp data packets which look as if they have been crafted to go through firewalls (at least simple packet filter types) and the artifical source port numbers.
NMAP by default does TCP ACK pings to port 80. This doesn't look like an NMAP signature, but might be a similar kind of tactic. I'd think that they would get a better ability to go through firewalls if they did ACK scans from a low numbered port like 80 to a high numbered port. That would probably get through packet filters which didn't keep any state and just relied on the ACK bit being set to determine if it was part of an ongoing TCP connection.
Current thread:
- Unusual scan pattern Russell Fulton (Jan 18)
- ANOTHER DNS MAC ADDRESS Change w/h Unix Log File Michael Vaughan (Jan 19)
- Re: ANOTHER DNS MAC ADDRESS Change w/h Unix Log File Cy Schubert - ITSD Open Systems Group (Jan 21)
- Re: ANOTHER DNS MAC ADDRESS Change w/h Unix Log File Ex Machina [xm] (Jan 21)
- Re: ANOTHER DNS MAC ADDRESS Change w/h Unix Log File CyberPsychotic (Jan 21)
- Re: ANOTHER DNS MAC ADDRESS Change w/h Unix Log File Dug Song (Jan 22)
- Re: Unusual scan pattern Granquist, Lamont (Jan 19)
- Slow scan Mixmaster (Jan 19)
- Re: Unusual scan pattern Richard Bejtlich (Jan 20)
- Re: Unusual scan pattern Kevin Houle (Jan 20)
- Re: Unusual scan pattern Russell Fulton (Jan 23)
- semi careful, very patient attacker Jon Paul, Nollmann (Jan 24)
- <Possible follow-ups>
- Re: Unusual scan pattern Oliver Friedrichs (Jan 19)
- Unknown Port Numbers Edwin Covert (Jan 21)
- ANOTHER DNS MAC ADDRESS Change w/h Unix Log File Michael Vaughan (Jan 19)