Security Incidents mailing list archives
Re: scan log
From: r.fulton () AUCKLAND AC NZ (Russell Fulton)
Date: Tue, 13 Jun 2000 10:03:00 +1200
On Sun, 11 Jun 2000 22:30:31 -0500 Max Gribov <mgribov () KPLAB COM> wrote:
> These are logs of a port scan I have recently received on one of my machines. I searched for those ports in all known port databases to me, but couldn't find anything. Why would someone scan that specific range (observe the precise incrementation) of ports on a linux machine?
>
> Jun 11 22:20:21 mordor scanlogd: From 209.3.31.70:20 to 151.202.106.23 ports 2632, 2633, 2634, 2635, 2636, 2637, 2638, 2639, 2640, ..., flags ??r??u, TOS 00, TTL 60, started at 22:20:13
Are you sure this is a scan? My scan detection software sees patterns like this several times a day. Since my system is based on argus I can go back and dump out the traffic context, and I usually find that what we have is a bunch of short web or ftp sessions:

uuu.xxx.yyy.zzz.2632 -> aaa.bbb.ccc.ddd.80
uuu.xxx.uuu.xxx.2633 -> aaa.bbb.ccc.ddd.80
uuu.xxx.uuu.xxx.2634 -> aaa.bbb.ccc.ddd.80
uuu.xxx.uuu.xxx.2635 -> aaa.bbb.ccc.ddd.80
uuu.xxx.uuu.xxx.2636 -> aaa.bbb.ccc.ddd.80
uuu.xxx.uuu.xxx.2637 -> aaa.bbb.ccc.ddd.80
uuu.xxx.uuu.xxx.2638 -> aaa.bbb.ccc.ddd.80

Now some combinations of client and server TCP stacks result in untidy session termination, and I frequently see things like this:

aaa.bbb.ccc.ddd.80 -> uuu.xxx.yyy.zzz.2632 FIN
aaa.bbb.ccc.ddd.80 -> uuu.xxx.yyy.zzz.2633 FIN
aaa.bbb.ccc.ddd.80 -> uuu.xxx.yyy.zzz.2634 FIN
aaa.bbb.ccc.ddd.80 -> uuu.xxx.yyy.zzz.2635 FIN
aaa.bbb.ccc.ddd.80 -> uuu.xxx.yyy.zzz.2636 FIN
aaa.bbb.ccc.ddd.80 -> uuu.xxx.yyy.zzz.2637 FIN
aaa.bbb.ccc.ddd.80 -> uuu.xxx.yyy.zzz.2638 FIN

up to two minutes after the TCP sessions have closed. This looks just like a FIN scan to scan detection software, but in fact it is the server still trying to shut down the sessions. (I suspect that some load balancing software is responsible for this sort of behaviour.)

I now ignore most short scans to consecutive high numbered ports.

What it boils down to is that you cannot say very much about such incidents without the context of the traffic in which they occur.

Cheers, Russell

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
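As an added illustration of the point made above (this is not code from the thread or from argus or scanlogd), here is a small Python classifier over constructed flow records in the same src.port -> dst.port notation: one source touching many destination ports is reported as a scan, consecutive client ports to a single service are reported as ordinary sessions, and a late FIN from the server is discounted when its reversed 4-tuple matches a session already seen. All hosts, ports and the FLOWS sample are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed flow records in the src.port -> dst.port notation of the post,
# with FIN marking a bare server-side close; placeholder hosts, not real data.
FLOWS = """\
uuu.xxx.yyy.zzz.2632 -> aaa.bbb.ccc.ddd.80
uuu.xxx.yyy.zzz.2633 -> aaa.bbb.ccc.ddd.80
uuu.xxx.yyy.zzz.2634 -> aaa.bbb.ccc.ddd.80
aaa.bbb.ccc.ddd.80 -> uuu.xxx.yyy.zzz.2632 FIN
aaa.bbb.ccc.ddd.80 -> uuu.xxx.yyy.zzz.2633 FIN
aaa.bbb.ccc.ddd.80 -> uuu.xxx.yyy.zzz.2634 FIN
sss.sss.sss.sss.4000 -> aaa.bbb.ccc.ddd.21
sss.sss.sss.sss.4001 -> aaa.bbb.ccc.ddd.22
sss.sss.sss.sss.4002 -> aaa.bbb.ccc.ddd.23
sss.sss.sss.sss.4003 -> aaa.bbb.ccc.ddd.25
"""

# host.port -> host.port [FLAGS]; the host part may itself contain dots.
LINE = re.compile(r"^(\S+)\.(\d+) -> (\S+)\.(\d+)(?: (\w+))?$")
def parse(text):
    # Return (src, sport, dst, dport, flags) tuples, skipping unparsable lines.
    recs = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            recs.append((m[1], int(m[2]), m[3], int(m[4]), m[5] or ""))
    return recs

def classify(records, min_ports=4):
    """Map (client, server) -> (verdict, late_fins)."""
    # Forward sessions seen as 4-tuples; a later FIN whose reversed tuple
    # matches one is the server tearing down an old session, not a probe.
    sessions = {(s, sp, d, dp) for s, sp, d, dp, fl in records if not fl}
    pairs = defaultdict(lambda: {"dports": set(), "sports": set(), "fins": 0})
    for s, sp, d, dp, fl in records:
        if fl == "FIN" and (d, dp, s, sp) in sessions:
            pairs[(d, s)]["fins"] += 1
            continue
        pairs[(s, d)]["dports"].add(dp)
        pairs[(s, d)]["sports"].add(sp)
    verdicts = {}
    for pair, info in pairs.items():
        if len(info["dports"]) >= min_ports:
            verdict = "portscan"         # one source hitting many services
        elif len(info["dports"]) == 1 and len(info["sports"]) > 1:
            verdict = "client-sessions"  # consecutive ephemeral ports, one service
        else:
            verdict = "unknown"
        verdicts[pair] = (verdict, info["fins"])
    return verdicts
```

Run over FLOWS, the 2632-2634 traffic is reported as client sessions with three late FINs rather than a FIN scan, while the four-port probe from the other source is reported as a scan.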