Security Incidents mailing list archives
Odd UPD scan
From: dmeissner () PUNCHNETWORKS COM (David Meissner)
Date: Wed, 15 Mar 2000 11:25:53 -0800
For several weeks now I've noticed scans of UDP port 137, but the odd thing is that the source address is spoofed as a private IP address. I don't understand how this can be a probe, since they'll never see the replies. It also doesn't seem like a DOS attack since it's a somewhat slow scan and it doesn't go on for too long.

Sample log:

00:06:26.478367 192.168.0.1.137 > aaa.bbb.ccc.eee.137: udp 50
00:06:27.951993 192.168.0.1.137 > aaa.bbb.ccc.eee.137: udp 50
00:06:29.460189 192.168.0.1.137 > aaa.bbb.ccc.eee.137: udp 50
00:06:32.475204 192.168.0.1.137 > aaa.bbb.ccc.fff.137: udp 50
00:06:32.475338 aaa.bbb.ccc.fff > 192.168.0.1: icmp: aaa.bbb.ccc.fff udp port 137 unreachable
00:06:33.979872 192.168.0.1.137 > aaa.bbb.ccc.fff.137: udp 50
00:06:33.980001 aaa.bbb.ccc.fff > 192.168.0.1: icmp: aaa.bbb.ccc.fff udp port 137 unreachable
00:06:35.480653 192.168.0.1.137 > aaa.bbb.ccc.fff.137: udp 50
00:06:35.480773 aaa.bbb.ccc.fff > 192.168.0.1: icmp: aaa.bbb.ccc.fff udp port 137 unreachable
00:06:38.491738 192.168.0.1.137 > aaa.bbb.ccc.ggg.137: udp 50
00:06:38.491874 aaa.bbb.ccc.ggg > 192.168.0.1: icmp: aaa.bbb.ccc.ggg udp port 137 unreachable
00:06:39.986622 192.168.0.1.137 > aaa.bbb.ccc.ggg.137: udp 50
00:06:39.986745 aaa.bbb.ccc.ggg > 192.168.0.1: icmp: aaa.bbb.ccc.ggg udp port 137 unreachable
00:06:41.497638 192.168.0.1.137 > aaa.bbb.ccc.ggg.137: udp 50
00:06:41.497771 aaa.bbb.ccc.ggg > 192.168.0.1: icmp: aaa.bbb.ccc.ggg udp port 137 unreachable

This activity goes on for about 40 minutes total to a number of other addresses, then a similar sequence repeats about 10 minutes later but only lasts a couple of minutes. About two hours later they repeat this again for a couple more minutes. I've seen the same activity from source addresses like 10.2.2.1.

Maybe they're trying to guess our internal network numbers, but what would be the point? Can anyone suggest what might be going on?

Thanks,
David Meissner
Punch Networks
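The following is an added example, not part of David Meissner's post: a Python script that parses tcpdump lines in the format shown above and reports, for each RFC 1918 source address, how many UDP 137 packets arrived, which hosts they targeted, and over what time span. The sample capture is constructed, with 203.0.113.0/24 standing in for the masked destination addresses; the function and variable names are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict

# tcpdump one-line UDP format as in the post: "time src.port > dst.port: udp len"
UDP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.\d+ > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): udp \d+$"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample capture; 203.0.113.0/24 replaces the masked destinations.
SAMPLE = """\
00:06:26.478367 192.168.0.1.137 > 203.0.113.5.137: udp 50
00:06:27.951993 192.168.0.1.137 > 203.0.113.5.137: udp 50
00:06:32.475204 192.168.0.1.137 > 203.0.113.6.137: udp 50
00:06:32.475338 203.0.113.6 > 192.168.0.1: icmp: 203.0.113.6 udp port 137 unreachable
00:06:38.491738 10.2.2.1.137 > 203.0.113.7.137: udp 50
00:06:40.100000 198.51.100.9.53 > 203.0.113.7.1024: udp 80
"""

def to_seconds(ts):
    hours, minutes, seconds = ts.split(":")
    return int(hours) * 3600 + int(minutes) * 60 + float(seconds)

def private_source_udp(log_text, dport=137):
    """Per RFC 1918 source: packet count, targets and time span for UDP to dport."""
    seen = defaultdict(lambda: {"packets": 0, "targets": set(), "times": []})
    for line in log_text.splitlines():
        m = UDP_LINE.match(line.strip())
        if not m or int(m["dport"]) != dport:
            continue  # ICMP replies and unrelated traffic are skipped
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # octet out of range: not a real address
        if not any(src in net for net in RFC1918):
            continue  # routable source, not the anomaly described in the post
        entry = seen[str(src)]
        entry["packets"] += 1
        entry["targets"].add(m["dst"])
        entry["times"].append(to_seconds(m["ts"]))
    return {src: {"packets": e["packets"], "targets": sorted(e["targets"]),
                  "duration": max(e["times"]) - min(e["times"])}
            for src, e in seen.items()}

if __name__ == "__main__":
    for src, info in private_source_udp(SAMPLE).items():
        print(src, info)
```

Sources reported here arrived on an external link with addresses that are not routable on the Internet, which makes them candidates for an ingress filter that drops RFC 1918 sources at the border.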