Security Incidents mailing list archives

Re: Port 109 Scans


From: spb () MESHUGGENEH NET (Stephen P. Berry)
Date: Tue, 9 May 2000 19:59:32 -0700


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ed Padin writes:

I've seen many of the scans have a source port of 0. Has anyone else seen
the same?

Yes.

I've been seeing a number of scans with the following characteristics:

        -Fixed ports.  Source port is always 0, destination port is always 109
        -Sequential.  Scan advances sequentially across a 24 bit network[0]
        -Slow.  On a single 24 bit subnet, several minutes pass between
         packets
        -Interleaved.  Multiple networks are being scanned simultaneously by
         individual hosts
        -Redundant.  Several source addresses exhibiting similar behaviour
         have been observed
        -Crafted.  Well, obviously the packets being sent are crafted.  The
         interesting things I've noticed are:
                -Both the SYN and FIN flags are always set
                -Identical IP IDs are used by multiple packets
                -TCP sequence number remains constant for long periods,
                 but only for some scanning hosts.
                 For example, earlier today I saw:

957897140.489011 a.b.c.d.0 > x.y.z.n.109: SF 1462829056:1462829056(0)
win 512
        4500 0028 5c01 0000 ..06 .... .... ....
        .... .... 0000 006d 5731 0000 0000 0000
        5003 0200 .... 0000 0000 0000 0000

                ...and then, hours later...

957902290.082516 a.b.c.d.0 > x.y.z.{n+4}.109: SF 1412497408:1412497408(0)
win 512
        4500 0028 2304 0000 ..06 .... .... ....
        .... .... 0000 006d 5431 0000 0000 0000
        5003 0200 .... 0000 0000 0000 0000
957902343.276762 a.b.c.d.0 > x.y.z.{n+4}.109: SF 1462829056:1462829056(0)
win 512
        4500 0028 2304 0000 ..06 .... .... ....
        .... .... 0000 006d 5731 0000 0000 0000
        5003 0200 .... 0000 0000 0000 0000

Notice that the IP ID changes from the packet sent to x.y.z.n and
the packets sent to x.y.z.{n+4}, but the same ID is used for both
of the packets sent to x.y.z.{n+4}.  In addition, the same TCP
sequence number is found on the packet sent to x.y.z.n and the second
one sent to x.y.z.{n+4}.  I've observed this from sensors on a couple
of different networks, so this isn't a single hiccup.

-Steve

-----
0     At least that's what it looks like from here.  It's possible that larger
      address spaces are being sequentially searched and I just don't have
      sensors in the places where it's happening.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE5GNBKG3kIaxeRZl8RApXLAKDQgda7CRYNBWEUSZfjKhQQYLHZ6gCcCCPX
RWuT2LtVYviAXBPheIExbIs=
=fn01
-----END PGP SIGNATURE-----


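The fingerprint described in the post, decoded and checked in code. This is an added example, not part of the original message: it transcribes the three posted hex dumps, fills the fields the post masks with '..'/'....' (TTL, IP and TCP checksums, source and destination addresses) with constructed placeholder values (TTL 0x40, checksums 0, source 192.0.2.1, destinations 198.51.100.10 for x.y.z.n and 198.51.100.14 for x.y.z.{n+4}), adds one constructed ordinary SYN to port 109 for contrast, parses the IPv4 and TCP headers, flags packets matching the fixed-port SYN+FIN, window-512 pattern, and reports IP IDs and TCP sequence numbers that a single source reuses across packets.

```python
import struct
from collections import defaultdict

SYN, FIN = 0x02, 0x01

# tcpdump -x style dumps transcribed from the post.  Masked fields are filled
# with constructed values (see lead-in).  The trailing zero words are the
# Ethernet padding tcpdump showed after the 40 real bytes; the IP total length
# is used below to trim them.  The fourth packet is a constructed ordinary SYN
# from 192.0.2.2, not from the post, to show what does not match.
POSTED_DUMPS = [
    (957897140.489011,
     "4500 0028 5c01 0000 4006 0000 c000 0201 "
     "c633 640a 0000 006d 5731 0000 0000 0000 "
     "5003 0200 0000 0000 0000 0000 0000"),
    (957902290.082516,
     "4500 0028 2304 0000 4006 0000 c000 0201 "
     "c633 640e 0000 006d 5431 0000 0000 0000 "
     "5003 0200 0000 0000 0000 0000 0000"),
    (957902343.276762,
     "4500 0028 2304 0000 4006 0000 c000 0201 "
     "c633 640e 0000 006d 5731 0000 0000 0000 "
     "5003 0200 0000 0000 0000 0000 0000"),
    (957902400.000000,
     "4500 0028 1a2b 4000 4006 0000 c000 0202 "
     "c633 640a c350 006d 1234 5678 0000 0000 "
     "5002 4000 0000 0000 0000 0000 0000"),
]


def parse_ipv4_tcp(raw):
    """Decode an IPv4 header and the TCP header after it into the fields the post discusses."""
    (vihl, _tos, total_len, ip_id, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if vihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (vihl & 0x0F) * 4
    tcp = raw[ihl:total_len]          # drops the Ethernet padding
    (sport, dport, seq, ack, off_flags,
     window, _tcsum, _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ip_id": ip_id, "ttl": ttl, "sport": sport, "dport": dport,
        "seq": seq, "ack": ack, "flags": off_flags & 0xFF, "window": window,
    }


def matches_scan_fingerprint(p):
    """Source port 0, destination port 109, SYN and FIN together, window 512."""
    return (p["sport"] == 0 and p["dport"] == 109
            and p["flags"] == SYN | FIN and p["window"] == 512)


def reuse_report(packets):
    """Per source address, which IP IDs and TCP sequence numbers appear on more than one packet."""
    ids, seqs = defaultdict(list), defaultdict(list)
    for p in packets:
        ids[(p["src"], p["ip_id"])].append(p["dst"])
        seqs[(p["src"], p["seq"])].append(p["dst"])
    return ({k: v for k, v in ids.items() if len(v) > 1},
            {k: v for k, v in seqs.items() if len(v) > 1})


def analyse(dumps=POSTED_DUMPS):
    """Parse every dump, pick out the fingerprint matches, and report field reuse among them."""
    packets = [dict(ts=ts, **parse_ipv4_tcp(bytes.fromhex(d.replace(" ", ""))))
               for ts, d in dumps]
    suspects = [p for p in packets if matches_scan_fingerprint(p)]
    return packets, suspects, reuse_report(suspects)


if __name__ == "__main__":
    packets, suspects, (dup_ids, dup_seqs) = analyse()
    for p in packets:
        verdict = "SCAN" if matches_scan_fingerprint(p) else "ok"
        print(f"{p['ts']:.6f} {p['src']}.{p['sport']} > {p['dst']}.{p['dport']} "
              f"flags=0x{p['flags']:02x} id=0x{p['ip_id']:04x} seq={p['seq']} "
              f"win={p['window']} {verdict}")
    print("reused IP IDs:", dup_ids)
    print("reused TCP seqs:", dup_seqs)
```

Run as-is it prints the three posted packets as SCAN and the constructed SYN as ok, then reports IP ID 0x2304 reused on both packets to x.y.z.{n+4} and sequence number 1462829056 reused on the packet to x.y.z.n and the second one to x.y.z.{n+4}, which is exactly the pairing the post points out. To apply the same check to live traffic, feed parse_ipv4_tcp the IP layer of each captured frame and keep the reuse tables keyed by source over the long interval the post describes, since a single packet carries no evidence of reuse.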