Security Incidents mailing list archives
Re: Automated, Distributed Port Scan
From: mixter () NEWYORKOFFICE COM (Martin Ixter)
Date: Wed, 10 May 2000 00:56:50 +0300
Distributed scanning is not only feasible, there are already distributed scanning tools out in public. They aren't very advanced yet (regarding stealth, etc.), but they show that the distributed concept is very easy to implement into scanning tools. The first distributed scanner appeared in phrack56 (http://phrack.infonexus.com/search.phtml?view&article=p56-12), and I'm also hosting one written in perl myself (http://mixter.warrior2k.com/rivat.tgz) </advertisement> :p

________________________
mixter () newyorkoffice com
http://1337.tsx.org

On Mon, 8 May 2000, E. Larry Lidz wrote:
We seem to have been the victims of what appears to be an automated distributed port scan. Over the weekend we were scanned for Netbus by 30 (or so) different machines. We have confirmed that there was two-way tcp traffic to at least one host on our network, so we do not believe that the source was spoofed.

Each scan scanned a different set of machines on our network. From a quick look, there appears to have been little to no overlap (that is, machine a was not scanned from any two different sources).

Looking at the times and the source of the scans, most of the scans lasted almost exactly 20 minutes -- this makes me think that it is likely automated. Sometimes there were pauses between the scans, sometimes there weren't.

The scans came from a variety of sites, but generally standard targets -- ISPs, Brazil, Korea, Austria, etc.

-Larry

---
E. Larry Lidz                        Phone: (773)702-2208
Network Security Officer             Fax: (773)702-0559
Network Security Center, The University of Chicago
PGP: finger ellidz () uchicago edu or network-security () uchicago edu
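
An added example, not part of either message: a minimal log correlation for the pattern described in the quoted report (many sources probing one service, each covering a different set of hosts with little to no overlap, each for a similar length of time). The record layout, thresholds, function names and sample addresses are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

def make_sample():
    """Constructed records: (epoch_seconds, source_ip, dest_ip, dest_port)."""
    events = []
    for s in range(3):                       # three sources, one slice each
        src = f"198.51.100.{s + 1}"          # documentation-range addresses
        for h in range(40):                  # 40 hosts, one probe per 30 s
            events.append((s * 1500 + h * 30, src, f"192.0.2.{s * 40 + h + 1}", 12345))
    for h in range(40):                      # unrelated single-source sweep
        events.append((h * 5, "203.0.113.9", f"192.0.2.{h + 1}", 80))
    return events

def find_distributed_scans(events, min_sources=3, min_targets=10, max_overlap=0.05):
    """Flag ports where several sources each sweep a large, near-disjoint host set."""
    by_port = defaultdict(lambda: defaultdict(lambda: {"targets": set(), "times": []}))
    for ts, src, dst, port in events:
        rec = by_port[port][src]
        rec["targets"].add(dst)
        rec["times"].append(ts)
    findings = []
    for port, sources in by_port.items():
        # Only sources that touched enough distinct hosts count as scanners.
        scanners = {s: r for s, r in sources.items() if len(r["targets"]) >= min_targets}
        if len(scanners) < min_sources:
            continue
        union = set().union(*(r["targets"] for r in scanners.values()))
        total = sum(len(r["targets"]) for r in scanners.values())
        overlap = 1 - len(union) / total     # 0.0 means a perfect partition
        if overlap > max_overlap:
            continue                         # independent scanners tend to overlap
        durations = {s: max(r["times"]) - min(r["times"]) for s, r in scanners.items()}
        findings.append({"port": port, "sources": sorted(scanners),
                         "targets": len(union), "overlap": overlap,
                         "durations": durations})
    return findings

if __name__ == "__main__":
    for f in find_distributed_scans(make_sample()):
        print(f)
```

Near-identical per-source durations in the output are a further hint of automation, as the report notes for its 20-minute scans.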
Current thread:
- Automated, Distributed Port Scan E. Larry Lidz (May 08)
- Re: Automated, Distributed Port Scan Martin Ixter (May 09)
- Re: Automated, Distributed Port Scan Jose Nazario (May 10)
- IP Black list? Stuart Staniford (May 11)
- Re: IP Black list? Travis Pugh (May 15)
- Re: IP Black list? Jose Nazario (May 15)
- Re: IP Black list? Paul L Schmehl (May 15)
- Re: IP Black list? Travis Pugh (May 16)
- Re: IP Black list? Sebastien Berube (May 15)
- Odd scans of tcp port 12345 Russell Fulton (May 15)
- Re: Odd scans of tcp port 12345 Shadow Boxer (May 16)
- New or Variant Port 109 Scans Stephen P. Berry (May 15)