Security Incidents mailing list archives

Re: Automated, Distributed Port Scan


From: mixter () NEWYORKOFFICE COM (Martin Ixter)
Date: Wed, 10 May 2000 00:56:50 +0300


Distributed scanning is not only feasible, there are already distributed
scanning tools out in public. They aren't very advanced yet (regarding
stealth, etc.), but they show that the distributed concept is very easy to
implement into scanning tools. The first distributed scanner appeared in
phrack56 (http://phrack.infonexus.com/search.phtml?view&article=p56-12),
and I'm also hosting one written in perl myself
(http://mixter.warrior2k.com/rivat.tgz) </advertisement> :p

________________________
mixter () newyorkoffice com
http://1337.tsx.org

On Mon, 8 May 2000, E. Larry Lidz wrote:

We seem to have been the victims of what appears to be an automated
distributed port scan. Over the weekend we were scanned for Netbus by
30 (or so) different machines. We have confirmed that there was two-way
tcp traffic to at least one host on our network, so we do not believe
that the source was spoofed.

Each scan scanned a different set of machines on our network. From a
quick look, there appears to have been little to no overlap (that is,
machinea was not scanned from any two different sources).

Looking at the times and the source of the scans, most of the scans
lasted almost exactly 20 minutes -- this makes me think that it is
likely automated. Sometimes there were pauses between the scans,
sometimes there weren't.

The scans came from a variety of sites, but generally standard targets
-- ISPs, Brazil, Korea, Austria, etc.

-Larry

---
E. Larry Lidz                                        Phone: (773)702-2208
Network Security Officer                             Fax:   (773)702-0559
Network Security Center, The University of Chicago
PGP: finger ellidz () uchicago edu or network-security () uchicago edu
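
The pattern reported in the quoted message (many sources probing one port, each covering its own slice of the network for a similar length of time) can be picked out of connection logs by correlating per-source target sets. The following is an added example, not part of the original thread; the record layout, thresholds, and function names are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from itertools import combinations

NETBUS_PORT = 12345  # default NetBus TCP port

def make_sample_log():
    """Constructed records (epoch_seconds, src_ip, dst_ip, dst_port); not real traffic."""
    log = []
    # Three sources, each sweeping its own slice of 10.0.0.0/24 for about 20 minutes.
    for i, src in enumerate(["192.0.2.10", "198.51.100.7", "203.0.113.99"]):
        start = i * 1500
        for j in range(40):
            log.append((start + j * 30, src, f"10.0.0.{i * 40 + j + 1}", NETBUS_PORT))
    # Unrelated noise: one client touching a single web server.
    log.append((100, "192.0.2.200", "10.0.0.5", 80))
    return log

def find_distributed_scans(log, min_sources=3, min_targets=10, max_overlap=0.1):
    """Flag ports probed by several sources whose target sets barely overlap."""
    per_port = defaultdict(lambda: defaultdict(lambda: {"targets": set(), "times": []}))
    for ts, src, dst, port in log:
        rec = per_port[port][src]
        rec["targets"].add(dst)
        rec["times"].append(ts)
    findings = []
    for port, sources in per_port.items():
        # Keep only sources that swept many hosts, i.e. scanners rather than clients.
        scanners = {s: r for s, r in sources.items() if len(r["targets"]) >= min_targets}
        if len(scanners) < min_sources:
            continue
        # Jaccard overlap between every pair of scanners' target sets.
        overlaps = [len(a["targets"] & b["targets"]) / len(a["targets"] | b["targets"])
                    for a, b in combinations(scanners.values(), 2)]
        if max(overlaps) > max_overlap:
            continue  # sources hit the same hosts: independent scans, not a split job
        findings.append({
            "port": port,
            "sources": sorted(scanners),
            "max_overlap": max(overlaps),
            "durations_min": {s: (max(r["times"]) - min(r["times"])) / 60
                              for s, r in scanners.items()},
        })
    return findings

if __name__ == "__main__":
    for finding in find_distributed_scans(make_sample_log()):
        print(finding)
```

Near-identical sweep durations across unrelated sources, reported in `durations_min`, are the automation signal the quoted message points to.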


