Security Incidents mailing list archives

New or Variant Port 109 Scans


From: spb () MESHUGGENEH NET (Stephen P. Berry)
Date: Mon, 15 May 2000 18:40:42 -0700


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The foo:0 > bar:109 scans reported here last week appear to have tapered
off (I haven't seen any since late last week, at any rate).  Since
they stopped, however, a different flavour of scan directed at port 109
has started.

The distinguishing features of this scan appear to be:

        -Fixed ports.  Both source and destination ports are always 109
        -Sequential.  Scan advances sequentially across 24 bit networks
        -Fast.  Dozens of hosts are scanned per second.
        -Crafted.  Discussed below.

The individual packets look something like:

958207524.008007 a.b.c.d.109 > x.y.z.n.109: SF 258008281:258008281(0) win 1028
   4500 0028 9a02 0000 ..06 .... .... ....
   .... .... 006d 006d 0f60 e4d9 5861 38bb
   5003 0404 .... 0000 0000 0000 0000
958207524.028349 a.b.c.d.109 > x.y.x.{n+1}.109: SF 258008281:258008281(0) win 1028
   4500 0028 9a02 0000 ..06 .... .... ....
   .... .... 006d 006d 0f60 e4d9 5861 38bb
   5003 0404 .... 0000 0000 0000 0000

Note that the IP ID, the TCP sequence number and the ACK all remain constant.
They have remained constant in all packets in each instance of the scan
I've observed, but are never the same in different scan instances[0].

I've observed a couple scans fitting this profile, but not as many as
the foo:0 > bar:109 scans last week.  The two scans are similar in that
they are both:

        -Directed at port 109
        -Both the SYN and FIN flags are set
        -Maintain constant IP ID and TCP sequence numbers during a scan

They are dissimilar in that:

        -Source ports are different
        -ACK is set in second scan
        -Second scan hits sequential IP addresses much more rapidly

Interestingly, none of the sensors that picked up the foo:0 > bar:109 scans
have seen the foo:109 > bar:109 scans, and the converse is also true.

- -Steve

- -----
0     I.e., the scanner appears to pick these values once per scan, but they
      are not hardcoded.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE5IKbuG3kIaxeRZl8RAld+AJ9fNz1jZh+hErQNDVaSkuEc7+MWzgCg+rjZ
su+bu4+ONGotjdi3RQjpvrI=
=wGPy
-----END PGP SIGNATURE-----

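A detection sketch for the signature described in the post above, added here as an example and not part of the original message: it parses tcpdump-style summary lines plus their `-x` hex dumps, pulls the IP ID and TCP acknowledgement number out of the raw header bytes (which the summary line does not show), and then looks for the combination reported by the poster: SYN and FIN both set, source port equal to destination port, IP ID / sequence / ACK held constant across the run, and destination addresses advancing one at a time. The sample capture, the addresses (RFC 5737 documentation ranges) and the checksums (left as zero) are constructed for the example; the IP ID, sequence and ACK values are the ones quoted in the post.

```python
import re
from ipaddress import ip_address

# Constructed sample in tcpdump -x style: four packets mimicking the scan in the
# post (checksums zeroed, addresses from documentation ranges) plus one ordinary
# SYN from another host that must not be reported.
SAMPLE = """\
958207524.008007 192.0.2.7.109 > 198.51.100.1.109: SF 258008281:258008281(0) win 1028
   4500 0028 9a02 0000 ff06 0000 c000 0207
   c633 6401 006d 006d 0f60 e4d9 5861 38bb
   5003 0404 0000 0000 0000 0000 0000
958207524.028349 192.0.2.7.109 > 198.51.100.2.109: SF 258008281:258008281(0) win 1028
   4500 0028 9a02 0000 ff06 0000 c000 0207
   c633 6402 006d 006d 0f60 e4d9 5861 38bb
   5003 0404 0000 0000 0000 0000 0000
958207524.048811 192.0.2.7.109 > 198.51.100.3.109: SF 258008281:258008281(0) win 1028
   4500 0028 9a02 0000 ff06 0000 c000 0207
   c633 6403 006d 006d 0f60 e4d9 5861 38bb
   5003 0404 0000 0000 0000 0000 0000
958207524.069102 192.0.2.7.109 > 198.51.100.4.109: SF 258008281:258008281(0) win 1028
   4500 0028 9a02 0000 ff06 0000 c000 0207
   c633 6404 006d 006d 0f60 e4d9 5861 38bb
   5003 0404 0000 0000 0000 0000 0000
958207524.100000 192.0.2.9.33211 > 198.51.100.20.109: S 1234567:1234567(0) win 32120
   4500 003c 1a2b 4000 4006 0000 c000 0209
   c633 6414 81bb 006d 0012 d687 0000 0000
   a002 7d78 0000 0000 0204 05b4 0402 080a
   0000 0001 0000 0000 0103 0300
"""

SUMMARY_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+) (?P<seq>\d+):\d+\(\d+\) win (?P<win>\d+)"
)
TCP_FIN, TCP_SYN = 0x01, 0x02


def _finish(pkt, hexwords):
    """Decode IP ID, TCP flags and ACK number from the hex dump that followed a summary line."""
    raw = bytes.fromhex("".join(hexwords))
    if len(raw) >= 20:
        pkt["ip_id"] = int.from_bytes(raw[4:6], "big")
        ihl = (raw[0] & 0x0F) * 4          # IP header length in bytes
        tcp = raw[ihl:]
        if len(tcp) >= 20:
            pkt["ack"] = int.from_bytes(tcp[8:12], "big")
            pkt["tcp_flags"] = tcp[13]
    return pkt


def parse_tcpdump(text):
    """Turn tcpdump summary lines (each followed by indented hex lines) into packet dicts."""
    packets, cur, hexwords = [], None, []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            if cur is not None:
                packets.append(_finish(cur, hexwords))
            cur = {k: (float(v) if k == "ts" else int(v) if v.isdigit() else v)
                   for k, v in m.groupdict().items()}
            hexwords = []
        elif line[:1].isspace() and cur is not None:
            hexwords.extend(line.split())
    if cur is not None:
        packets.append(_finish(cur, hexwords))
    return packets


def _syn_fin(pkt):
    # Prefer the raw flags byte; fall back to the summary letters if no hex was captured.
    if "tcp_flags" in pkt:
        return pkt["tcp_flags"] & (TCP_SYN | TCP_FIN) == (TCP_SYN | TCP_FIN)
    return "S" in pkt["flags"] and "F" in pkt["flags"]


def detect_scans(packets, min_packets=3):
    """Group by source host and report runs matching the fixed-port SYN+FIN signature.

    A run is reported when every packet has SYN+FIN set, source port == destination port,
    and IP ID, sequence and ACK stay constant. Sequential targets and rate are reported
    as attributes so an analyst can see how closely a run matches the posted description.
    """
    by_src = {}
    for p in packets:
        by_src.setdefault(p["src"], []).append(p)
    findings = {}
    for src, run in by_src.items():
        run.sort(key=lambda p: p["ts"])
        if len(run) < min_packets or not all(_syn_fin(p) for p in run):
            continue
        if not all(p["sport"] == p["dport"] == run[0]["sport"] for p in run):
            continue
        if any(len({p.get(f) for p in run}) != 1 for f in ("ip_id", "seq", "ack")):
            continue
        dsts = [int(ip_address(p["dst"])) for p in run]
        span = run[-1]["ts"] - run[0]["ts"]
        findings[src] = {
            "fixed_port": run[0]["sport"],
            "ip_id": run[0].get("ip_id"), "seq": run[0]["seq"], "ack": run[0].get("ack"),
            "sequential": all(b - a == 1 for a, b in zip(dsts, dsts[1:])),
            "packets": len(run),
            "pps": len(run) / span if span > 0 else float("inf"),
        }
    return findings


if __name__ == "__main__":
    for src, f in detect_scans(parse_tcpdump(SAMPLE)).items():
        print(src, f)
```

The same parser works on real `tcpdump -tt -x` output; the one thing to watch is that the summary-line regex only covers the old-style flag letters shown in the post, so adapt it if your tcpdump prints `Flags [SF]`.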
