Security Incidents mailing list archives
New or Variant Port 109 Scans
From: spb () MESHUGGENEH NET (Stephen P. Berry)
Date: Mon, 15 May 2000 18:40:42 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The foo:0 > bar:109 scans reported here last week appear to have tapered off (I haven't seen any since late last week, at any rate). Since they stopped, however, a different flavour of scan directed at port 109 has started. The distinguishing features of this scan appear to be:

-Fixed ports. Both source and destination ports are always 109
-Sequential. Scan advances sequentially across 24 bit networks
-Fast. Dozens of hosts are scanned per second.
-Crafted. Discussed below.

The individual packets look something like:

958207524.008007 a.b.c.d.109 > x.y.z.n.109: SF 258008281:258008281(0) win 1028
                         4500 0028 9a02 0000 ..06 .... .... .... ....
                         .... 006d 006d 0f60 e4d9 5861 38bb 5003 0404
                         .... 0000 0000 0000 0000
958207524.028349 a.b.c.d.109 > x.y.z.{n+1}.109: SF 258008281:258008281(0) win 1028
                         4500 0028 9a02 0000 ..06 .... .... .... ....
                         .... 006d 006d 0f60 e4d9 5861 38bb 5003 0404
                         .... 0000 0000 0000 0000

Note that the IP ID, the TCP sequence number and the ACK all remain constant. They have remained constant in all packets in each instance of the scan I've observed, but are never the same in different scan instances[0].

I've observed a couple scans fitting this profile, but not as many as the foo:0 > bar:109 scans last week. The two scans are similar in that they are both:

-Directed at port 109
-Both the SYN and FIN flags are set
-Maintain constant IP ID and TCP sequence numbers during a scan

They are dissimilar in that:

-Source ports are different
-ACK is set in second scan
-Second scan hits sequential IP addresses much more rapidly

Interestingly, none of the sensors that picked up the foo:0 > bar:109 scans have seen the foo:109 > bar:109 scans, and the converse is also true.

-Steve

-----
[0] I.e., the scanner appears to pick these values once per scan, but they are not hardcoded.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE5IKbuG3kIaxeRZl8RAld+AJ9fNz1jZh+hErQNDVaSkuEc7+MWzgCg+rjZ
su+bu4+ONGotjdi3RQjpvrI=
=wGPy
-----END PGP SIGNATURE-----
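The scan profile in the post (SYN+FIN set, source and destination port both 109, IP ID / sequence number / ACK held constant while the destination host advances) is easy to turn into a sensor-side check. The script below is an added example, not part of the original message or of any tool the list discusses: it decodes tcpdump -x style hex words into the IPv4 and TCP header fields, tags the per-packet oddities that distinguish both port-109 variants (source port 0 for last week's flavour, fixed ports 109 > 109 and SYN+FIN for this week's), and then groups packets by source to catch the constant IP ID / seq / ACK signature across several destinations. The sample packets are constructed: they reproduce the two dumps from the post, with the bytes the author masked (TTL, checksums, addresses) filled in with made-up values, plus a third host and one benign SYN as a control.

```python
"""Flag crafted port-109 scans in tcpdump -x style hex output (added example)."""
import struct
from collections import defaultdict
from ipaddress import ip_address

FIN, SYN, ACK = 0x01, 0x02, 0x10

# Constructed sample.  Packets 1-3 follow the post's dumps with the masked
# bytes filled in: TTL 0x3a, zero checksums, src 10.0.0.1, dst 192.0.2.5-7.
# The trailing 0000 words are Ethernet padding beyond the IP total length.
# Packet 4 is an ordinary SYN to port 109 from an ephemeral port (benign).
SAMPLE_HEXDUMP = [
    "4500 0028 9a02 0000 3a06 0000 0a00 0001 c000 0205 "
    "006d 006d 0f60 e4d9 5861 38bb 5003 0404 0000 0000 0000 0000 0000",
    "4500 0028 9a02 0000 3a06 0000 0a00 0001 c000 0206 "
    "006d 006d 0f60 e4d9 5861 38bb 5003 0404 0000 0000 0000 0000 0000",
    "4500 0028 9a02 0000 3a06 0000 0a00 0001 c000 0207 "
    "006d 006d 0f60 e4d9 5861 38bb 5003 0404 0000 0000 0000 0000 0000",
    "4500 0028 1234 4000 4006 0000 0a00 0002 c000 0205 "
    "9c40 006d 0000 0001 0000 0000 5002 2000 0000 0000 0000 0000 0000",
]


def parse_packet(hexwords: str) -> dict:
    """Decode the IPv4 and TCP headers from one line of space-separated hex words."""
    raw = bytes.fromhex(hexwords.replace(" ", ""))
    ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", raw[ihl:ihl + 16])
    return {
        "src": str(ip_address(src)), "dst": str(ip_address(dst)),
        "ip_id": ip_id, "ttl": ttl, "sport": sport, "dport": dport,
        "seq": seq, "ack": ack, "flags": off_flags & 0x3F, "win": win,
        # bytes of TCP payload, ignoring link-layer padding after total_len
        "payload_len": total_len - ihl - (off_flags >> 12) * 4,
    }


def packet_anomalies(p: dict) -> set:
    """Per-packet tells that no ordinary TCP stack produces for a connect."""
    reasons = set()
    if p["flags"] & SYN and p["flags"] & FIN:
        reasons.add("syn+fin")          # illegal flag combination
    if p["sport"] == 0:
        reasons.add("sport0")           # the foo:0 > bar:109 flavour
    if p["sport"] == p["dport"] == 109:
        reasons.add("fixed-109")        # the foo:109 > bar:109 flavour
    return reasons


def find_scanners(packets: list) -> dict:
    """Group by source and report sources that look like crafted scanners.

    A source is also tagged 'constant-id-seq-ack' when its IP ID, sequence
    number and ACK never change across more than one destination host,
    which is the crafted-packet signature the post describes.
    """
    by_src = defaultdict(list)
    for p in packets:
        by_src[p["src"]].append(p)
    report = {}
    for src, pkts in by_src.items():
        reasons = set().union(*(packet_anomalies(p) for p in pkts))
        dsts = {p["dst"] for p in pkts}
        if len(dsts) > 1 and len({(p["ip_id"], p["seq"], p["ack"]) for p in pkts}) == 1:
            reasons.add("constant-id-seq-ack")
        if reasons:
            report[src] = {"hosts": len(dsts), "reasons": sorted(reasons)}
    return report


if __name__ == "__main__":
    for source, info in find_scanners([parse_packet(h) for h in SAMPLE_HEXDUMP]).items():
        print(f"{source}: {info['hosts']} host(s) probed, {', '.join(info['reasons'])}")
```

On the sample input the 10.0.0.1 source is reported with syn+fin, fixed-109 and constant-id-seq-ack across three hosts, while the control SYN from 10.0.0.2 is not reported at all. Feeding real sensor output through the same path only requires joining each packet's hex lines into one string before calling parse_packet.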