Security Incidents mailing list archives
Distributed slow scan?
From: "A.L.Lambert" <alambert () EPICREALM COM>
Date: Thu, 16 Nov 2000 13:37:13 -0600
I'm seeing some strange traffic, that looks to me like a distributed slow scan. Packet sig example:

    xx/xx-xx:xx:xx x:x:x:x:x:x -> x:x:x:x:x:x type:0x800 len:0x3C
    xxx.xxx.xxx.xxx:80 -> xxx.xxx.xxx.xxx:80 TCP TTL:54 TOS:0x0 ID:28446
    ******A* Seq: 0x3B5 Ack: 0x0 Win: 0x400

TYPE, ACK, LEN, and TOS are always the same value, but SEQ and ID appear random. Now, I note the src == dst, but the ID: doesn't match the "Mystery Tool 11" (it seems random actually), nor does the distributed method seem indicative of the aforementioned Mystery Tool.

Other things worthy of note: Source IPs are all over the map, but I have noticed a few that seem to be scattered in the same netblock. A single src addr will hit a host in say, 63.x.x.x, another in 216.x.x.x, and another in 62.x.x.x, etc. at a fairly rapid rate (usually a packet every 30-90 seconds), but a single src addr will never hit two hosts in the same netblock. Cross-referencing the source IPs in my IDS history logs reveals no history of abuse from either the specific source hosts, nor the netblocks they originate from.

Ummm... I think that's all I can think of at the moment. I'll definitely be investigating this more, but I thought I might throw it out to the list and let some sharper wits than mine have a look at it, and maybe get some interesting feedback.

Cheers!

--A.L.Lambert
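The pattern the post describes (port 80 to port 80, ACK flag only, Ack 0x0, len 0x3C, TOS 0, one source touching hosts in several different netblocks at a packet every 30-90 seconds) can be checked mechanically against an IDS packet dump. The following script is an added example, not code from the post or from any tool it mentions: it parses the three-line packet record format quoted above, keeps only packets matching that signature, and per source address counts distinct destination netblocks and inter-packet gaps. The /8 netblock granularity, the year used to complete the timestamps, the 30-90 second window and all addresses in the sample log are assumptions or constructed values.

```python
"""Flag sources that fit the 'distributed slow scan' pattern from the post.

Added example. Log format mimics the three-line packet dump in the post;
every address, MAC, timestamp and ID in SAMPLE_LOG is constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# One packet = three lines: header/Ethernet, IP/TCP, flags/sequence.
LINE1 = re.compile(r"^(\d{2})/(\d{2})-(\d{2}):(\d{2}):(\d{2}) \S+ -> \S+ "
                   r"type:0x([0-9A-Fa-f]+) len:0x([0-9A-Fa-f]+)$")
LINE2 = re.compile(r"^([\d.]+):(\d+) -> ([\d.]+):(\d+) (\w+) TTL:(\d+) "
                   r"TOS:0x([0-9A-Fa-f]+) ID:(\d+)$")
LINE3 = re.compile(r"^([*\dA-Z]{8}) Seq: 0x([0-9A-Fa-f]+) Ack: 0x([0-9A-Fa-f]+) "
                   r"Win: 0x([0-9A-Fa-f]+)$")

# Constructed sample: 192.0.2.10 probes three hosts in three different /8s
# about 45-55 s apart; 203.0.113.50 is an ordinary web reply; 198.51.100.200
# sends a single matching packet (one netblock, so not enough evidence).
SAMPLE_LOG = """\
11/16-13:00:00 0:1:2:3:4:5 -> 6:7:8:9:A:B type:0x800 len:0x3C
192.0.2.10:80 -> 198.51.100.7:80 TCP TTL:54 TOS:0x0 ID:28446
******A* Seq: 0x3B5 Ack: 0x0 Win: 0x400
11/16-13:00:12 0:1:2:3:4:5 -> 6:7:8:9:A:B type:0x800 len:0x5DC
203.0.113.50:80 -> 198.51.100.7:3456 TCP TTL:52 TOS:0x0 ID:1034
***AP*** Seq: 0x7A1B2C3D Ack: 0x1E2F3A4B Win: 0x4000
11/16-13:00:45 0:1:2:3:4:5 -> 6:7:8:9:A:B type:0x800 len:0x3C
192.0.2.10:80 -> 203.0.113.9:80 TCP TTL:54 TOS:0x0 ID:9817
******A* Seq: 0x1F0C Ack: 0x0 Win: 0x400
11/16-13:01:03 0:1:2:3:4:5 -> 6:7:8:9:A:B type:0x800 len:0x3C
198.51.100.200:80 -> 203.0.113.9:80 TCP TTL:51 TOS:0x0 ID:44120
******A* Seq: 0xA3 Ack: 0x0 Win: 0x400
11/16-13:01:40 0:1:2:3:4:5 -> 6:7:8:9:A:B type:0x800 len:0x3C
192.0.2.10:80 -> 100.64.1.2:80 TCP TTL:54 TOS:0x0 ID:602
******A* Seq: 0xD41E Ack: 0x0 Win: 0x400
"""


def parse_records(text, year=2000):
    """Turn the three-line dump into dicts; year is assumed (log lacks it)."""
    records, pending = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = (LINE1, LINE2, LINE3)[len(pending)].match(line)
        if not m and pending:           # broken record: resync on a header line
            pending = []
            m = LINE1.match(line)
        if not m:
            continue
        pending.append(m)
        if len(pending) == 3:
            m1, m2, m3 = pending
            records.append({
                "ts": datetime(year, int(m1[1]), int(m1[2]),
                               int(m1[3]), int(m1[4]), int(m1[5])),
                "length": int(m1[7], 16),
                "src": m2[1], "sport": int(m2[2]),
                "dst": m2[3], "dport": int(m2[4]),
                "proto": m2[5], "tos": int(m2[7], 16), "ip_id": int(m2[8]),
                "flags": m3[1], "seq": int(m3[2], 16), "ack": int(m3[3], 16),
            })
            pending = []
    return records


def matches_signature(r):
    """The constant fields from the post: 80->80, ACK only, Ack 0, len 0x3C, TOS 0."""
    return (r["proto"] == "TCP" and r["sport"] == 80 and r["dport"] == 80
            and r["length"] == 0x3C and r["tos"] == 0 and r["ack"] == 0
            and set(r["flags"].replace("*", "")) == {"A"})


def analyze(records, prefix=8, min_blocks=2, min_gap=30, max_gap=90):
    """Per source: distinct destination netblocks (assumed /8) and packet gaps."""
    by_src = defaultdict(list)
    for r in records:
        if matches_signature(r):
            by_src[r["src"]].append(r)
    findings = {}
    for src, rs in by_src.items():
        rs.sort(key=lambda r: r["ts"])
        blocks = {ipaddress.ip_network(f"{r['dst']}/{prefix}", strict=False) for r in rs}
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(rs, rs[1:])]
        slow = bool(gaps) and all(min_gap <= g <= max_gap for g in gaps)
        findings[src] = {
            "packets": len(rs),
            "distinct_blocks": len(blocks),
            "one_host_per_block": len(blocks) == len({r["dst"] for r in rs}),
            "distinct_ip_ids": len({r["ip_id"] for r in rs}),
            "gaps": gaps,
            "slow": slow,
            "suspicious": len(blocks) >= min_blocks and slow,
        }
    return findings


def suspicious_sources(findings):
    return sorted(s for s, f in findings.items() if f["suspicious"])


if __name__ == "__main__":
    for src, f in analyze(parse_records(SAMPLE_LOG)).items():
        print(src, f)
    print("suspicious:", suspicious_sources(analyze(parse_records(SAMPLE_LOG))))
```

On the constructed log, only 192.0.2.10 is reported: three packets into three different /8s, 45 and 55 seconds apart, one host per block, three different IP IDs. The ordinary web reply never enters the analysis because its ports, flags and Ack value fail the signature, and the single-packet source has neither a second netblock nor a gap to measure. On a real feed the thresholds should be tuned to the site's own traffic, and the thing worth watching is the set of sources that share the signature rather than any one packet.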