Security Incidents mailing list archives
Mysterious s...l...o...w SYN&FIN/FIN/NULL scan
From: Mike Blomgren <mike.blomgren () ccnox com>
Date: Thu, 23 Nov 2000 12:22:18 +0100
[To the Listowner: I'm subscribed to the list at another e-mail address, but don't want to reveal whom I'm speaking about. I'd really appreciate it if you could forward this to the list anyway.]

We have for the last several weeks been hit by a mysteriously slow scan. However, it isn't a regular portscan, and doesn't cause any problems - other than that our IDS detects and logs them. We just don't know what it is, what they're looking for, and why it keeps coming...

Key issues:

* The target machine is always the same.
* The destination port is always 0.
* The source port is always 5635.
* The TCP flags are one of 3 combinations: SYN & FIN, just FIN, or NULL (no flags set at all).
* Here's the funny part: The source machine is always in one of three adjacent C-class addresses, emanating from a large European ISP. The source IPs always resolve to a FQDN, obviously belonging to some sort of dial-up (i.e. ppp132.dialup.<big ISP>.<same country as us>). (No, they have not responded to our queries.)
* Each combination of the above is seen only once. For example, if a specific src IP has sent three packets with one of each (SYN&FIN, FIN & NULL) - we don't see the same source IP again.
* The packets usually come 3-4 at a time. Seldom more than 15 in one burst. Each packet is usually a minute or so apart. Sometimes they have different src IPs within the same 'burst'. The bursts range from roughly 12 to 72 hours between each.
* The packets can come at any time of the day.

The target is a unix based webserver running a fairly large 'public' application. (Details can be sent offlist). Naturally it's behind a firewall, only allowing incoming HTTP & HTTPS.

Our theories are:

* Some sort of spoofed scan, using our host to 'bounce' the scan towards the dial-up customers of the ISP.
* Our host is compromised. Hmmm. Unlikely...
* A scan to try and determine our firewall rules. (I'd assume we'd also see ACK packets then)
* Something else....
We really see no reason for this type of scan, and are just very curious as to what it can be. Any ideas or pointers are welcome. Regards, ~Mike
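The traffic described in the post (SYN+FIN, FIN-only and NULL packets, destination port 0, fixed source port 5635, sources clustered in three adjacent /24s, each src/flag combination seen once) is easy to pick out of a packet log with a few lines of detection logic. The following is an added example written for this archive page, not code from the poster or from his IDS: it parses constructed tcpdump-style summary lines (the sample addresses are documentation ranges, not the ISP in the post), flags the illegal TCP flag combinations and the port-0 destination, groups hits by source /24, and checks the "each combination only once" property. The log format, the `Packet` class and all function names are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed sample lines in tcpdump-like notation (not a real capture).
# Flag letters: S=SYN, F=FIN, A=ACK; "none" means a NULL packet (no flags).
SAMPLE_LOG = """\
12:22:18.000001 IP 198.51.100.132.5635 > 192.0.2.10.0: Flags [SF], length 0
12:23:40.000002 IP 198.51.100.132.5635 > 192.0.2.10.0: Flags [F], length 0
12:24:55.000003 IP 198.51.100.132.5635 > 192.0.2.10.0: Flags [none], length 0
12:25:10.000004 IP 198.51.101.17.5635 > 192.0.2.10.0: Flags [SF], length 0
12:25:11.000005 IP 203.0.113.5.44321 > 192.0.2.10.443: Flags [S], length 0
12:25:12.000006 IP 203.0.113.5.44321 > 192.0.2.10.443: Flags [A], length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # single-letter TCP flags; empty for a NULL packet


def parse_line(line):
    """Parse one summary line; return a Packet or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("flags")
    flags = frozenset() if raw == "none" else frozenset(raw)
    return Packet(m.group("ts"), m.group("src"), int(m.group("sport")),
                  m.group("dst"), int(m.group("dport")), flags)


def classify(pkt):
    """Return the anomaly names this packet triggers (empty list if none)."""
    hits = []
    f = pkt.flags
    if not f:
        hits.append("NULL")        # no flags at all: never produced by a real stack
    elif "S" in f and "F" in f:
        hits.append("SYN+FIN")     # open and close in one segment: illegal
    elif f == {"F"}:
        hits.append("FIN-only")    # FIN without ACK: not part of any real teardown
    if pkt.dport == 0:
        hits.append("dport0")      # port 0 is reserved; no service listens there
    return hits


def analyze(log_text):
    """Group anomalous packets by source /24, as the poster grouped them."""
    by_net = defaultdict(list)
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        hits = classify(pkt)
        if hits:
            net = str(ip_network(f"{pkt.src}/24", strict=False))
            by_net[net].append((pkt.src, pkt.sport, tuple(sorted(pkt.flags)), hits))
    return dict(by_net)


def repeated_combos(log_text):
    """Return (src, flags) combinations seen more than once among anomalous packets.

    The post says every src/flag combination appears exactly once, so a
    non-empty result would break that pattern."""
    seen = Counter()
    for entries in analyze(log_text).values():
        for src, _sport, flags, _hits in entries:
            seen[(src, flags)] += 1
    return {k: v for k, v in seen.items() if v > 1}


if __name__ == "__main__":
    for net, entries in sorted(analyze(SAMPLE_LOG).items()):
        print(net)
        for src, sport, flags, hits in entries:
            print(f"  {src}:{sport} flags={''.join(flags) or 'NULL'} -> {', '.join(hits)}")
    print("repeated combinations:", repeated_combos(SAMPLE_LOG) or "none")
```

Run against a real capture the regex would need adjusting to the exact tcpdump options in use; the useful parts are `classify`, which encodes the three flag combinations from the post plus the port-0 check, and `repeated_combos`, which tests the one-packet-per-combination property that made the traffic look like a deliberate probe rather than noise.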
Current thread:
- Mysterious s...l...o...w SYN&FIN/FIN/NULL scan Mike Blomgren (Nov 24)
- <Possible follow-ups>
- Re: Mysterious s...l...o...w SYN&FIN/FIN/NULL scan Joe Stewart (Nov 28)