Security Incidents mailing list archives

Mysterious s...l...o...w SYN&FIN/FIN/NULL scan


From: Mike Blomgren <mike.blomgren () ccnox com>
Date: Thu, 23 Nov 2000 12:22:18 +0100

[To the Listowner: I'm subscribed to the list at another e-mail
address, but don't want to reveal whom I'm speaking about. I'd really
appreciate it if you could forward this to the list anyway.]

We have for the last several weeks been hit by a mysteriously slow
scan. However, it isn't a regular portscan, and doesn't cause any
problems - other than that our IDS detects and logs them. We just
don't know what it is, what they're looking for, and why it keeps
coming...

Key issues:
* The target machine is always the same.
* The destination port is always 0.
* The source port is always 5635.
* The TCP flags are one of 3 combinations: SYN & FIN, just FIN, or NULL
(no flags set at all).
* Here's the funny part: the source machine is always in one of three
adjacent C-class addresses, emanating from a large European ISP. The
source IPs always resolve to a FQDN, obviously belonging to some sort
of dial-up (i.e. ppp132.dialup.<big ISP>.<same country as us>). (No,
they have not responded to our queries.)
* Each combination of the above is seen only once. For example, if a
specific src IP has sent three packets with one of each (SYN&FIN, FIN &
NULL) - we don't see the same source IP again.
* The packets usually come 3-4 at a time, seldom more than 15 in one
burst. Each packet is usually a minute or so apart. Sometimes they have
different src IPs within the same 'burst'. The bursts range from
roughly 12 to 72 hours between each.
* The packets can come at any time of the day.

The target is a unix based web server running a fairly large 'public'
application. (Details can be sent offlist.) Naturally it's behind a
firewall, only allowing incoming HTTP & HTTPS.

Our theories are:

* Some sort of spoofed scan, using our host to 'bounce' the scan
towards the dial-up customers of the ISP.
* Our host is compromised. Hmmm. Unlikely...
* A scan to try to determine our firewall rules. (I'd assume we'd also
see ACK packets then.)
* Something else....

We really see no reason for this type of scan, and are just very
curious as to what it can be. Any ideas or pointers are welcome.

Regards,

~Mike
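The pattern described in the post (destination port 0, a fixed source port, and only the SYN&FIN, FIN-only or NULL flag combinations, arriving in bursts from a few adjacent /24s) can be pulled out of an IDS log and grouped into bursts for tracking. The following is an added example, not code from the post or from any IDS product; the log line layout, the 10.20.x.0/24 source ranges and the timestamps are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "<time> <src>:<sport> -> <dst>:<dport> flags=<F>" layout
# (not any real IDS's format); 10.20.1-3.0/24 stand in for the three adjacent source /24s.
SAMPLE_LOG = """\
2000-11-20T03:14:07 10.20.1.132:5635 -> 192.0.2.10:0 flags=SF
2000-11-20T03:15:22 10.20.1.132:5635 -> 192.0.2.10:0 flags=F
2000-11-20T03:16:40 10.20.2.17:5635 -> 192.0.2.10:0 flags=
2000-11-20T03:17:02 198.51.100.7:40123 -> 192.0.2.10:80 flags=S
2000-11-21T22:01:11 10.20.3.88:5635 -> 192.0.2.10:0 flags=SF
2000-11-21T22:02:30 10.20.3.88:5635 -> 192.0.2.10:0 flags=F
2000-11-21T22:03:45 10.20.3.88:5635 -> 192.0.2.10:0 flags=
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) flags=([SAFRPU]*)$")
# The three flag combinations the post reports; none of them occurs in a legitimate TCP session.
ANOMALOUS = {frozenset(): "NULL", frozenset("SF"): "SYN+FIN", frozenset("F"): "FIN-only"}

def classify_flags(flags):
    """Return the anomalous class for a flag string such as 'SF', or None for ordinary traffic."""
    return ANOMALOUS.get(frozenset(flags))

def parse(log_text):
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, sport, dst, dport, flags = m.groups()
            yield {"time": datetime.fromisoformat(ts), "src": src, "sport": int(sport),
                   "dport": int(dport), "cls": classify_flags(flags)}

def find_bursts(log_text, gap=timedelta(hours=1)):
    """Keep dst-port-0 packets with anomalous flags and split them into bursts by time gap."""
    hits = sorted((p for p in parse(log_text) if p["dport"] == 0 and p["cls"]),
                  key=lambda p: p["time"])
    bursts = []
    for p in hits:
        if not bursts or p["time"] - bursts[-1]["end"] > gap:
            bursts.append({"start": p["time"], "end": p["time"], "packets": 0,
                           "src24s": set(), "sports": set(), "combos": set()})
        b = bursts[-1]
        b["end"] = p["time"]
        b["packets"] += 1
        b["src24s"].add(p["src"].rsplit(".", 1)[0] + ".0/24")  # group sources by /24
        b["sports"].add(p["sport"])
        b["combos"].add((p["src"], p["cls"]))  # post says each (src, flags) pair appears once
    return bursts
```

Calling `find_bursts(SAMPLE_LOG)` on the constructed lines yields two bursts of three packets each, a day apart, all from source port 5635; a burst whose `sports` set grows or whose `combos` repeat would be a departure from the pattern the post describes.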

