Security Incidents mailing list archives
Re: Large scans in progress...
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Thu, 14 Sep 2000 10:32:25 +1200
On Tue, 12 Sep 2000 14:34:08 -0700 UnixGeek <ed () XWING CENTIGRAM COM> wrote:
Just an FYI: Seems large chunks of various netblocks are being scanned from Israel, currently, from IP 62.0.56.66 (does not appear to be a multi-host, coordinated scan).
Hmmm... since you mention this I have detected another, probably widespread, scan which I believe to be coordinated from the same address block. This scan is extremely sneaky and difficult to detect unless you are actually looking for it.

I first noticed this activity in May and reported it to AusCERT, Netvision.net.il and Israel Academic CERT as a distributed scan involving many Israeli ISPs. What I first saw was a trickle of POP and IMAP probes, 10-20 per day, from 62.0.55.65. When I looked closer I realized that there were lots of probes for POP and IMAP all with the same last octet in the IP address. What is more, all these probes appeared to be sourced from various Israeli ISPs. These other addresses changed regularly (about every half hour); typically we would see no more than half a dozen probes from any individual address. By examining the logs I deduced that there were two processes running, each changing addresses every half hour.

I was assured by various people that there was no one place where anyone could see all the responses for these probes and that, since most of the addresses were dial-up addresses, they could not be compromised hosts being used in a distributed scan. So I revised my conclusion to be that this was a scan from 62.0.55.65 with a large amount of decoy traffic. I did not like this conclusion because it seemed stupid to have the decoy traffic at such a low level that most sites would never notice it, even if they did notice the traffic from 62.0.55.65, which was only 10-20 probes per day -- well under most detection thresholds. The traffic eventually stopped after a couple of weeks, by which time most of our network had been probed.

A few days ago I again picked up low level scanning from 62.0.55.65 and again looked to see if it was accompanied by the 'decoy traffic'. It was. I notified Netvision and The Israeli Security Information Exchange Forum.
I got one response from Israel (I'm not sure if the person concerned would want to be identified so I won't name them) pointing out that all the ISPs involved in the latest incident were members of Bezeq's 135 anonymous dial-in system. Hebrew site: http://www.bezeqnet.co.il/

I quote the original message:

<quote>
Basically, 135 is what a user dials; they bring up their browser and get connected to a selection menu of dozens of ISPs. Once the user selects the ISP of choice, the system establishes a PPP connection and an IP address is assigned from the NAT pool of the ISP. The user can hide behind this anonymous system, and only a court order would get Bezeq started in trying to match up the IP address and time of day to the physical phone that was used.
</quote>

So here is what I think is happening: the blackhat has a couple of modems controlled by a single machine; they both dial into the 135 system and start scanning a large block (say 130/8), randomly varying the 2nd and 3rd octets so not too many packets hit any one network at any time -- nmap will probably do that. Every half hour you drop your connection and reconnect to another ISP and continue. This way, even if you have a /16 net, you will only see 4 or 5 packets from any particular address block in any day.

If this is so, then why do they give it away by reusing 62.0.55.65? If they had not done that then I may well have never noticed the activity at all. I suspect the operation is being launched from 62.0.55.65 and they could not resist the temptation to do some low level probing from there as well, believing that the level would be so low that no one would notice.

The recent traffic stopped shortly after (about an hour or two) I mailed Netvision. I have not received any response from Netvision.

Cheers, Russell.
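The correlation Russell describes (low-volume POP/IMAP probes whose source addresses all share a last octet but come from many different networks) is easy to miss with per-source thresholds, so here is an added example, not from the post or the list, that does the grouping mechanically over firewall log lines. The iptables-style log format and the sample addresses (other than 62.0.55.65, which is from the post) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original post); iptables-style fields.
# Source addresses other than 62.0.55.65 use documentation ranges.
SAMPLE_LOG = """\
Sep 12 10:01:02 fw kernel: IN=eth0 SRC=62.0.55.65 DST=130.1.2.10 PROTO=TCP DPT=110
Sep 12 10:03:11 fw kernel: IN=eth0 SRC=192.0.2.65 DST=130.7.8.22 PROTO=TCP DPT=143
Sep 12 10:05:40 fw kernel: IN=eth0 SRC=192.0.2.65 DST=130.9.1.3 PROTO=TCP DPT=110
Sep 12 10:31:07 fw kernel: IN=eth0 SRC=198.51.100.65 DST=130.40.3.8 PROTO=TCP DPT=110
Sep 12 11:02:19 fw kernel: IN=eth0 SRC=203.0.113.65 DST=130.60.5.2 PROTO=TCP DPT=143
Sep 12 11:10:00 fw kernel: IN=eth0 SRC=203.0.113.7 DST=130.5.5.5 PROTO=TCP DPT=80
Sep 12 11:12:30 fw kernel: IN=eth0 SRC=203.0.113.200 DST=130.5.5.6 PROTO=TCP DPT=110
"""

LINE_RE = re.compile(r"SRC=(\d+\.\d+\.\d+\.\d+) .*DPT=(\d+)")
MAIL_PORTS = {110, 143}  # POP3 and IMAP, the services probed in the post


def parse_probes(log_text):
    """Yield (source_ip, destination_port) for each line with SRC= and DPT=."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), int(m.group(2))


def find_shared_last_octet(log_text, ports=MAIL_PORTS, min_prefixes=3):
    """Group mail-port probes by the source's last octet and report octets seen
    from at least `min_prefixes` distinct /24 source networks. Each hit carries
    the per-source counts, which stay small in the pattern the post describes.
    Returns {last_octet: {"prefixes": [...], "per_source": {ip: count}}}."""
    by_octet = defaultdict(lambda: defaultdict(int))
    for src, port in parse_probes(log_text):
        if port in ports:
            by_octet[int(src.rsplit(".", 1)[1])][src] += 1
    report = {}
    for octet, sources in by_octet.items():
        prefixes = {ip.rsplit(".", 1)[0] for ip in sources}
        if len(prefixes) >= min_prefixes:
            report[octet] = {"prefixes": sorted(prefixes),
                             "per_source": dict(sources)}
    return report


if __name__ == "__main__":
    for octet, hit in find_shared_last_octet(SAMPLE_LOG).items():
        print(f"last octet .{octet} seen from {len(hit['prefixes'])} networks:",
              hit["per_source"])
```

Run against real logs the threshold should be raised well above three networks, since a shared last octet across a handful of sources is common by chance.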