Security Incidents mailing list archives

Re: port 22 scans + 53 scans


From: John Sage <jsage () finchhaven com>
Date: Mon, 08 Oct 2001 08:18:59 -0700

The tcp:53 probes seem to be some sort of distance-metrics/load balancing activity.

See:

http://www.incidents.org/archives/intrusions/msg00702.html

To quote:

These are likely probes to measure Round Trip Time for intelligent load
balancing using products similar to Cisco's Distributed Director
http://www.cisco.com/warp/public/cc/pd/cxsr/dd/tech/dd_wp.htm

Port 53 and the SYN/ACK flags are used in an attempt to bypass router filters
and firewall rules, thus getting a true RTT to the requesting client. That
allows serving content from the best available server.

If firewalls are dropping these packets, requesting clients may experience
delays receiving the requested content. Firewalls may receive repeated probes
from confused content caching clients.

A frequently cited user of the SYN/ACK probing technique is Mirror Image
http://www.mirror-image.com

See inline for a couple of NSLookups that tend to support that. John is spot
on with his observation:
All packets have the Ack value one less than the value for Seq, e.g.,
Seq: 0x1BC3D89A  Ack: 0x1BC3D899

Matt Scarborough 2001-06-10
Principal symptom: ACK one less than SEQ for any given packet.

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."


Steven S wrote:

I got 1 probe from 131.152.102.64 @ 13:57 EDT today to port 22

then a flood (81 @ present) of port 53 connection attempts within about a
2-minute time span, nothing before, nothing after (so far)

Notice that I got two port 53 attempts in a 12+ hour period, then blam!

Spoofed sources?
I was forwarding these packets from my gateway/router to another host
for analysis (thus the F at the end stands for Forward), but the host is
currently down for upgrading.



Oct  6 02:03:21 gw 1525: IP[Src=62.248.158.48 Dst=xxx.xxx.xxx.xxx TCP
spo=02925 dpo=00053]}S06>R06mF
Oct  6 07:00:54 gw 1525: IP[Src=216.153.214.84 Dst=xxx.xxx.xxx.xxx TCP
spo=03997  dpo=00053]}S06>R06mF
Oct  6 15:20:56 gw 1525: IP[Src=64.14.200.154 Dst=xxx.xxx.xxx.xxx TCP
spo=49722 dpo=00053]}S06>R06mF
Oct  6 15:20:56 gw 1525: IP[Src=216.35.167.58 Dst=xxx.xxx.xxx.xxx TCP
spo=53496 dpo=00053]}S06>R06mF
Oct  6 15:20:56 gw 1525: IP[Src=207.55.138.206 Dst=xxx.xxx.xxx.xxx TCP
spo=63217  dpo=00053]}S06>R06mF
Oct  6 15:20:56 gw 1525: IP[Src=208.184.162.71 Dst=xxx.xxx.xxx.xxx TCP
spo=57907  dpo=00053]}S06>R06mF
Oct  6 15:20:56 gw 1525: IP[Src=64.78.235.14 Dst=xxx.xxx.xxx.xxx TCP
spo=13583 dpo=00053]}S06>R06mF
Oct  6 15:20:56 gw 1525: IP[Src=216.34.68.2 Dst=xxx.xxx.xxx.xxx TCP
spo=51224  dpo=00053]}S06>R06mF
Oct  6 15:20:56 gw 1525: IP[Src=209.249.97.40 Dst=xxx.xxx.xxx.xxx TCP
spo=37503 dpo=00053]}S06>R06mF
Oct  6 15:20:56 gw 1525: IP[Src=216.33.35.214 Dst=xxx.xxx.xxx.xxx TCP
spo=54565 dpo=00053]}S06>R06mF
Oct  6 15:20:57 gw 1525: IP[Src=216.220.39.42 Dst=xxx.xxx.xxx.xxx TCP
spo=39303 dpo=00053]}S06>R06mF
Oct  6 15:20:57 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP
spo=48593 dpo=00053]}S06>R06mF
Oct  6 15:20:57 gw 1525: IP[Src=62.23.80.2 Dst=xxx.xxx.xxx.xxx TCP
spo=37779  dpo=00053]}S06>R06mF
Oct  6 15:20:57 gw 1525: IP[Src=194.205.125.26 Dst=xxx.xxx.xxx.xxx TCP
spo=57719  dpo=00053]}S06>R06mF
Oct  6 15:20:57 gw 1525: IP[Src=62.26.119.34 Dst=xxx.xxx.xxx.xxx TCP
spo=57174  dpo=00053]}S06>R06mF
Oct  6 15:20:57 gw 1525: IP[Src=64.56.174.186 Dst=xxx.xxx.xxx.xxx TCP
spo=52486  dpo=00053]}S06>R06mF
Oct  6 15:20:57 gw 1525: IP[Src=194.213.64.150 Dst=xxx.xxx.xxx.xxx TCP
spo=18133  dpo=00053]}S06>R06mF
Oct  6 15:20:57 gw 1525: IP[Src=64.37.200.46 Dst=xxx.xxx.xxx.xxx TCP
spo=15205  dpo=00053]}S06>R06mF
Oct  6 15:20:57 gw 1525: IP[Src=203.194.166.182 Dst=xxx.xxx.xxx.xxx TCP
spo=21712  dpo=00053]}S06>R06mF
Oct  6 15:20:57 gw 1525: IP[Src=202.139.133.129 Dst=xxx.xxx.xxx.xxx TCP
spo=55707  dpo=00053]}S06>R06mF
Oct  6 15:20:57 gw 1525: IP[Src=203.208.128.70 Dst=xxx.xxx.xxx.xxx TCP
spo=40535  dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP
spo=48593  dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=62.23.80.2 Dst=xxx.xxx.xxx.xxx TCP
spo=37923  dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP
spo=48739  dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=194.205.125.26 Dst=xxx.xxx.xxx.xxx TCP
spo=57860  dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=194.213.64.150 Dst=xxx.xxx.xxx.xxx TCP
spo=18277 dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=64.14.200.154 Dst=xxx.xxx.xxx.xxx TCP
spo=49897 dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=216.35.167.58 Dst=xxx.xxx.xxx.xxx TCP
spo=53671 dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=207.55.138.206 Dst=xxx.xxx.xxx.xxx TCP
spo=63392 dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=64.78.235.14 Dst=xxx.xxx.xxx.xxx TCP
spo=13758 dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=208.184.162.71 Dst=xxx.xxx.xxx.xxx TCP
spo=58084 dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=64.37.200.46 Dst=xxx.xxx.xxx.xxx TCP
spo=15380 dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=216.34.68.2 Dst=xxx.xxx.xxx.xxx TCP
spo=51399  dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=209.249.97.40 Dst=xxx.xxx.xxx.xxx TCP
spo=37678 dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=216.33.35.214 Dst=xxx.xxx.xxx.xxx TCP
spo=54752 dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=216.220.39.42 Dst=xxx.xxx.xxx.xxx TCP
spo=39418 dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=62.26.119.34 Dst=xxx.xxx.xxx.xxx TCP
spo=57349 dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=64.56.174.186 Dst=xxx.xxx.xxx.xxx TCP
spo=52661 dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=203.194.166.182 Dst=xxx.xxx.xxx.xxx TCP
spo=21896  dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=202.139.133.129 Dst=xxx.xxx.xxx.xxx TCP
spo=55882  dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=203.208.128.70 Dst=xxx.xxx.xxx.xxx TCP
spo=40710  dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=216.35.167.58 Dst=xxx.xxx.xxx.xxx TCP
spo=53714 dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=209.249.97.40 Dst=xxx.xxx.xxx.xxx TCP
spo=37721 dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=216.33.35.214 Dst=xxx.xxx.xxx.xxx TCP
spo=54785 dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=207.55.138.206 Dst=xxx.xxx.xxx.xxx TCP
spo=63435 dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=64.78.235.14 Dst=xxx.xxx.xxx.xxx TCP
spo=13801 dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=64.37.200.46 Dst=xxx.xxx.xxx.xxx TCP
spo=15423 dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=64.14.200.154 Dst=xxx.xxx.xxx.xxx TCP
spo=49940 dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=208.184.162.71 Dst=xxx.xxx.xxx.xxx TCP
spo=58127  dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=216.34.68.2 Dst=xxx.xxx.xxx.xxx TCP
spo=51442  dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=194.205.125.26 Dst=xxx.xxx.xxx.xxx TCP
spo=57935  dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=62.23.80.2 Dst=xxx.xxx.xxx.xxx TCP
spo=37995  dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP
spo=48813  dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=62.26.119.34 Dst=xxx.xxx.xxx.xxx TCP
spo=57392 dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=194.213.64.150 Dst=xxx.xxx.xxx.xxx TCP
spo=18349  dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=64.56.174.186 Dst=xxx.xxx.xxx.xxx TCP
spo=52704 dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=203.194.166.182 Dst=xxx.xxx.xxx.xxx TCP
spo=21939  dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=202.139.133.129 Dst=xxx.xxx.xxx.xxx TCP
spo=55925  dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=203.208.128.70 Dst=xxx.xxx.xxx.xxx TCP
spo=40753  dpo=00053]}S06>R06mF
Oct  6 15:21:01 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP
spo=48739  dpo=00053]}S06>R06mF
Oct  6 15:21:01 gw 1525: IP[Src=62.26.119.34 Dst=xxx.xxx.xxx.xxx TCP
spo=57349 dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP
spo=48813  dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=216.33.35.214 Dst=xxx.xxx.xxx.xxx TCP
spo=54935 dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP
spo=48954  dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=216.35.167.58 Dst=xxx.xxx.xxx.xxx TCP
spo=53890 dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=209.249.97.40 Dst=xxx.xxx.xxx.xxx TCP
spo=37895 dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=207.55.138.206 Dst=xxx.xxx.xxx.xxx TCP
spo=63609  dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=64.37.200.46 Dst=xxx.xxx.xxx.xxx TCP
spo=15597 dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=64.78.235.14 Dst=xxx.xxx.xxx.xxx TCP
spo=13975 dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=64.14.200.154 Dst=xxx.xxx.xxx.xxx TCP
spo=50114 dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=208.184.162.71 Dst=xxx.xxx.xxx.xxx TCP
spo=58301  dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=216.34.68.2 Dst=xxx.xxx.xxx.xxx TCP
spo=51616  dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=194.205.125.26 Dst=xxx.xxx.xxx.xxx TCP
spo=58101  dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=62.23.80.2 Dst=xxx.xxx.xxx.xxx TCP
spo=38161  dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=62.26.119.34 Dst=xxx.xxx.xxx.xxx TCP
spo=57566 dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=194.213.64.150 Dst=xxx.xxx.xxx.xxx TCP
spo=18515  dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=64.56.174.186 Dst=xxx.xxx.xxx.xxx TCP
spo=52878 dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=203.194.166.182 Dst=xxx.xxx.xxx.xxx TCP
spo=22113  dpo=00053]}S06>R06mF
Oct  6 15:21:03 gw 1525: IP[Src=202.139.133.129 Dst=xxx.xxx.xxx.xxx TCP
spo=56099  dpo=00053]}S06>R06mF
Oct  6 15:21:03 gw 1525: IP[Src=203.208.128.70 Dst=xxx.xxx.xxx.xxx TCP
spo=40927  dpo=00053]}S06>R06mF
Oct  6 15:21:04 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP
spo=48954  dpo=00053]}S06>R06mF




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
