Security Incidents mailing list archives
Re: port 22 scans + 53 scans
From: John Sage <jsage () finchhaven com>
Date: Mon, 08 Oct 2001 08:18:59 -0700
The tcp:53 probes seem to be some sort of distance-metrics/load balancing activity.
See: http://www.incidents.org/archives/intrusions/msg00702.html

To quote:

> These are likely probes to measure Round Trip Time for intelligent load balancing using products similar to Cisco's Distributed Director: http://www.cisco.com/warp/public/cc/pd/cxsr/dd/tech/dd_wp.htm
>
> Port 53 and the SYN/ACK flags are used in an attempt to bypass router filters and firewall rules, thus getting a true RTT to the requesting client. That allows serving content from the best available server. If firewalls are dropping these packets, requesting clients may experience delays receiving the requested content. Firewalls may receive repeated probes from confused content caching clients.
>
> A frequently cited user of the SYN/ACK probing technique is Mirror Image: http://www.mirror-image.com
>
> See inline for a couple of NSLookups that tend to support that.
>
> John is spot on with his observation: All packets have the Ack value one less than the value for Seq, e.g., Seq: 0x1BC3D89A Ack: 0x1BC3D899
>
> Matt Scarborough 2001-06-10

Principal symptoms: ACK one less than SEQ for any given packet.

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."

Steven S wrote:
> I got 1 probe from 131.152.102.64 @ 13:57 EDT today to port 22, then a flood (81 @ present) of port 53 connection attempts within about a 2 minute time span, nothing before, nothing after (so far). Notice that I got two port 53 attempts in a 12+ hour period, then blam! Spoofed sources?
>
> I was forwarding these packets from my gateway/router to another host for analysis (the F at the end stands for Forward), but the host is currently down for upgrading.
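As an added example (not code from the thread), the SEQ/ACK relationship John and Matt describe can be checked directly on a raw TCP header. It assumes you have the 20-byte header bytes from a capture (Steven's gateway log records only ports and flags, not sequence numbers); the sample packets are constructed here, reusing the Seq/Ack pair quoted in Matt's note.

```python
import struct

# TCP flag bits (low 9 bits of the data-offset/flags word)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def parse_tcp_header(hdr: bytes) -> dict:
    """Decode the fixed 20-byte TCP header (network byte order, options ignored)."""
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", hdr[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x01FF}

def looks_like_rtt_probe(pkt: dict) -> bool:
    """The pattern from the thread: a SYN/ACK aimed *at* tcp/53 whose ACK == SEQ - 1.
    A genuine SYN/ACK answers a SYN we sent, so it comes *from* port 53 and its ACK
    bears no relation to its own SEQ. The subtraction wraps modulo 2**32."""
    synack = (pkt["flags"] & (SYN | ACK)) == (SYN | ACK)
    return pkt["dport"] == 53 and synack and pkt["ack"] == (pkt["seq"] - 1) & 0xFFFFFFFF

def build_tcp_header(sport, dport, seq, ack, flags) -> bytes:
    """Constructed test packets: data offset 5 words, window 8192, zero checksum."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 8192, 0, 0)

# Constructed samples; the first Seq/Ack pair is the one Matt Scarborough quoted
SAMPLES = {
    "rtt_probe":       build_tcp_header(49722, 53, 0x1BC3D89A, 0x1BC3D899, SYN | ACK),
    "wrapped_probe":   build_tcp_header(49722, 53, 0x00000000, 0xFFFFFFFF, SYN | ACK),
    "real_dns_reply":  build_tcp_header(53, 49722, 0x1BC3D89A, 0x7A3E0001, SYN | ACK),
    "plain_syn_to_53": build_tcp_header(49722, 53, 0x1BC3D89A, 0x00000000, SYN),
}

def classify(samples: dict) -> dict:
    """Map each sample name to whether it matches the RTT-probe signature."""
    return {name: looks_like_rtt_probe(parse_tcp_header(raw)) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, hit in classify(SAMPLES).items():
        print(f"{name:16s} {'PROBE' if hit else 'ok'}")
```

A stateless filter that passes any packet with ACK set will let these through, which is exactly why the probe is shaped this way; the ACK == SEQ - 1 check is what separates it from a legitimate SYN/ACK.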
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com