RE: Ping Scan

["Fernando Cardoso" <fernando.cardoso () whatevernet com>]

Hi Frank

Actually a spoofed source DoS was my first thought, but since the
destination port was somewhat exotic (TCP 32165 in the packet dump you've
sent) and the host is inexistent, a idlescan seemed a better guess.

Also, from what you mentioned, unassigned IPs were seen in the destination
(BTW the one in the dump, it's assigned to a network in India, but the host
is non-existent). A SYN flood to non-existent hosts? Weird, but I guess you
can say the same for a non-existent host idlescan :)

The packets you are getting (at least the one you sent to the list) doesn't
origin from a flooded host but from a border router. This may point to an
acl applied in order to stop a DoS attack.

But these are all suppositions...

Cheers

Fernando

--
Fernando Cardoso - Security Consultant       WhatEverNet Computing, S.A.
Phone : +351 21 7994200                      Praca de Alvalade, 6 - Piso 6
Fax   : +351 21 7994242                      1700-036 Lisboa - Portugal
email : fernando.cardoso () whatevernet com     http://www.whatevernet.com/



> > -----Original Message-----
> > From: Fernando Cardoso [mailto:fernando.cardoso () whatevernet com]
> > Sent: Monday, September 17, 2001 3:32 AM
> >
> > I don't think you should be looking for a ping scan tool.
> > From the data you
> > sent, it seems that the box x.x.x.x tried to connect to
> > 202.46.194.5 on port
> > TCP 32165 and, [...]
>
>
> Fernando (and others),
>
> these packets can not be response packets to anything originating
> from my network since there IS NO HOST ON X.X.X.X.
> A discussion last night with Chris Morrow seems to be closer on
> track. I've been receiving these packets from about 40 different
> hosts, with the destination host varying (for the most part, again,
> unassigned IP's). These packets appear to be responses from a
> syn-flooded system with spoofed addresses (mine...*sigh*). This would
> explain the randomness of source/dest IP and time.
>
> I've seen these 'unreachables' (from/to non-existent hosts) before,
> but attributed them to a scan, rather than an attack.


_____________________________________________________________________
                      INTERNET MAIL FOOTER 
A presente mensagem pode conter informação considerada confidencial.
Se o receptor desta mensagem não for o destinatário indicado, fica
expressamente proibido de copiar ou endereçar a mensagem a terceiros.
Em tal situação, o receptor deverá destruir a presente mensagem e por
gentileza informar o emissor de tal facto.
---------------------------------------------------------------------
Privileged or confidential information may be contained in this
message. If you are not the addressee indicated in this message, you
may not copy or deliver this message to anyone. In such case, you
should destroy this message and kindly notify the sender by reply
email.
---------------------------------------------------------------------


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com