Re: Scan combining internal/external

[Rich Puhek <rpuhek () etnsystems com>]

"Stephen W. Thompson" wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Yesterday afternoon I saw apparently-coordinated scans which
> absolutely confuse me.  I'd appreciate hearing from anyone who has
> seen anything similar or who has a likely explanation.
>
> First, I have my main machine which has Linux with an ipchains
> firewall.  On the same subnet I have a linux box with a non-recent
> Snort IDS configuration monitoring the subnet.
>
> The logs below show:
>  1) My ipchains logs showing several of *our* machines from diverse
>     subnets making from 1 to 6 connection attempts to *my* personal
>     machine, the first at 15:18, then a bunch from 16:29 to 16:31:50.
>     All but the first have source port tcp/6667 to various destination
>     ports.
>  2) Snort logs revealing a scan by an external IP of many machines on
>     my subnet, source and destination ports tcp/6667, lasting from
>     16:31:46 to 16:31:47.

Are you ingress filtering? (Does your router block incoming packets with
source IP address = your subnets?). If not, I'd suggest doing so.
ipchains is fine and good, but ingress filtering will prevent bad guys
from pretending to be from your network.

Could be the attacker is not real sophisticated, and is doing something
like:

nmap -sS -g 6667 -Dyour_ip_1,your_ip_2,your_ip_3  your_target_machine

which is really pretty pointless, since you've easily identified the
source of the scan...

_________________________________________________________
                         
Rich Puhek               
ETN Systems Inc.         
_________________________________________________________

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com