Security Incidents mailing list archives
Re: Ip spoof from 0.0.0.0
From: "Crist J. Clark" <crist.clark () attbi com>
Date: Tue, 5 Nov 2002 23:14:23 -0800
On Tue, Nov 05, 2002 at 12:15:05AM -0700, Mike Lewinski wrote:
> A few more data points: This scan has targeted every /24 in a /20 here.
> While the third and fourth octets appear random, there are a couple
> interesting things:
>
> 1) 1460 unique IPs have been targeted out of 2321 total deny entries.
> There is some duplication of effort.
>
> 2) Thus far none of the dst IPs have been above the /25 boundary in each
> /24. If the fourth octet scan is actually limited to 0-127, then ~70% of
> the possible targets here have been chosen at least once.
>
> A time distribution sample across the 4th octet looks like this:
>
> Nov 1 07:56:54 MST x.y.92.0
> Nov 1 12:44:08 MST x.y.83.0
> Nov 1 15:59:31 MST x.y.84.0
> Nov 1 17:10:40 MST x.y.80.0
> Nov 1 23:02:18 MST x.y.91.0
> Nov 1 23:03:11 MST x.y.81.0
> Nov 2 16:24:15 MST x.y.91.0
> Nov 2 18:10:17 MST x.y.95.0
> Nov 2 22:24:18 MST x.y.86.0
> Nov 3 12:09:46 MST x.y.85.0
> Nov 4 07:26:20 MST x.y.84.0
> Nov 4 19:10:54 MST x.y.94.0
> Nov 4 20:38:13 MST x.y.85.0
> Nov 4 21:15:37 MST x.y.84.0
>
> Across the 3rd octet it looks like this:
>
> Nov 4 00:27:30 MST x.y.84.119
> Nov 4 00:41:48 MST x.y.84.61
> Nov 4 00:57:01 MST x.y.84.18
> Nov 4 02:03:55 MST x.y.84.88
> Nov 4 02:26:48 MST x.y.84.41
> Nov 4 02:46:15 MST x.y.84.98
> Nov 4 05:06:20 MST x.y.84.2
> Nov 4 05:24:50 MST x.y.84.51
> Nov 4 06:09:48 MST x.y.84.7
> Nov 4 06:30:17 MST x.y.84.50
> Nov 4 07:20:39 MST x.y.84.110
> Nov 4 07:25:42 MST x.y.84.69
> Nov 4 07:26:20 MST x.y.84.0
> Nov 4 08:13:32 MST x.y.84.55
> Nov 4 08:25:58 MST x.y.84.46
> Nov 4 10:54:05 MST x.y.84.4
> Nov 4 11:32:05 MST x.y.84.87
> Nov 4 12:28:25 MST x.y.84.117
> Nov 4 12:38:27 MST x.y.84.91
>
> Also, our logs show only a single packet denied in every instance.
> Perhaps the payload is intended to DoS the victim per this:
> http://online.securityfocus.com/archive/1/256830
Huh? We still talking about TCP SYN packets from 0.0.0.0 source address to 445/tcp?

If the source address is 0.0.0.0, i.e. an address that a response (if the receiver is even broken enough to send a response in the first place) can never get to, how can an "attacker" ever hope to deliver a payload? You can't finish the TCP handshake. If this is a scanner or DoS attempt of some kind, the tool doing it is broken (*shock* broken k1dd13 t00lz?). There is no way it can do either.

These remind me of those,

  255.255.255.255:31337 -> a.b.c.d:515

SYN packets you still see from time to time. More amusing than anything else. If anyone really knows what generates any of these, I'd love to know, but I'm not losing any sleep over it.

-- 
Crist J. Clark                     | cjclark () alum mit edu
                                   | cjclark () jhu edu
http://people.freebsd.org/~cjc/    | cjc () freebsd org

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
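The two observations in this thread, that a SYN from a source like 0.0.0.0 or 255.255.255.255 can never receive the SYN-ACK and so cannot complete a handshake, and Mike's per-/24 tally of unique targets and fourth-octet range, are easy to turn into a small log-analysis routine. The following is an added example, not code from either poster; the firewall log format, the 10.20.x.x target addresses, and the line contents are constructed for illustration and are not the real logs from the thread.

```python
"""Tally firewall deny entries for SYNs from sources that cannot complete a handshake.

Assumed (constructed) log format, one deny per line:
  Mon DD HH:MM:SS TZ fw: deny <proto> <src>:<sport> -> <dst>:<dport>
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines. Not from the original post; addresses and ports are
# invented to mirror the pattern discussed (0.0.0.0 -> tcp/445, 255.255.255.255 -> tcp/515).
SAMPLE_LOG = """\
Nov  4 00:27:30 MST fw: deny tcp 0.0.0.0:31337 -> 10.20.84.119:445
Nov  4 00:41:48 MST fw: deny tcp 0.0.0.0:31337 -> 10.20.84.61:445
Nov  4 00:57:01 MST fw: deny tcp 0.0.0.0:31337 -> 10.20.84.18:445
Nov  4 02:03:55 MST fw: deny tcp 0.0.0.0:31337 -> 10.20.84.88:445
Nov  4 02:26:48 MST fw: deny tcp 0.0.0.0:31337 -> 10.20.84.61:445
Nov  4 05:06:20 MST fw: deny tcp 0.0.0.0:31337 -> 10.20.85.2:445
Nov  4 07:26:20 MST fw: deny tcp 0.0.0.0:31337 -> 10.20.84.0:445
Nov  4 08:13:32 MST fw: deny tcp 255.255.255.255:31337 -> 10.20.84.55:515
Nov  4 10:54:05 MST fw: deny tcp 198.51.100.7:4321 -> 10.20.84.4:22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \w+ fw: deny (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Source addresses a SYN-ACK can never be delivered to: 0.0.0.0/8 ("this network",
# only valid as a source during address configuration) and the limited broadcast
# address. A SYN claiming either as its source cannot finish a three-way handshake.
UNROUTABLE_SRC = [ip_network("0.0.0.0/8"), ip_network("255.255.255.255/32")]


def is_unroutable_source(addr):
    """True if a reply to this source address could never reach a real host."""
    a = ip_address(addr)
    return any(a in net for net in UNROUTABLE_SRC)


def parse(log_text):
    """Yield one dict per line that matches the constructed deny format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than guessing
        d = m.groupdict()
        d["src"] = ip_address(d["src"])
        d["dst"] = ip_address(d["dst"])
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        yield d


def summarize(log_text):
    """Reproduce the thread's tallies: unique targets, duplicates, fourth-octet range."""
    entries = list(parse(log_text))
    spoofed = [e for e in entries if is_unroutable_source(e["src"])]
    dsts = [e["dst"] for e in spoofed]
    unique_dsts = set(dsts)

    # Fourth octets hit per /24, to test the "never above .127" observation.
    per_24 = defaultdict(set)
    for d in unique_dsts:
        net24 = ip_network(f"{d}/24", strict=False)
        per_24[str(net24)].add(int(d) & 0xFF)
    max_octet = max((int(d) & 0xFF for d in unique_dsts), default=None)

    return {
        "total_deny": len(entries),
        "spoofed_deny": len(spoofed),
        "unique_targets": len(unique_dsts),
        "duplicate_hits": len(dsts) - len(unique_dsts),
        "max_fourth_octet": max_octet,
        "below_128_only": max_octet is not None and max_octet <= 127,
        # Fraction of the lower half (0-127) of each /24 seen at least once.
        "per_24_coverage": {k: len(v) / 128 for k, v in per_24.items()},
        "src_port_counts": Counter(e["sport"] for e in spoofed),
        "dst_port_counts": Counter(e["dport"] for e in spoofed),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

On the sample, the routine separates the one legitimately routable source from the eight handshake-impossible ones, reports one duplicated target, and confirms every fourth octet is below 128. Run it over a real deny log by swapping `LINE_RE` for the actual firewall's format; the unroutable-source check is the part worth keeping as an alert filter, since anything it matches is by construction noise or a broken tool rather than a connection that could ever carry a payload.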
Current thread:
- Ip spoof from 0.0.0.0 Ingersoll, Jared (Nov 04)
- Re: Ip spoof from 0.0.0.0 Olaf Schreck (Nov 04)
- Message not available
- Re: Ip spoof from 0.0.0.0 Mike Lewinski (Nov 05)
- Re: Ip spoof from 0.0.0.0 Crist J. Clark (Nov 06)
- Message not available
- Re: Ip spoof from 0.0.0.0 Olaf Schreck (Nov 04)
- Re: Ip spoof from 0.0.0.0 Pavel Kankovsky (Nov 06)
- RE: Ip spoof from 0.0.0.0 Omar Herrera (Nov 07)
- RE: Ip spoof from 0.0.0.0 Russell Fulton (Nov 07)
- RE: Ip spoof from 0.0.0.0 Omar Herrera (Nov 07)
- RE: Ip spoof from 0.0.0.0 Omar Herrera (Nov 07)
- Re: Ip spoof from 0.0.0.0 Mike Maxwell (Nov 09)
- <Possible follow-ups>
- Re: Ip spoof from 0.0.0.0 Frank Cheong (Nov 06)
- Re: Ip spoof from 0.0.0.0 Mike Lewinski (Nov 06)
- Re: Ip spoof from 0.0.0.0 Paul Gillingwater (Nov 06)
- Re: Ip spoof from 0.0.0.0 Nexus (Nov 07)
- Re: Ip spoof from 0.0.0.0 batz (Nov 07)