Security Incidents mailing list archives
Re: Ip spoof from 0.0.0.0
From: Mike Lewinski <mike () rockynet com>
Date: Tue, 05 Nov 2002 00:15:05 -0700
A few more data points:

This scan has targeted every /24 in a /20 here. While the third and fourth octets appear random, there are a couple interesting things:
1) 1460 unique IPs have been targeted out of 2321 total deny entries. There is some duplication of effort.
2) Thus far none of the dst IPs have been above the /25 boundary in each /24. If the fourth octet scan is actually limited to 0-127, then ~70% of the possible targets here have been chosen at least once.
A time distribution sample across the 4th octet looks like this:

Nov 1 07:56:54 MST x.y.92.0
Nov 1 12:44:08 MST x.y.83.0
Nov 1 15:59:31 MST x.y.84.0
Nov 1 17:10:40 MST x.y.80.0
Nov 1 23:02:18 MST x.y.91.0
Nov 1 23:03:11 MST x.y.81.0
Nov 2 16:24:15 MST x.y.91.0
Nov 2 18:10:17 MST x.y.95.0
Nov 2 22:24:18 MST x.y.86.0
Nov 3 12:09:46 MST x.y.85.0
Nov 4 07:26:20 MST x.y.84.0
Nov 4 19:10:54 MST x.y.94.0
Nov 4 20:38:13 MST x.y.85.0
Nov 4 21:15:37 MST x.y.84.0

Across the 3rd octet it looks like this:

Nov 4 00:27:30 MST x.y.84.119
Nov 4 00:41:48 MST x.y.84.61
Nov 4 00:57:01 MST x.y.84.18
Nov 4 02:03:55 MST x.y.84.88
Nov 4 02:26:48 MST x.y.84.41
Nov 4 02:46:15 MST x.y.84.98
Nov 4 05:06:20 MST x.y.84.2
Nov 4 05:24:50 MST x.y.84.51
Nov 4 06:09:48 MST x.y.84.7
Nov 4 06:30:17 MST x.y.84.50
Nov 4 07:20:39 MST x.y.84.110
Nov 4 07:25:42 MST x.y.84.69
Nov 4 07:26:20 MST x.y.84.0
Nov 4 08:13:32 MST x.y.84.55
Nov 4 08:25:58 MST x.y.84.46
Nov 4 10:54:05 MST x.y.84.4
Nov 4 11:32:05 MST x.y.84.87
Nov 4 12:28:25 MST x.y.84.117
Nov 4 12:38:27 MST x.y.84.91

Also, our logs show only a single packet denied in every instance. Perhaps the payload is intended to DoS the victim per this:

http://online.securityfocus.com/archive/1/256830

Mike

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
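The coverage figures in the message above can be reproduced from deny-log lines with a short script. This is an added example, not part of the original post: the block 10.0.80.0/20 is a constructed stand-in for the redacted x.y prefix, and the sample lines are constructed in the same "timestamp, destination IP" shape as the excerpts.

```python
import ipaddress
from collections import Counter

# Assumption: constructed stand-in for the redacted x.y.80.0/20 block.
BLOCK = ipaddress.ip_network("10.0.80.0/20")

# Constructed deny-log sample: "Mon D HH:MM:SS TZ dst-ip"
SAMPLE = """\
Nov 4 00:27:30 MST 10.0.84.119
Nov 4 00:41:48 MST 10.0.84.61
Nov 4 02:03:55 MST 10.0.91.0
Nov 4 05:06:20 MST 10.0.84.61
Nov 4 07:26:20 MST 10.0.80.2
Nov 4 08:13:32 MST 10.0.95.127
Nov 4 09:00:00 MST 10.0.96.5
not a log line
"""

def candidate_count(block, max_host=127):
    """Addresses available if the 4th octet is limited to 0..max_host."""
    return len(list(block.subnets(new_prefix=24))) * (max_host + 1)

def scan_coverage(lines, block=BLOCK, max_host=127):
    """Summarise denied destinations: duplicates, octet range, coverage."""
    hits, skipped = Counter(), 0
    for line in lines:
        try:
            dst = ipaddress.ip_address(line.split()[-1])
        except (IndexError, ValueError):
            skipped += 1          # blank or unparseable line
            continue
        if dst not in block:
            skipped += 1          # destination outside the monitored block
            continue
        hits[dst] += 1
    octets = [int(ip) & 0xFF for ip in hits]
    return {
        "total": sum(hits.values()),
        "unique": len(hits),
        "max_fourth_octet": max(octets, default=None),
        "per_24": Counter((int(ip) >> 8) & 0xFF for ip in hits),
        "coverage": sum(o <= max_host for o in octets) / candidate_count(block, max_host),
        "skipped": skipped,
    }

if __name__ == "__main__":
    print(scan_coverage(SAMPLE.splitlines()))
```

With 16 /24s and a fourth octet limited to 0-127 there are 2048 candidate addresses, so 1460 unique targets is about 71% of them, in line with the ~70% stated in the message.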