Firewall Wizards mailing list archives

Re: repetitive port scanning, why?

From: Robert Graham <robert_david_graham () yahoo com>
Date: Thu, 5 Aug 1999 22:34:21 -0700 (PDT)

--- Fred Kreitzberg <fkreitz () rei com> wrote:

Our web store underwent a heavy port scan yesterday.  It was unusual in both
the number of scans, the port scanning pattern and the fact they scanned each
port 6 times.  They were fast too, 8600 scans in less then 2 minutes.  Is
this a new product/technique?


A SYN/stealth scan can easily run this fast. It's not even to hard to send 8600
packets in 2-seconds, much less 2-minutes.

If you are running a firewall that drops SYN packets, then a scanner assumes
that some get lost in transit. Therefore, the scanner doesn't know whether the
firewall dropped the packet, or if the packet was lost somewhere in the
Internet.

In short, this could easily be 'nmap', as well as a dozen other TCP scanners
that hit your site. Most people do 'fast' scans looking for specific port
numbers; actually scanning all possible port numbers is fairly rare.

Rob.

===
Robert Graham
"Anxiously awaiting the millenium so I can start programming
dates with 2-digits again."
_____________________________________________________________
Do You Yahoo!?
Free instant messaging and more at http://messenger.yahoo.com

Current thread:

repetitive port scanning, why? Fred Kreitzberg (Aug 04)
- Re: repetitive port scanning, why? Siglite (Aug 05)
- Re: repetitive port scanning, why? Michael H. Warfield (Aug 06)
- <Possible follow-ups>
- Re: repetitive port scanning, why? Robert Graham (Aug 06)