funsec mailing list archives

Network probing from Tehran...


From: "Fergie" <fergdawg () netzero net>
Date: Mon, 12 Dec 2005 14:35:37 GMT

Came into work this morning and reviewing IDS logs from
the weekend...

Happens all the time, mostly from China, but this is the
first I've seen from Iran -- at least in a while. ;-)

I'm guessing that sending an abuse/alert note would probably
go unanswered... :-)

- ferg


[snip]

Description:
Triggers when a single TCP packet with none of the SYN, FIN, ACK, or RST
flags set has been sent to a specific host. This is indicative that a
reconnaissance sweep of your network may be in progress. The use of this
type of packet indicates an attempt to conceal the sweep. This may be the
prelude to a more serious attack. 

This should never occur in legitimate traffic. The source of this packet
should be shunned.




Winters-IDS reported a high severity alert at 12/10/2005 10:13:04
Signature TCP NULL Packet (3040:0) from 62.220.106.138 to x.x.73.128
Actions taken: None

----------------------------------------------------

Winters-IDS reported a high severity alert at 12/10/2005 10:09:51
Signature TCP NULL Packet (3040:0) from 62.220.106.138 to x.x.131.111
Actions taken: None

----------------------------------------------------

Winters-IDS reported a high severity alert at 12/10/2005 10:07:40
Signature TCP NULL Packet (3040:0) from 62.220.106.138 to x.x.108.64
Actions taken: None

----------------------------------------------------



[IPv4 whois information for 62.220.106.138 ]
[whois.ripe.net]
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-proposal-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Information related to '62.220.96.0 - 62.220.107.255'

inetnum:      62.220.96.0 - 62.220.107.255
netname:      TAKTA-NET
descr:        Soroush Interactive Network
country:      IR
admin-c:      AA2755-RIPE
tech-c:       AHR
tech-c:       MOH3-RIPE
status:       ASSIGNED PA
mnt-by:       SINET-MNT
changed:      hostmaster () ripe net 20011025
changed:      registry () tehran sinet ir 20040212
source:       RIPE

person:       Ahmad Akbarshahi
address:      ParsaTek Company
address:      APT#450, Bahar Building,
address:      Bahar Street, Tehran - Iran
phone:        +98 21 8301883
phone:        +98 21 8301884
fax-no:       +98 21 8311505
e-mail:       a.akbarshahi () parsatek com
e-mail:       akbarshahi () yahoo com
nic-hdl:      AA2755-RIPE
notify:       akbarshahi () yahoo com
mnt-by:       SINET-MNT
changed:      akbarshahi () takta net 20010919
changed:      registry () tehran sinet ir 20040212
changed:      registry () tehran sinet ir 20041125
source:       RIPE

person:       Mohammad Mofatteh
address:      Takta.NET
address:      No.14, Mollasadra St.
address:      Tehran - IRAN
phone:        +98 21 830 1883
phone:        +98 21 830 1884
fax-no:       +98 21 831 1505
e-mail:       mofatteh () gmail com
e-mail:       mohammad () tehran sinet ir
e-mail:       registry () tehran sinet ir
e-mail:       mohammad () takta net
notify:       mofatteh () gmail com
nic-hdl:      MOH3-RIPE
mnt-by:       MNT-MOHAMMAD
changed:      registry () takta net 20010513
changed:      registry () tehran sinet ir 20030212
changed:      mohammad () tehran sinet ir 20040219
changed:      mohammad () tehran sinet ir 20040608
source:       RIPE

person:       Amir Hassan Rasti
address:      Institute for Studies in Theoretical Physics
address:      and Mathematics (IPM)
address:      P.O.Box 19395-1795
address:      Tehran, Iran
phone:        +98 21 2291812
fax-no:       +98 21 2298656
e-mail:       amir () nic ir
notify:       amir () nic ir
mnt-by:       SHARIF-EDU-MNT
nic-hdl:      AHR
changed:      amir () nic ir 20040501
source:       RIPE

% Information related to '62.220.96.0/19AS21341'

route:        62.220.96.0/19
descr:        Soroush Rasaneh Institute
origin:       AS21341
mnt-by:       SINET-MNT
changed:      akbarshahi () takta net 20020107
changed:      mohammad () tehran sinet ir 20040212
source:       RIPE

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
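The signature description above defines a "TCP NULL packet" as one with none of SYN, FIN, ACK or RST set. As an added illustration (not code from the post, the list, or the IDS vendor), the following checks that condition on a raw TCP header and groups alert lines of the shape shown in the post by source address; the header builder and the sample alert text are constructed test input.

```python
import re
import struct

# TCP flag bits in byte 13 of the header (RFC 793 layout).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def tcp_flags(tcp_header: bytes) -> int:
    """Return the six flag bits of a raw (>= 20 byte) TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    return tcp_header[13] & 0x3F

def is_null_packet(tcp_header: bytes) -> bool:
    """True when none of SYN, FIN, ACK, RST is set, as the signature text defines it.
    Caveat: PSH-only or URG-only packets also match this definition; a strict
    NULL scan sets no flag bits at all, so expect occasional broken-stack noise."""
    return tcp_flags(tcp_header) & (SYN | FIN | ACK | RST) == 0

def make_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Build a minimal 20-byte TCP header for testing (constructed; no checksum)."""
    data_offset = 5 << 4  # 5 words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 1024, 0, 0)

# Alert format as it appears in the post (IDS name, severity, timestamp, signature, src, dst).
ALERT_RE = re.compile(r"reported a (\w+) severity alert at (\S+ \S+)\n"
                      r"Signature (.+?) \((\d+:\d+)\) from (\S+) to (\S+)")

def summarize_alerts(text: str) -> dict:
    """Group alerts by source IP: count, distinct targets, distinct signatures."""
    summary = {}
    for sev, when, name, sid, src, dst in ALERT_RE.findall(text):
        entry = summary.setdefault(src, {"count": 0, "targets": set(), "signatures": set()})
        entry["count"] += 1
        entry["targets"].add(dst)
        entry["signatures"].add(f"{name} ({sid})")
    return summary

# Constructed sample: the three alert records quoted in the post.
SAMPLE_ALERTS = """Winters-IDS reported a high severity alert at 12/10/2005 10:13:04
Signature TCP NULL Packet (3040:0) from 62.220.106.138 to x.x.73.128
Winters-IDS reported a high severity alert at 12/10/2005 10:09:51
Signature TCP NULL Packet (3040:0) from 62.220.106.138 to x.x.131.111
Winters-IDS reported a high severity alert at 12/10/2005 10:07:40
Signature TCP NULL Packet (3040:0) from 62.220.106.138 to x.x.108.64
"""

if __name__ == "__main__":
    for src, info in summarize_alerts(SAMPLE_ALERTS).items():
        print(src, info["count"], "hits on", len(info["targets"]), "hosts")
```

One source hitting several distinct hosts with the same signature in a few minutes is the sweep pattern the description refers to; a single hit from a source that also has normal sessions is more likely a broken stack.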