Security Incidents mailing list archives

Re: scans on ports 3072 and 1024, why?


From: Aaron Schultz <aaron () POWERTRIP NET>
Date: Thu, 28 Dec 2000 17:06:26 -0800

If I may be so bold as to request that anyone with information about
DALnet related attacks and incidents include me in their correspondence
and forward any logs.  Thank you all in advance for your assistance.

Quick background on what's been happening:
Starting around December 5th, DALnet has been hit with large
attacks.  These attacks have been able to take some large ISPs completely
offline (ie: multiple T3 connections, etc).

I'd like to start working with any of you who have logs like the ones
reported.  The logs I'm interested in are from December which indicate
connections to multiple DALnet addresses.

Theory on what some of you may be seeing:  To produce attacks of the size
we've seen, it would take a lot of compromised hosts.  Some of the hosts
you may see in your logs attempting to connect to IRC servers in sequence
may indicate a compromised host.

My association with DALnet can be verified though:
- whois dal.net - note DNS servers
- whois powertrip.net - note my contact info (AS508)
..or e-mail dalvenjah () dal net directly if you feel more comfortable.

Thanks again.

- Aaron Schultz
- aaron () powertrip net
------

On Thu, 28 Dec 2000, Conor McGrath wrote:

Bill_Royds () pch gc ca once said:
We have been getting the same traffic hitting our firewall. More interestingly
it is being sent to non-existent hosts behind our firewall which could never
have sent the original packets and we do not allow IRC out anyway. It could be
replies to spoofed packets or a way of probing for servers.
Here are some firewall logs (sanitized as to our address) showing this:


logfile.20001224:Dec 24 16:15:58.327 gate kernel: 232 Sending ICMP host
(prohibited) unreachable. Original packet
(dalnet.away.net[199.173.178.1]->server.seg.ip.83: Protocol=TCP[SYN ACK] Port

[snip most of the logs]

There are many more like this.

I don't suppose you managed to capture any of those packets, did you?  Due
to privacy concerns, I am not allowed to capture packets as they come in
over our gateway.  Of course, I can capture anything that comes directly
to my machine, but they haven't hit me directly since before my awareness
was raised.  I'd be suspicious but we do have an entire Class B network
and I only have a few machines for which I'm personally responsible, and
if these are scans, they are fairly slow (never any more than two hundred
an hour per host).  I've seen people do ftp scans of 35k+ on us in an hour.
We tend to notice those right away :-)

--

Conor McGrath                                           Phone: (773)702-7611
Network Security Officer                                Fax:   (773)702-0559
Network Security Center, The University of Chicago
PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml
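The pattern Bill describes (SYN/ACK packets arriving for hosts that never sent a SYN) is the classic signature of backscatter from a SYN flood whose source addresses were forged to be yours. The script below is an added example, not code from anyone in this thread: it parses firewall lines in the shape quoted above, keeps only rejected SYN/ACK packets, and counts them per sender and sender port so that a flooded server (e.g. an IRC daemon on 6667) stands out. The log line above is cut off after "Port", so the "Port=src->dst" tail and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the firewall log quoted in this thread.
# The "Port=<sport>-><dport>" tail is an assumed continuation of the truncated line.
SAMPLE_LOG = """\
logfile.20001224:Dec 24 16:15:58.327 gate kernel: 232 Sending ICMP host (prohibited) unreachable. Original packet (dalnet.away.net[199.173.178.1]->server.seg.ip.83: Protocol=TCP[SYN ACK] Port=6667->3072
logfile.20001224:Dec 24 16:16:02.110 gate kernel: 232 Sending ICMP host (prohibited) unreachable. Original packet (dalnet.away.net[199.173.178.1]->server.seg.ip.91: Protocol=TCP[SYN ACK] Port=6667->1024
logfile.20001224:Dec 24 16:16:09.501 gate kernel: 232 Sending ICMP host (prohibited) unreachable. Original packet (mirror.example.net[192.0.2.10]->server.seg.ip.7: Protocol=TCP[SYN] Port=40123->21
"""

# Pull the rejected packet's endpoints, TCP flags and ports out of one log line.
LINE_RE = re.compile(
    r"Original packet \((?P<src_name>[^\[]+)\[(?P<src_ip>[\d.]+)\]->(?P<dst>[^:]+): "
    r"Protocol=TCP\[(?P<flags>[^\]]+)\] Port=(?P<sport>\d+)->(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict for a recognised firewall reject line, or None otherwise."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = set(rec["flags"].split())
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_backscatter(log_text):
    """Keep rejected packets whose flags are exactly SYN+ACK.

    A SYN/ACK is the second step of a TCP handshake.  One that the firewall
    had to reject (destination does not exist, so it never sent a SYN) is
    consistent with the sender answering forged SYNs that carried our address.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["flags"] == {"SYN", "ACK"}:
            hits.append(rec)
    return hits


def summarize(hits):
    """Count suspected flood victims by (source IP, source port), e.g. 6667 for IRC."""
    return Counter((h["src_ip"], h["sport"]) for h in hits)


if __name__ == "__main__":
    for (ip, port), n in summarize(find_backscatter(SAMPLE_LOG)).most_common():
        print(f"{ip}:{port}  {n} unsolicited SYN/ACK (possible spoofed-SYN flood victim)")
```

A plain SYN (third sample line) is a real probe of our address space, not backscatter, and is left out of the count on purpose.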
