Re: Sudden increase in scans.

[Joe McAlerney <joey () SILICONDEFENSE COM>]

I wonder if it's because the scanner is attempting to ping your network
before the actual scan is started.  If you stop ICMP at the router, nmap
scans _shouldn't_ occur unless -P0 (disable ping) or -PT (TCP ping) is
used.  There's more information in the nmap man page.

-Joe M.

Jason Lewis wrote:
> I don't know why this made me think of it but.....
>
> I haven't had ANY scans, since I disabled pinging internal machines from
> my router.  ZERO!  I used to get loads of scans ALL the time.  They have
> stopped completely.  To test my theory, I am going to re-enable ping to
> public server and see what happens.
>
> What does everyone think of disabling ICMP at the router?
>
> Jas
> http://www.jasonlewis.net
>
> -----Original Message-----
> From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
> Behalf Of Rune Kristian Viken
> Sent: Thursday, July 20, 2000 5:08 AM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: Sudden increase in scans.
>
> There has suddenly been an enourmous increase of scans aimed at my
> network.  It
> started 14 / 07 has been increasing ever since.
>
> It started out with a single 'socks' scan the 14'th.  Then socks(again)
> and
> sunrpc the 15th, ftp and dns the 16th.. then it exploded
>
> The 17th, we had the following scans:
>
> 2. scans of port 1243 with 11 mins in between
> 1. scan of port 20034
> 30(!). scans of port 5500 , starting out at 17:30 (local time) and
> proceding
> with intervals from 5 mins to 30 minutes throuhgout the day
>
> 18th:
>
> 47. scans of port 5500 from 00:00 to 11:12 (!!)
> 1. scan of 400
>
> 19:
> 3. scans of port 5500, not at a specific time
> 2. scans of port 2835 (within 10 seconds)
>
> --
> "Rune Kristian Viken" <rune () trans4media com>
> <http://arcade.kvinesdal.com>
> System, Network & Security Administrator.  Phone: (+47) 92 85 34 38