Security Incidents mailing list archives

tcp ping scan to broadcast addresses


From: r.fulton () AUCKLAND AC NZ (Russell Fulton)
Date: Mon, 12 Jun 2000 11:03:36 +1200


Greetings All,
             Came across something different during the weekend.  What
appears to be a standard nmap tcp scan (dst port 80, packets have ACK
flag set) but directed to the /24 broadcast addresses (0 and 255) in
our /16 net.

Here are the argus logs.  E indicates that this packet belongs to an
established session, i.e. it had ACK set.  (130.216.0.0/16 is our net).
First two counts are to and from packets; next two counts are bytes.

11 Jun 00 23:21:29      tcp 142.176.129.229.38325  ?>   130.216.2.255.80    1      0       0         0        E
11 Jun 00 23:21:29      tcp 142.176.129.229.38325  ?>   130.216.3.255.80    1      0       0         0        E
11 Jun 00 23:21:29      tcp 142.176.129.229.38325  ?>   130.216.4.255.80    1      0       0         0        E
11 Jun 00 23:21:29      tcp 142.176.129.229.38325  ?>   130.216.6.255.80    1      0       0         0        E
11 Jun 00 23:21:29      tcp 142.176.129.229.38325  ?>   130.216.7.255.80    1      0       0         0        E
11 Jun 00 23:21:29      tcp 142.176.129.229.38325  ?>   130.216.8.255.80    1      0       0         0        E
11 Jun 00 23:21:29      tcp 142.176.129.229.38325  ?>   130.216.9.255.80    1      0       0         0        E
11 Jun 00 23:21:29      tcp 142.176.129.229.38325  ?>  130.216.11.255.80    1      0       0         0        E
11 Jun 00 23:21:29      tcp 142.176.129.229.38325  ?>  130.216.12.255.80    1      0       0         0        E
11 Jun 00 23:21:29      tcp 142.176.129.229.38325  ?>  130.216.13.255.80    1      0       0         0        E
11 Jun 00 23:21:29      tcp 142.176.129.229.38325  ?>  130.216.14.255.80    1      0       0         0        E
11 Jun 00 23:21:29      tcp 142.176.129.229.38325  ?>  130.216.15.255.80    1      0       0         0        E
11 Jun 00 23:21:29      tcp 142.176.129.229.38325 <|   130.216.16.255.80    1      10      0         0        ER

Hmmmm.... 10 resets sent from subnet 16

11 Jun 00 23:21:29      tcp 142.176.129.229.38325 <|   130.216.17.255.80    1      2       0         0        ER
11 Jun 00 23:21:29      tcp 255.255.255.255.80     ?> 142.176.129.229.38325 626    0       0         0        FR

Ouch! 625 RST packets from 255.255.255.255 -- will be blocked at our gateway.

11 Jun 00 23:21:29      tcp 142.176.129.229.38325  ?>  130.216.20.255.80    1      0       0         0        E
11 Jun 00 23:21:29      tcp 142.176.129.229.38325  ?>  130.216.21.255.80    1      0       0         0        E
11 Jun 00 23:21:29      tcp  130.216.55.122.80     ?> 142.176.129.229.38325 22     0       0         0        FR
11 Jun 00 23:21:29      tcp  130.216.22.146.80     ?> 142.176.129.229.38325 21     0       0         0        FR
11 Jun 00 23:21:29      tcp   130.216.12.91.80     ?> 142.176.129.229.38325 17     0       0         0        FR

Now we are getting individual machines responding with lots of RSTs.

Some machines responded with ICMP timeouts and routers with various
Unreachable messages.

The scan went right through all /24s and then 20 minutes later started
over again on address 0.  We block icmp and udp to broadcast addresses;
looks like we should also do so for tcp.

This looks like another potential traffic amplifier although not as
effective as ICMP ECHO or udp 137.

Cheers, Russell.

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand.
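As an added example (not part of Russell's post or of argus itself), the Python below parses records in the argus layout quoted above, flags TCP flows aimed at the .0 and .255 addresses of the /24s inside a /16, and tallies probe packets against the RST packets that came back, which is the amplification effect the post describes. The sample records are constructed in the same format; the final 130.216.5.17 flow is a made-up ordinary web flow included to show that it is not flagged.

```python
import ipaddress
from collections import namedtuple

# Constructed sample records in the argus layout quoted in the post (not the real log).
# Columns: date time proto src.port dir dst.port pkts_to pkts_from bytes_to bytes_from flags
SAMPLE_LOG = """\
11 Jun 00 23:21:29      tcp 142.176.129.229.38325  ?>   130.216.2.255.80    1      0       0         0        E
11 Jun 00 23:21:29      tcp 142.176.129.229.38325  ?>   130.216.3.255.80    1      0       0         0        E
11 Jun 00 23:21:29      tcp 142.176.129.229.38325 <|   130.216.16.255.80    1      10      0         0        ER
11 Jun 00 23:21:29      tcp 255.255.255.255.80     ?> 142.176.129.229.38325 626    0       0         0        FR
11 Jun 00 23:21:29      tcp  130.216.55.122.80     ?> 142.176.129.229.38325 22     0       0         0        FR
11 Jun 00 23:21:29      tcp 142.176.129.229.38325  ?>   130.216.5.17.80     3      2       0         0        E
"""
Flow = namedtuple("Flow", "proto src sport dir dst dport pkts_to pkts_from flags")

def parse_argus_line(line):
    """Parse one argus record; returns None for lines that do not fit the 13-column layout."""
    f = line.split()
    if len(f) != 13:
        return None
    src, sport = f[5].rsplit(".", 1)
    dst, dport = f[7].rsplit(".", 1)
    return Flow(f[4], src, int(sport), f[6], dst, int(dport), int(f[8]), int(f[9]), f[12])

def is_directed_broadcast(ip, our_net):
    """True for the .0 (network) and .255 (broadcast) addresses of any /24 inside our_net."""
    a = ipaddress.ip_address(ip)
    return a in our_net and a.packed[3] in (0, 255)

def find_broadcast_probes(log_text, our_net):
    """TCP flows aimed at /24 network or broadcast addresses, the pattern seen in the post."""
    flows = (parse_argus_line(l) for l in log_text.splitlines())
    return [fl for fl in flows if fl and fl.proto == "tcp" and is_directed_broadcast(fl.dst, our_net)]

def amplification(log_text, scanner, our_net):
    """Count probe packets the scanner sent to broadcast addresses vs. RST packets sent back."""
    probes = replies = 0
    for fl in map(parse_argus_line, log_text.splitlines()):
        if not fl or fl.proto != "tcp":
            continue
        if fl.src == scanner and is_directed_broadcast(fl.dst, our_net):
            probes += fl.pkts_to
            replies += fl.pkts_from          # RSTs argus folded into the probe's own record (ER)
        elif fl.dst == scanner and "R" in fl.flags:
            replies += fl.pkts_to            # RST streams argus logged as separate flows (FR)
    return probes, replies

if __name__ == "__main__":
    net = ipaddress.ip_network("130.216.0.0/16")
    p, r = amplification(SAMPLE_LOG, "142.176.129.229", net)
    print(f"{len(find_broadcast_probes(SAMPLE_LOG, net))} broadcast probes; {p} probe packets drew {r} RSTs")
```

On the constructed sample this reports 3 broadcast probes and 3 probe packets answered by 658 RSTs; a reply count far above the probe count is the signal that directed-broadcast TCP is being answered and should be filtered at the gateway alongside icmp and udp.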

