Security Incidents mailing list archives
Re: Odd UPD scan
From: billp () ROCKETCASH COM (Bill Pennington)
Date: Thu, 16 Mar 2000 22:14:57 -0800
I have seen the same around the networks I watch lately. Since it didn't seem like a scan I had seen before (most scans for NetBIOS have a high source port) I have just been ignoring them. I had also noticed that they come in bunches then disappear, so I chalked it up to something misconfigured somewhere. I would be interested if anyone has other ideas about this.

David Meissner wrote:
For several weeks now I've noticed scans of UDP port 137, but the odd thing is that the source address is spoofed as a private IP address. I don't understand how this can be a probe, since they'll never see the replies. It also doesn't seem like a DoS attack, since it's a somewhat slow scan and it doesn't go on for too long.

Sample log:

    00:06:26.478367 192.168.0.1.137 > aaa.bbb.ccc.eee.137: udp 50
    00:06:27.951993 192.168.0.1.137 > aaa.bbb.ccc.eee.137: udp 50
    00:06:29.460189 192.168.0.1.137 > aaa.bbb.ccc.eee.137: udp 50
    00:06:32.475204 192.168.0.1.137 > aaa.bbb.ccc.fff.137: udp 50
    00:06:32.475338 aaa.bbb.ccc.fff > 192.168.0.1: icmp: aaa.bbb.ccc.fff udp port 137 unreachable
    00:06:33.979872 192.168.0.1.137 > aaa.bbb.ccc.fff.137: udp 50
    00:06:33.980001 aaa.bbb.ccc.fff > 192.168.0.1: icmp: aaa.bbb.ccc.fff udp port 137 unreachable
    00:06:35.480653 192.168.0.1.137 > aaa.bbb.ccc.fff.137: udp 50
    00:06:35.480773 aaa.bbb.ccc.fff > 192.168.0.1: icmp: aaa.bbb.ccc.fff udp port 137 unreachable
    00:06:38.491738 192.168.0.1.137 > aaa.bbb.ccc.ggg.137: udp 50
    00:06:38.491874 aaa.bbb.ccc.ggg > 192.168.0.1: icmp: aaa.bbb.ccc.ggg udp port 137 unreachable
    00:06:39.986622 192.168.0.1.137 > aaa.bbb.ccc.ggg.137: udp 50
    00:06:39.986745 aaa.bbb.ccc.ggg > 192.168.0.1: icmp: aaa.bbb.ccc.ggg udp port 137 unreachable
    00:06:41.497638 192.168.0.1.137 > aaa.bbb.ccc.ggg.137: udp 50
    00:06:41.497771 aaa.bbb.ccc.ggg > 192.168.0.1: icmp: aaa.bbb.ccc.ggg udp port 137 unreachable

This activity goes on for about 40 minutes total to a number of other addresses, then a similar sequence repeats about 10 minutes later but only lasts a couple of minutes. About two hours later they repeat this again for a couple more minutes. I've seen the same activity from source addresses like 10.2.2.1. Maybe they're trying to guess our internal network numbers, but what would be the point?

Can anyone suggest what might be going on?

Thanks,
David Meissner
Punch Networks
-- Bill Pennington Senior IT Manager Rocketcash billp () rocketcash com http://www.rocketcash.com
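The traffic in the thread has two properties worth checking mechanically rather than by eye: the source address is from an RFC 1918 range, which can never be answered across the Internet, so on an external interface it is either forged or leaking through a misconfigured NAT (the case for RFC 2827 / BCP 38 ingress filtering at the border), and the probes arrive in bursts with quiet gaps between them. The script below is an added example, not code from either poster: it parses tcpdump lines of the exact shape quoted above, keeps only UDP/137 packets with a private source, and groups them into per-source bursts. The sample lines are constructed for the example (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges standing in for the anonymised aaa.bbb.ccc.x block); the 5-minute burst gap and the assumption that all timestamps fall on the same day are choices of this example, not anything stated in the thread.

```python
"""Flag UDP/137 probes with private (RFC 1918) source addresses in tcpdump output
and group them into bursts. Added example; not part of the original thread."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample in the same shape as the log quoted in the thread.
# 192.0.2.x plays the role of the site's public addresses; 198.51.100.7 is a
# non-private source included to show it is NOT flagged.
SAMPLE_LOG = """\
00:06:26.478367 192.168.0.1.137 > 192.0.2.10.137: udp 50
00:06:27.951993 192.168.0.1.137 > 192.0.2.10.137: udp 50
00:06:29.460189 192.168.0.1.137 > 192.0.2.10.137: udp 50
00:06:32.475204 192.168.0.1.137 > 192.0.2.11.137: udp 50
00:06:32.475338 192.0.2.11 > 192.168.0.1: icmp: 192.0.2.11 udp port 137 unreachable
00:06:33.979872 192.168.0.1.137 > 192.0.2.11.137: udp 50
00:06:35.480653 192.168.0.1.137 > 192.0.2.11.137: udp 50
00:46:01.000000 10.2.2.1.137 > 192.0.2.12.137: udp 50
00:46:02.500000 10.2.2.1.137 > 192.0.2.12.137: udp 50
00:47:10.000000 198.51.100.7.1034 > 192.0.2.12.137: udp 50
"""

# Matches tcpdump's "HH:MM:SS.usec src.sport > dst.dport: udp len" line; ICMP
# replies and other protocols deliberately fail to match and are skipped.
UDP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): udp (?P<len>\d+)$"
)

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True for RFC 1918 addresses, which cannot legitimately source Internet traffic."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def parse_udp(line: str):
    """Return a dict for a UDP tcpdump line, or None for anything else."""
    m = UDP_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # Assumption: all lines are from the same day (tcpdump prints time only).
    return {"ts": datetime.strptime(d["ts"], "%H:%M:%S.%f"),
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "len": int(d["len"])}


def find_spoofed_netbios_probes(log_text: str):
    """UDP packets to port 137 whose source address is private: forged or leaked."""
    hits = []
    for line in log_text.splitlines():
        pkt = parse_udp(line)
        if pkt is not None and pkt["dport"] == 137 and is_private(pkt["src"]):
            hits.append(pkt)
    return hits


def group_bursts(packets, gap=timedelta(minutes=5)):
    """Group packets per source into bursts separated by more than `gap`.
    Each burst records its span, packet count, targets and whether every
    packet used source port 137 (as in the quoted log) rather than a high port."""
    bursts = []
    for pkt in sorted(packets, key=lambda p: (p["src"], p["ts"])):
        cur = bursts[-1] if bursts else None
        if cur and cur["src"] == pkt["src"] and pkt["ts"] - cur["end"] <= gap:
            cur["end"] = pkt["ts"]
            cur["count"] += 1
            cur["targets"].add(pkt["dst"])
            cur["sport_137"] = cur["sport_137"] and pkt["sport"] == 137
        else:
            bursts.append({"src": pkt["src"], "start": pkt["ts"], "end": pkt["ts"],
                           "count": 1, "targets": {pkt["dst"]},
                           "sport_137": pkt["sport"] == 137})
    return bursts


def report(log_text: str):
    """One summary line per burst, suitable for a quick look or a ticket."""
    lines = []
    for b in group_bursts(find_spoofed_netbios_probes(log_text)):
        lines.append("%s: %d pkts %s-%s to %d target(s), sport==137: %s" % (
            b["src"], b["count"], b["start"].strftime("%H:%M:%S"),
            b["end"].strftime("%H:%M:%S"), len(b["targets"]), b["sport_137"]))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against a real capture with `tcpdump -n -tt udp port 137` output; the `-n` matters because the parser expects numeric addresses. A border filter that drops inbound packets with RFC 1918 sources would make every hit disappear, which is the cheaper fix if the bursts turn out to be nothing more than a leaking NAT.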
Current thread:
- Odd UPD scan David Meissner (Mar 15)
- Re: Odd UPD scan Bill Pennington (Mar 16)
- Re: Odd UPD scan Graeme Fowler (Mar 20)
- Re: Odd UPD scan Grzegorz Janoszka (Mar 17)
- <Possible follow-ups>
- Re: Odd UPD scan Randy Mclean (Mar 17)
- Re: Odd UPD scan Rainer Weikusat (Mar 17)
- Re: Odd UPD scan Bill Pennington (Mar 20)
- Re: Odd UPD scan Pavel Kankovsky (Mar 21)
- NetBIOS info Robert Graham (Mar 21)
- Re: NetBIOS info Bill Pennington (Mar 22)
- Strange probe Stuart Staniford-Chen (Mar 24)
- Re: NetBIOS info Robert Graham (Mar 27)
- Re: Odd UPD scan Bill Pennington (Mar 16)