Security Incidents mailing list archives

Automated, Distributed Port Scan


From: ellidz () ERIDU UCHICAGO EDU (E. Larry Lidz)
Date: Mon, 8 May 2000 14:30:21 -0500


We seem to have been the victims of what appears to be an automated
distributed port scan. Over the weekend we were scanned for Netbus by
30 (or so) different machines. We have confirmed that there was two-way
TCP traffic to at least one host on our network, so we do not believe
that the source was spoofed.

Each scan scanned a different set of machines on our network. From a
quick look, there appears to have been little to no overlap (that is,
machinea was not scanned from any two different sources).

Looking at the times and the source of the scans, most of the scans
lasted almost exactly 20 minutes -- this makes me think that it is
likely automated. Sometimes there were pauses between the scans,
sometimes there weren't.

The scans came from a variety of sites, but generally standard targets
-- ISPs, Brazil, Korea, Austria, etc.

-Larry

---
E. Larry Lidz                                        Phone: (773)702-2208
Network Security Officer                             Fax:   (773)702-0559
Network Security Center, The University of Chicago
PGP: finger ellidz () uchicago edu or network-security () uchicago edu
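
The checks described in the message above (little to no target overlap between sources, near-identical scan durations), written as an added example that is not part of the original post. The record layout, the sample addresses, and the thresholds are assumptions; 12345 is the NetBus default TCP port.

```python
from collections import defaultdict
from itertools import combinations

NETBUS_PORT = 12345  # NetBus default TCP port; change to the port being probed

def build_sample():
    """Constructed records (epoch_seconds, src, dst, dport); not real traffic."""
    recs = []
    sources = ["192.0.2.10", "198.51.100.7", "203.0.113.99"]
    for i, src in enumerate(sources):
        start = i * 1500                 # scans start 25 minutes apart
        for h in range(40):              # each source sweeps its own 40-host slice
            recs.append((start + h * 30, src, f"10.0.{i}.{h + 1}", NETBUS_PORT))
    recs.append((100, "192.0.2.10", "10.0.0.1", 80))  # unrelated traffic, ignored
    return recs

def per_source(records, port=NETBUS_PORT):
    """Group probes to `port` by source: target set plus first/last timestamp."""
    stats = defaultdict(lambda: {"targets": set(), "first": None, "last": None})
    for ts, src, dst, dport in records:
        if dport != port:
            continue
        s = stats[src]
        s["targets"].add(dst)
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return dict(stats)

def shared_targets(stats):
    """Targets probed by two or more sources (empty set = partitioned sweep)."""
    shared = set()
    for a, b in combinations(stats.values(), 2):
        shared |= a["targets"] & b["targets"]
    return shared

def durations_minutes(stats):
    return {src: (s["last"] - s["first"]) / 60 for src, s in stats.items()}

def looks_coordinated(stats, min_sources=3, spread_min=2.0):
    """Heuristic (assumed thresholds): several sources, no shared targets,
    and scan durations within `spread_min` minutes of each other."""
    d = list(durations_minutes(stats).values())
    return (len(stats) >= min_sources and not shared_targets(stats)
            and max(d) - min(d) <= spread_min)

if __name__ == "__main__":
    st = per_source(build_sample())
    for src, mins in durations_minutes(st).items():
        print(f"{src}: {len(st[src]['targets'])} targets over {mins:.1f} min")
    print("shared targets:", shared_targets(st) or "none")
    print("coordinated:", looks_coordinated(st))
```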


