Security Incidents mailing list archives

FW: New scanning ? activity


From: "Benninghoff, John" <JaBenninghoff () DAINRAUSCHER COM>
Date: Mon, 20 Nov 2000 16:46:19 -0600

I have been seeing a new "scan" pattern that may or may not be a proximity
check (?). Most of the scans originate from large ISPs, including both
DSL/Cable and dialup connections. However, I've also seen scans coming from
nameservers and others.

Listed below are the tcpdump logs (x.x.x.x is our nameserver):

All of the patterns I've seen so far send UDP packets to port 37582 as well
as a TCP port, and do a ping...

Here is the first pattern, which sends packets to tcp port 22788 as well:

15:36:06.118865 209.219.169.240.13570 > x.x.x.x.37852: udp 10
15:36:06.119573 209.219.169.240 > x.x.x.x: icmp: echo request
15:36:06.124666 209.219.169.240.80 > x.x.x.x.22788: . ack 0 win 1024
15:36:06.129228 209.219.169.240.13568 > x.x.x.x.22788: S 1832538823:1832538823(0) win 1024
15:36:11.161355 209.219.169.240.13568 > x.x.x.x.22788: R 1832538824:1832538824(0) win 1024
15:36:11.168392 209.219.169.240.13570 > x.x.x.x.37852: udp 10
15:36:11.175462 209.219.169.240 > x.x.x.x: icmp: echo request
15:36:11.175467 209.219.169.240.80 > x.x.x.x.22788: . ack 1 win 1024
15:36:11.176623 209.219.169.240.13568 > x.x.x.x.22788: S 1833788823:1833788823(0) win 1024
15:36:16.118508 209.219.169.240.13568 > x.x.x.x.22788: R 1833788824:1833788824(0) win 1024
15:36:16.137606 209.219.169.240.13568 > x.x.x.x.22788: R 1833788824:1833788824(0) win 1024

Here's the other pattern I've seen, which sends packets to tcp port 53
instead of tcp port 22788:

16:20:17.916894 211.10.18.93.32774 > x.x.x.x.37852: udp 10
16:20:17.918696 211.10.18.93 > x.x.x.x: icmp: echo request
16:20:17.919024 211.10.18.93.80 > x.x.x.x.53: . ack 0 win 1024
16:20:17.922632 211.10.18.93.32772 > x.x.x.x.53: S 3762295791:3762295791(0) win 1024
16:20:22.918337 211.10.18.93.32772 > x.x.x.x.53: R 3762295792:3762295792(0) win 1024
16:20:22.918341 211.10.18.93.32774 > x.x.x.x.37852: udp 10
16:20:22.918346 211.10.18.93 > x.x.x.x: icmp: echo request
16:20:22.925873 211.10.18.93.80 > x.x.x.x.53: . ack 1 win 1024
16:20:22.925877 211.10.18.93.32772 > x.x.x.x.53: S 3763545791:3763545791(0) win 1024
16:20:27.922122 211.10.18.93.32772 > x.x.x.x.53: R 3763545792:3763545792(0) win 1024
16:20:27.922383 211.10.18.93.32772 > x.x.x.x.53: R 3763545792:3763545792(0) win 1024

What's interesting about this one is that it seems to have been triggered by a
DNS lookup; note that 216.104.228.102 resolves to:
non-invasive-proximity-checking-device.safeweb.com

08:54:26.963812 x.x.x.x.1113 > 216.104.228.102.53: 39151 (33)
08:54:27.070121 216.104.228.102.53 > x.x.x.x.1113: 39151*- 2/0/0 (65)
08:54:27.070127 216.104.228.102.13570 > x.x.x.x.37852: udp 10
08:54:27.070133 216.104.228.102 > x.x.x.x: icmp: echo request
08:54:27.070175 216.104.228.102.80 > x.x.x.x.22788: . ack 1 win 1024
08:54:27.070182 216.104.228.102.13568 > x.x.x.x.22788: S 459337499:459337499(0) win 1024
08:54:32.073115 216.104.228.102.13568 > x.x.x.x.22788: R 459337500:459337500(0) win 1024
08:54:32.074698 216.104.228.102.13570 > x.x.x.x.37852: udp 10
08:54:32.074702 216.104.228.102 > x.x.x.x: icmp: echo request
08:54:32.074706 216.104.228.102.80 > x.x.x.x.22788: . ack 1 win 1024
08:54:32.075691 216.104.228.102.13568 > x.x.x.x.22788: S 460587499:460587499(0) win 1024
08:54:37.088176 216.104.228.102.13568 > x.x.x.x.22788: R 460587500:460587500(0) win 1024

It's hard to say exactly what this is, but the source of the last example
suggests that it is a proximity checking device designed to pass through
firewalls. Does anyone know what this is?

------------------------------------------
John A Benninghoff
Network Security Analyst, Dain Rauscher IS
mailto:jabenninghoff () dainrauscher com
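The pattern described in the post (a UDP datagram to port 37852, an ICMP echo request, a bare ACK from source port 80 and a SYN, the latter two aimed at the same TCP port, all from one source within milliseconds and repeated about every five seconds) is regular enough to pick out of tcpdump output automatically. The following detector is an added example written for this archive page; it is not code from the poster or from the device's operator. It assumes `tcpdump -n` style output (dotted-quad hosts with a trailing port component, which also fits the poster's masked `x.x.x.x`), rejoins lines that a mail client wrapped, and uses a two-second correlation window that is an assumption chosen from the timestamps in the post. The sample log is constructed from the three captures above.

```python
import re
from collections import defaultdict

# Constructed sample: tcpdump lines copied from the post (x.x.x.x is the
# poster's masked nameserver).  The mail client wrapped long records, so the
# parser rejoins any line that does not begin with a timestamp.
SAMPLE_LOG = """\
15:36:06.118865 209.219.169.240.13570 > x.x.x.x.37852: udp 10
15:36:06.119573 209.219.169.240 > x.x.x.x: icmp: echo request
15:36:06.124666 209.219.169.240.80 > x.x.x.x.22788: . ack 0 win 1024
15:36:06.129228 209.219.169.240.13568 > x.x.x.x.22788: S
1832538823:1832538823(0) win 1024
15:36:11.161355 209.219.169.240.13568 > x.x.x.x.22788: R
1832538824:1832538824(0) win 1024
15:36:11.168392 209.219.169.240.13570 > x.x.x.x.37852: udp 10
15:36:11.175462 209.219.169.240 > x.x.x.x: icmp: echo request
15:36:11.175467 209.219.169.240.80 > x.x.x.x.22788: . ack 1 win 1024
15:36:11.176623 209.219.169.240.13568 > x.x.x.x.22788: S
1833788823:1833788823(0) win 1024
16:20:17.916894 211.10.18.93.32774 > x.x.x.x.37852: udp 10
16:20:17.918696 211.10.18.93 > x.x.x.x: icmp: echo request
16:20:17.919024 211.10.18.93.80 > x.x.x.x.53: . ack 0 win 1024
16:20:17.922632 211.10.18.93.32772 > x.x.x.x.53: S 3762295791:3762295791(0)
win 1024
08:54:26.963812 x.x.x.x.1113 > 216.104.228.102.53: 39151 (33)
08:54:27.070121 216.104.228.102.53 > x.x.x.x.1113: 39151*- 2/0/0 (65)
08:54:27.070127 216.104.228.102.13570 > x.x.x.x.37852: udp 10
08:54:27.070133 216.104.228.102 > x.x.x.x: icmp: echo request
08:54:27.070175 216.104.228.102.80 > x.x.x.x.22788: . ack 1 win 1024
08:54:27.070182 216.104.228.102.13568 > x.x.x.x.22788: S
459337499:459337499(0) win 1024
"""

PROBE_UDP_PORT = 37852   # the UDP port every capture in the post hits
WINDOW_SECONDS = 2.0     # assumed correlation window; one cycle spans milliseconds

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")


def _seconds(ts):
    """'15:36:06.118865' -> seconds since midnight as a float."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def _endpoint(token):
    """Split 'host.port' as tcpdump -n prints it: five dot-separated parts are
    host.port, four parts are a bare host (ICMP records carry no port)."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def _kind(rest):
    """Classify the text after 'dst:' into the probe types the post describes."""
    if rest.startswith("udp"):
        return "udp"
    if rest.startswith("icmp: echo request"):
        return "icmp-echo"
    if rest.startswith(". ack"):
        return "tcp-ack"
    if rest == "S" or rest.startswith("S "):
        return "tcp-syn"
    if rest == "R" or rest.startswith("R "):
        return "tcp-rst"
    return "other"


def parse_tcpdump(text):
    """Rejoin wrapped lines, then turn each record into a dict of fields."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line          # continuation of the previous record
    events = []
    for rec in records:
        ts, rest = rec.split(" ", 1)
        if " > " not in rest or ": " not in rest:
            continue                           # not a src > dst: ... record
        src_tok, rest = rest.split(" > ", 1)
        dst_tok, rest = rest.split(": ", 1)
        src, sport = _endpoint(src_tok)
        dst, dport = _endpoint(dst_tok)
        events.append({"t": _seconds(ts), "src": src, "sport": sport,
                       "dst": dst, "dport": dport, "kind": _kind(rest)})
    return events


def detect_proximity_probe(text, window=WINDOW_SECONDS):
    """Flag each source that, within `window` seconds of a UDP datagram to
    PROBE_UDP_PORT, also sends an ICMP echo request, a bare ACK from source
    port 80 and a SYN to the same TCP port as that ACK.  Returns {src: summary}."""
    by_src = defaultdict(list)
    for ev in parse_tcpdump(text):
        by_src[ev["src"]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["t"])
        cycles = []
        for anchor in evs:
            if anchor["kind"] != "udp" or anchor["dport"] != PROBE_UDP_PORT:
                continue
            near = [e for e in evs if 0 <= e["t"] - anchor["t"] <= window]
            echo = any(e["kind"] == "icmp-echo" for e in near)
            ack_ports = {e["dport"] for e in near
                         if e["kind"] == "tcp-ack" and e["sport"] == 80}
            syn_ports = {e["dport"] for e in near if e["kind"] == "tcp-syn"}
            hit = ack_ports & syn_ports
            if echo and hit:
                cycles.append((anchor["t"], hit))   # one probe cycle from this source
        if cycles:
            ports = sorted(set().union(*(p for _, p in cycles)))
            findings[src] = {"tcp_ports": ports, "cycles": len(cycles),
                             "first_seen": cycles[0][0]}
    return findings


if __name__ == "__main__":
    for src, info in detect_proximity_probe(SAMPLE_LOG).items():
        print(src, info)
```

Grouping by source and anchoring on the UDP datagram means the repeated five-second cycles show up as a cycle count rather than as separate alerts, and the nameserver's own DNS traffic in the third capture is ignored because it never matches the four-probe shape.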

