Security Incidents mailing list archives
FW: New scanning ? activity
From: "Benninghoff, John" <JaBenninghoff () DAINRAUSCHER COM>
Date: Mon, 20 Nov 2000 16:46:19 -0600
I have been seeing a new "scan" pattern, that may or may not be a proximity check (?). Most of the scans originate from large ISPs, including both DSL/Cable and dialup connections. However, I've also seen scans coming from nameservers & others. Listed below are the tcpdump logs (x.x.x.x is our nameserver):

All of the patterns I've seen so far send UDP packets to port 37582 as well as a TCP port, and do a ping... Here is the first pattern, which sends packets to tcp port 22788 as well:

15:36:06.118865 209.219.169.240.13570 > x.x.x.x.37852: udp 10
15:36:06.119573 209.219.169.240 > x.x.x.x: icmp: echo request
15:36:06.124666 209.219.169.240.80 > x.x.x.x.22788: . ack 0 win 1024
15:36:06.129228 209.219.169.240.13568 > x.x.x.x.22788: S 1832538823:1832538823(0) win 1024
15:36:11.161355 209.219.169.240.13568 > x.x.x.x.22788: R 1832538824:1832538824(0) win 1024
15:36:11.168392 209.219.169.240.13570 > x.x.x.x.37852: udp 10
15:36:11.175462 209.219.169.240 > x.x.x.x: icmp: echo request
15:36:11.175467 209.219.169.240.80 > x.x.x.x.22788: . ack 1 win 1024
15:36:11.176623 209.219.169.240.13568 > x.x.x.x.22788: S 1833788823:1833788823(0) win 1024
15:36:16.118508 209.219.169.240.13568 > x.x.x.x.22788: R 1833788824:1833788824(0) win 1024
15:36:16.137606 209.219.169.240.13568 > x.x.x.x.22788: R 1833788824:1833788824(0) win 1024

Here's the other pattern I've seen, which sends packets to tcp port 53 instead of tcp port 22788:

16:20:17.916894 211.10.18.93.32774 > x.x.x.x.37852: udp 10
16:20:17.918696 211.10.18.93 > x.x.x.x: icmp: echo request
16:20:17.919024 211.10.18.93.80 > x.x.x.x.53: . ack 0 win 1024
16:20:17.922632 211.10.18.93.32772 > x.x.x.x.53: S 3762295791:3762295791(0) win 1024
16:20:22.918337 211.10.18.93.32772 > x.x.x.x.53: R 3762295792:3762295792(0) win 1024
16:20:22.918341 211.10.18.93.32774 > x.x.x.x.37852: udp 10
16:20:22.918346 211.10.18.93 > x.x.x.x: icmp: echo request
16:20:22.925873 211.10.18.93.80 > x.x.x.x.53: . ack 1 win 1024
16:20:22.925877 211.10.18.93.32772 > x.x.x.x.53: S 3763545791:3763545791(0) win 1024
16:20:27.922122 211.10.18.93.32772 > x.x.x.x.53: R 3763545792:3763545792(0) win 1024
16:20:27.922383 211.10.18.93.32772 > x.x.x.x.53: R 3763545792:3763545792(0) win 1024

What's interesting about this one is it seems to have been triggered by a DNS lookup: note that 216.104.228.102 resolves to: non-invasive-proximity-checking-device.safeweb.com

08:54:26.963812 x.x.x.x.1113 > 216.104.228.102.53: 39151 (33)
08:54:27.070121 216.104.228.102.53 > x.x.x.x.1113: 39151*- 2/0/0 (65)
08:54:27.070127 216.104.228.102.13570 > x.x.x.x.37852: udp 10
08:54:27.070133 216.104.228.102 > x.x.x.x: icmp: echo request
08:54:27.070175 216.104.228.102.80 > x.x.x.x.22788: . ack 1 win 1024
08:54:27.070182 216.104.228.102.13568 > x.x.x.x.22788: S 459337499:459337499(0) win 1024
08:54:32.073115 216.104.228.102.13568 > x.x.x.x.22788: R 459337500:459337500(0) win 1024
08:54:32.074698 216.104.228.102.13570 > x.x.x.x.37852: udp 10
08:54:32.074702 216.104.228.102 > x.x.x.x: icmp: echo request
08:54:32.074706 216.104.228.102.80 > x.x.x.x.22788: . ack 1 win 1024
08:54:32.075691 216.104.228.102.13568 > x.x.x.x.22788: S 460587499:460587499(0) win 1024
08:54:37.088176 216.104.228.102.13568 > x.x.x.x.22788: R 460587500:460587500(0) win 1024

It's hard to say exactly what this is, but the source of the last example suggests that it is a proximity checking device designed to pass through firewalls. Does anyone know what this is??

------------------------------------------
John A Benninghoff
Network Security Analyst, Dain Rauscher IS
mailto:jabenninghoff () dainrauscher com
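Added example (editor's code, not part of the original post): a small Python detector that parses tcpdump text lines like the ones above and flags the burst signature the captures show, i.e. a 10-byte UDP datagram to port 37852, an ICMP echo request, an ack-only TCP probe from source port 80 with win 1024, and a SYN with win 1024 to the same TCP port, all from one source within about a second. The sample log is copied from the post's three captures (the DNS query and reply from the third capture serve as non-matching traffic); the one-second window and the 10-byte check are assumptions taken from those captures, not from any documented specification of the probe.

```python
"""Flag the UDP-37852 / ICMP echo / TCP ack+SYN (win 1024) probe burst in tcpdump text output."""
import re
from collections import defaultdict

PROBE_UDP_PORT = 37852   # UDP port seen in every burst in the post's captures
PROBE_UDP_LEN = 10       # payload length seen in every burst (assumed constant)
BURST_WINDOW = 1.0       # seconds; the four packets arrive within milliseconds (assumption)

LINE_RE = re.compile(r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\s+>\s+(?P<dst>[^:\s]+):\s*(?P<rest>.*)$')
TCP_RE = re.compile(r'^(?P<flags>[SRPF.]+)\s+(?:\d+:\d+\(\d+\)\s+)?(?:ack\s+\d+\s+)?win\s+(?P<win>\d+)')
HOSTPORT_RE = re.compile(r'^(?P<host>.+)\.(?P<port>\d+)$')


def _seconds(ts):
    h, m, s = ts.split(':')
    return int(h) * 3600 + int(m) * 60 + float(s)


def _split(endpoint, has_port):
    # tcpdump appends ".port" to the host for TCP/UDP; ICMP lines carry no port
    m = HOSTPORT_RE.match(endpoint) if has_port else None
    return (m.group('host'), int(m.group('port'))) if m else (endpoint, None)


def parse_line(line):
    """Parse one tcpdump text line into a dict, or None if it is not recognised."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group('rest')
    if rest.startswith('icmp'):
        proto, has_port = 'icmp', False
    elif rest.startswith('udp'):
        proto, has_port = 'udp', True
    elif TCP_RE.match(rest):
        proto, has_port = 'tcp', True
    else:
        proto, has_port = 'other', True   # e.g. DNS lines, which tcpdump prints differently
    src, sport = _split(m.group('src'), has_port)
    dst, dport = _split(m.group('dst'), has_port)
    pkt = {'t': _seconds(m.group('ts')), 'ts': m.group('ts'), 'proto': proto,
           'src': src, 'sport': sport, 'dst': dst, 'dport': dport}
    if proto == 'udp':
        pkt['len'] = int(rest.split()[1])
    elif proto == 'icmp':
        pkt['echo'] = 'echo request' in rest
    elif proto == 'tcp':
        t = TCP_RE.match(rest)
        pkt['flags'], pkt['win'] = t.group('flags'), int(t.group('win'))
    return pkt


def detect_bursts(lines):
    """Return one hit per matching burst: the UDP-37852 datagram anchors a window,
    and the echo request, the port-80 ack probe and the SYN must all fall inside it."""
    by_src = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt:
            by_src[pkt['src']].append(pkt)
    hits = []
    for src, pkts in by_src.items():
        pkts.sort(key=lambda p: p['t'])
        for anchor in pkts:
            if anchor['proto'] != 'udp' or anchor['dport'] != PROBE_UDP_PORT or anchor['len'] != PROBE_UDP_LEN:
                continue
            window = [p for p in pkts if anchor['t'] <= p['t'] <= anchor['t'] + BURST_WINDOW]
            echo = any(p['proto'] == 'icmp' and p['echo'] for p in window)
            acks = {p['dport'] for p in window
                    if p['proto'] == 'tcp' and p['flags'] == '.' and p['sport'] == 80 and p['win'] == 1024}
            syns = {p['dport'] for p in window if p['proto'] == 'tcp' and p['flags'] == 'S' and p['win'] == 1024}
            if echo:
                for port in sorted(acks & syns):
                    hits.append({'src': src, 'tcp_port': port, 'first_seen': anchor['ts']})
    return hits


def summarize(hits):
    """Collapse hits into {source: {'tcp_ports': [...], 'bursts': n}} for reporting."""
    out = {}
    for h in hits:
        entry = out.setdefault(h['src'], {'tcp_ports': set(), 'bursts': 0})
        entry['tcp_ports'].add(h['tcp_port'])
        entry['bursts'] += 1
    return {src: {'tcp_ports': sorted(e['tcp_ports']), 'bursts': e['bursts']} for src, e in out.items()}


# Sample input: lines copied from the post's captures (x.x.x.x is the poster's nameserver).
SAMPLE_LOG = """
15:36:06.118865 209.219.169.240.13570 > x.x.x.x.37852: udp 10
15:36:06.119573 209.219.169.240 > x.x.x.x: icmp: echo request
15:36:06.124666 209.219.169.240.80 > x.x.x.x.22788: . ack 0 win 1024
15:36:06.129228 209.219.169.240.13568 > x.x.x.x.22788: S 1832538823:1832538823(0) win 1024
15:36:11.161355 209.219.169.240.13568 > x.x.x.x.22788: R 1832538824:1832538824(0) win 1024
15:36:11.168392 209.219.169.240.13570 > x.x.x.x.37852: udp 10
15:36:11.175462 209.219.169.240 > x.x.x.x: icmp: echo request
15:36:11.175467 209.219.169.240.80 > x.x.x.x.22788: . ack 1 win 1024
15:36:11.176623 209.219.169.240.13568 > x.x.x.x.22788: S 1833788823:1833788823(0) win 1024
16:20:17.916894 211.10.18.93.32774 > x.x.x.x.37852: udp 10
16:20:17.918696 211.10.18.93 > x.x.x.x: icmp: echo request
16:20:17.919024 211.10.18.93.80 > x.x.x.x.53: . ack 0 win 1024
16:20:17.922632 211.10.18.93.32772 > x.x.x.x.53: S 3762295791:3762295791(0) win 1024
08:54:26.963812 x.x.x.x.1113 > 216.104.228.102.53: 39151 (33)
08:54:27.070121 216.104.228.102.53 > x.x.x.x.1113: 39151*- 2/0/0 (65)
08:54:27.070127 216.104.228.102.13570 > x.x.x.x.37852: udp 10
08:54:27.070133 216.104.228.102 > x.x.x.x: icmp: echo request
08:54:27.070175 216.104.228.102.80 > x.x.x.x.22788: . ack 1 win 1024
08:54:27.070182 216.104.228.102.13568 > x.x.x.x.22788: S 459337499:459337499(0) win 1024
"""

if __name__ == '__main__':
    for src, info in summarize(detect_bursts(SAMPLE_LOG.splitlines())).items():
        print(src, info)
```

Feeding `tcpdump -n` output through `detect_bursts` gives one hit per burst; the summary is keyed by source so the same probe from many ISP addresses shows up as separate entries, which matches how the poster saw it. The DNS query and reply in the sample parse as `other` and never anchor a window, so ordinary resolver traffic from a source does not trip the rule on its own.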