Security Incidents mailing list archives

Re: Large scans in progress...


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Thu, 14 Sep 2000 10:32:25 +1200

On Tue, 12 Sep 2000 14:34:08 -0700 UnixGeek <ed () XWING CENTIGRAM COM>
wrote:

Just an FYI:

Seems large chunks of various netblocks are being scanned from Israel,
currently, from IP 62.0.56.66 (does not appear to be a multi-host,
coordinated scan).


Hmmm... since you mention this I have detected another, probably
widespread, scan which I believe to be coordinated from the same
address block.  This scan is extremely sneaky and difficult to detect
unless you are actually looking for it.

I first noticed this activity in May and reported it to AusCERT,
Netvision.net.il and Israel Academic CERT as a distributed scan
involving many Israeli ISPs.

What I first saw was a trickle of POP and IMAP probes, 10-20 per day,
from 62.0.55.65. When I looked closer I realized that there were lots
of probes for POP and IMAP all with the same last octet in the IP
address.  What is more all these probes appeared to be sourced from
various Israeli ISPs.  These other addresses changed regularly (about
every half hour) typically we would see no more than half a dozen
probes from any individual address.  By examining the logs I deduced
that there were two processes running each changing addresses every
half hour.  I was assured by various people that there was no one place
where anyone could see all the responses for these probes and that
since most of the addresses were dial up addresses they could not be
compromised hosts being used in a distributed scan.  So I revised my
conclusion that this was a scan from 62.0.55.65 with a large amount of
decoy traffic.  I did not like this conclusion because it seemed stupid
to have the decoy traffic at such a low level that most sites would
never notice it even if they did notice the traffic from 62.0.55.65,
which was only 10-20 probes per day -- well under most detection
thresholds.

The traffic eventually stopped after a couple of weeks by which time
most of our network had been probed.

A few days ago I again picked up low level scanning from 62.0.55.65 and
again looked to see if it was accompanied by the 'decoy traffic'.  It was.

I notified netvision and The Israeli Security Information Exchange
Forum.  I got one response from Israel (I'm not sure if the person
concerned would want to be identified so I won't name them) pointing
out that all the ISPs involved in the latest incident were members of
Bezeq's 135 anonymous dial-in system. Hebrew site:
http://www.bezeqnet.co.il/

I quote the original message:

<quote>
basically, 135 is what a user dials, brings up their browser and
gets connected to a selection menu of dozens of ISPs.  Once the user
selects the ISP of choice, the system establishes a PPP connection and
an IP address is assigned from the NAT pool of the ISP.  The user can
hide behind this anonymous system and only a court order would get
Bezeq started in trying to match up the IP address, time of day to the
physical phone that was used.
</quote>

So here is what I think is happening:

The blackhat has a couple of modems controlled by a single machine; they
both dial into the 135 system and start scanning a large block (say
130/8), randomly varying the 2nd and 3rd octet so not too many packets
hit any one network at any time -- nmap will probably do that.  Every
half hour you drop your connection and reconnect to another ISP and
continue.  This way even if you have a /16 net you will only see 4 or 5
packets from any particular address block in any day. If this is so,
then why do they give it away by reusing 62.0.55.65? If they had not
done that then I may well have never noticed the activity at all.  I
suspect the operation is being launched from 62.0.55.65 and they could
not resist the temptation to do some low level probing from there as
well, believing that the level would be so low that no one would notice.

The recent traffic stopped shortly after (about an hour or two) I
mailed Netvision. I have not received any response from Netvision.

Cheers, Russell.
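As an added illustration, not part of Russell's post: a small script that applies the correlation heuristic he describes, grouping POP/IMAP probes by the last octet of the source address and measuring how long each source stays active, so that short-lived rotating dial-up sources sharing one last octet stand out. The log line format and every address except 62.0.55.65 are constructed for the example.

```python
"""Correlate low-rate POP/IMAP probes by the last octet of the source IP."""
from collections import defaultdict
from datetime import datetime

MAIL_PORTS = {110, 143}  # POP3 and IMAP, the services probed in the post

# Constructed sample log lines: "<ISO timestamp> <src ip> <dst ip>:<dst port>".
# Only 62.0.55.65 is taken from the post; the rest are documentation ranges.
SAMPLE_LOG = """\
2000-09-12T09:02:11 62.0.55.65 10.20.10.4:110
2000-09-12T09:05:40 192.0.2.65 10.20.44.9:143
2000-09-12T09:11:02 192.0.2.65 10.20.80.1:110
2000-09-12T09:40:17 198.51.100.65 10.20.3.7:110
2000-09-12T09:41:03 198.51.100.65 10.20.120.2:143
2000-09-12T10:12:55 203.0.113.65 10.20.61.5:110
2000-09-12T10:15:20 203.0.113.9 10.20.61.5:25
2000-09-12T10:30:00 203.0.113.12 10.20.61.5:110
"""


def parse(log):
    """Yield (timestamp, src_ip, dst_port) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3 or ":" not in parts[2]:
            continue  # skip anything that does not match the expected shape
        yield datetime.fromisoformat(parts[0]), parts[1], int(parts[2].rsplit(":", 1)[1])


def correlate_by_last_octet(log, min_sources=3):
    """Group mail-port probes by source last octet and report octets seen from
    at least min_sources distinct addresses, with each source's active span in
    minutes (half-hourly redialling shows up as spans well under 30 minutes)."""
    by_octet = defaultdict(lambda: defaultdict(list))
    for ts, src, port in parse(log):
        if port in MAIL_PORTS:
            by_octet[src.rsplit(".", 1)[1]][src].append(ts)
    report = {}
    for octet, sources in by_octet.items():
        if len(sources) >= min_sources:
            report[octet] = {
                src: round((max(times) - min(times)).total_seconds() / 60, 1)
                for src, times in sources.items()
            }
    return report


if __name__ == "__main__":
    for octet, sources in correlate_by_last_octet(SAMPLE_LOG).items():
        print(f"last octet .{octet}: {len(sources)} distinct sources -> {sources}")
```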
