Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

odd host scans to random addressess

From: Russell Fulton <r.fulton () auckland ac nz>
Date: Wed, 22 Aug 2001 11:11:20 +1200 (NZST)
Over the last 24 hours I have seen 3 scans from these 3 IP addresses.
(I assume two are spoofed -- two don't respond to pings and one is
firewalled). Scans consist of single tcp ACKs sent from each source.

Here is a sample of the traffic:

22 Aug 01 08:02:38           tcp   64.94.188.247.50906  ?>    130.216.14.121.221   1        0         0            0    
       A_
22 Aug 01 08:02:38           tcp   209.191.132.6.50906  ?>    130.216.14.121.221   1        0         0            0    
       A_
22 Aug 01 08:02:38           tcp  209.191.156.89.50906  ?>    130.216.14.121.221   1        0         0            0    
       A_
22 Aug 01 08:02:38           tcp   64.94.188.247.50907  ?>    130.216.14.121.221   1        0         0            0    
       A_
22 Aug 01 08:02:38           tcp   209.191.132.6.50907  ?>    130.216.14.121.221   1        0         0            0    
       A_
22 Aug 01 08:02:38           tcp  209.191.156.89.50907  ?>    130.216.14.121.221   1        0         0            0    
       A_
22 Aug 01 08:02:38           tcp   64.94.188.247.50908  ?>    130.216.14.121.221   1        0         0            0    
       A_
22 Aug 01 08:02:38           tcp   209.191.132.6.50908  ?>    130.216.14.121.221   1        0         0            0    
       A_
22 Aug 01 08:02:38           tcp  209.191.156.89.50908  ?>    130.216.14.121.221   1        0         0            0    
       A_
22 Aug 01 08:02:38           tcp   64.94.188.247.50906  ?>    130.216.14.121.179   1        0         0            0    
       A_
22 Aug 01 08:02:38           tcp   209.191.132.6.50906  ?>    130.216.14.121.179   1        0         0            0    
       A_
22 Aug 01 08:02:38           tcp  209.191.156.89.50906  ?>    130.216.14.121.179   1        0         0            0    
       A_
22 Aug 01 08:02:38           tcp   64.94.188.247.50907  ?>    130.216.14.121.179   1        0         0            0    
       A_
22 Aug 01 08:02:38           tcp   209.191.132.6.50907  ?>    130.216.14.121.179   1        0         0            0    
       A_
22 Aug 01 08:02:38           tcp  209.191.156.89.50907  ?>    130.216.14.121.179   1        0         0            0    
       A_
22 Aug 01 08:02:38           tcp   64.94.188.247.50908  ?>    130.216.14.121.179   1        0         0            0    
       A_
22 Aug 01 08:02:38           tcp   209.191.132.6.50908  ?>    130.216.14.121.179   1        0         0            0    
       A_
22 Aug 01 08:02:38           tcp  209.191.156.89.50908  ?>    130.216.14.121.179   1        0         0            0    
       A_
22 Aug 01 08:02:38           tcp   64.94.188.247.50906  ?>    130.216.14.121.253   1        0         0            0    
       A_
22 Aug 01 08:02:38           tcp   209.191.132.6.50906  ?>    130.216.14.121.253   1        0         0            0    
       A_
22 Aug 01 08:02:38           tcp  209.191.156.89.50906  ?>    130.216.14.121.253   1        0         0            0    
       A_

Three different addresses have been scanned in this manner, but the
odd thing is that none of them are actually in use. About 1600 ports
are scanned in just under a minute.

And what do they hope to achieve with ACKs?  Won't the machine respond
with an RST whether or not the port is open?


Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: