Security Incidents mailing list archives
Re: 6112/TCP scans
From: Paul Dokas <dokas () smtp mn mediaone net>
Date: Tue, 11 Dec 2001 21:05:21 -0600
On Tue, Dec 11, 2001 at 10:06:15PM -0000, Neil Long wrote:
> 6112 tcp is also the default for dtspcd - one of the CDE exploit scanners I guess.
>
> % grep dtsp /etc/inetd.conf
> # dtspc stream tcp nowait root /usr/dt/bin/dtspcd dtspcd
> % grep dtsp /etc/services
> dtspc 6112/tcp #subprocess control
Yes, this is exactly why this traffic made me take notice. However, in a private email, it was pointed out to me that I've almost perfectly picked out some of the battle.net servers:

Name: useast.battle.net
Addresses: 63.240.202.131, 63.240.202.138, 63.240.202.139, 63.240.202.140

And they most definitely do source lots of traffic on 6112/TCP. So, I'm almost certainly wrong about them scanning me. Something else must be happening.

Looking further, I've found that the destinations of all of this 6112/TCP traffic appear to be randomly distributed on my networks. Hosts that are most definitely *not* running games (SUNs for example) are being hit. Also, IP addresses that are not even being used are also getting these packets.

So, I dug into my netflows with flowdumper and I've found *tons* of 6112/TCP traffic in 40-byte packets with ACK + RST set. And, all of this traffic was coming from the useast.battle.net servers and destined for IP addresses nearly randomly distributed throughout my network.

Perhaps I'm just seeing backscatter from DOS attacks on the battle.net servers?

The time period during which I saw this traffic was from sometime early on 12/8 through the afternoon on 12/10.

Paul

--
Paul Dokas dokas () cs umn edu
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
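The pattern described in the message above (40-byte ACK + RST packets sourced from 6112/TCP and fanned out across addresses that include unused ones) can be separated from real connection attempts in flow data. The following is an added example, not part of the original post and not flowdumper's output format: the record field names, the thresholds, the host inventory and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10  # TCP flag bits as stored in a flow record

def classify(flow):
    """Label one flow record as 'probe', 'backscatter' or 'other'."""
    flags = flow["flags"]
    if flow["dport"] == 6112 and flags & SYN and not flags & (ACK | RST):
        return "probe"  # connection attempt aimed at the dtspcd port
    bare = flow["bytes"] == 40 * flow["packets"]  # 40-byte packets carry no payload
    if flow["sport"] == 6112 and bare and (flags & (SYN | RST | ACK)) == (RST | ACK):
        return "backscatter"  # bare ACK + RST reply sourced from port 6112
    return "other"

def summarize(flows, live_hosts):
    """Per remote source: distinct local targets hit and the share that are unused IPs."""
    targets = defaultdict(set)
    for flow in flows:
        if classify(flow) == "backscatter":
            targets[flow["src"]].add(flow["dst"])
    return {
        src: {"targets": len(dsts),
              "unused_share": sum(d not in live_hosts for d in dsts) / len(dsts)}
        for src, dsts in targets.items()
    }

def likely_backscatter(report, min_targets=3, min_unused=0.5):
    """Sources whose resets are spread over many addresses, most of them unused."""
    return sorted(src for src, r in report.items()
                  if r["targets"] >= min_targets and r["unused_share"] >= min_unused)

# Constructed sample records (documentation address ranges, hypothetical field names).
KEYS = ("src", "sport", "dst", "dport", "packets", "bytes", "flags")
SAMPLE_FLOWS = [dict(zip(KEYS, row)) for row in [
    ("198.51.100.7", 6112, "192.0.2.10", 1025, 1, 40, RST | ACK),
    ("198.51.100.7", 6112, "192.0.2.77", 3301, 2, 80, RST | ACK),
    ("198.51.100.7", 6112, "192.0.2.143", 40211, 1, 40, RST | ACK),
    ("198.51.100.7", 6112, "192.0.2.201", 2210, 1, 40, RST | ACK),
    ("203.0.113.9", 4431, "192.0.2.20", 6112, 1, 44, SYN),
    ("198.51.100.7", 6112, "192.0.2.10", 1030, 10, 5200, PSH | ACK),
]]
LIVE_HOSTS = {"192.0.2.10", "192.0.2.20"}  # assumed inventory of addresses in use

if __name__ == "__main__":
    report = summarize(SAMPLE_FLOWS, LIVE_HOSTS)
    print(report)
    print(likely_backscatter(report))
```

A source that shows up only under `probe` is the case worth checking against hosts that actually run dtspcd; a source flagged by `likely_backscatter` is answering packets the local network never sent.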