Security Incidents mailing list archives

Re: 6112/TCP scans


From: Paul Dokas <dokas () smtp mn mediaone net>
Date: Tue, 11 Dec 2001 21:05:21 -0600

On Tue, Dec 11, 2001 at 10:06:15PM -0000, Neil Long wrote:
> 6112 tcp is also the default for dtspcd - one of the CDE exploit scanners I
> guess.
>
> % grep dtsp /etc/inetd.conf
> # dtspc stream tcp nowait root /usr/dt/bin/dtspcd dtspcd
>
> % grep dtsp /etc/services
> dtspc           6112/tcp                #subprocess control


Yes, this is exactly why this traffic made me take notice.

However, in a private email, it was pointed out to me that I've almost
perfectly picked out some of the battle.net servers:

  Name:    useast.battle.net
  Addresses:  63.240.202.131, 63.240.202.138, 63.240.202.139, 63.240.202.140


And they most definitely do source lots of traffic on 6112/TCP.  So, I'm
almost certainly wrong about them scanning me.  Something else must be happening.


Looking further, I've found that the destinations of all of this 6112/TCP
traffic appear to be randomly distributed on my networks.  Hosts that are
most definitely *not* running games (SUNs for example) are being hit.
Also, IP addresses that are not even being used are also getting these packets.


So, I dug into my netflows with flowdumper and I've found *tons* of
6112/TCP traffic in 40-byte packets with ACK + RST set.  And, all of this
traffic was coming from the useast.battle.net servers and destined for
IP addresses nearly randomly distributed throughout my network.


Perhaps I'm just seeing backscatter from DOS attacks on the battle.net
servers?  The time period during which I saw this traffic was from sometime
early on 12/8 through the afternoon on 12/10.


Paul
-- 
Paul Dokas                                            dokas () cs umn edu
======================================================================
Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."
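
Added example, not part of the original post: one way to tell the two readings in this message apart, a scanner probing 6112/TCP versus backscatter arriving from port 6112, by looking at TCP flags, which side holds the port, and how many destinations each source touches. The record layout, the addresses (documentation ranges), the live-host set and the `min_dsts` threshold are constructed assumptions, not flowdumper output.

```python
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10
PORT = 6112  # shared by dtspcd and the game servers named in the post

def classify(flows, live_hosts, min_dsts=3):
    """Label each remote source 'scan', 'backscatter' or 'other'.

    Returns {src: (label, fraction_of_destinations_that_are_unused)}.
    """
    per_src = defaultdict(lambda: {"probe": 0, "reply": 0, "dsts": set()})
    for src, sport, dst, dport, flags in flows:
        s = per_src[src]
        s["dsts"].add(dst)
        if flags & SYN and not flags & ACK and dport == PORT:
            s["probe"] += 1      # connection attempt aimed at the service port
        elif flags & RST and sport == PORT:
            s["reply"] += 1      # reset sent *from* the service port
    result = {}
    for src, s in per_src.items():
        dark = round(len(s["dsts"] - live_hosts) / len(s["dsts"]), 2)
        if len(s["dsts"]) < min_dsts:
            label = "other"          # e.g. one real client being reset
        elif s["probe"] > s["reply"]:
            label = "scan"
        elif s["reply"] > 0:
            label = "backscatter"    # replies to packets we never sent
        else:
            label = "other"
        result[src] = (label, dark)
    return result

# Constructed sample: 192.0.2.0/24 is the local network, two hosts are live.
LIVE = {"192.0.2.10", "192.0.2.20"}
FLOWS = [  # (src, sport, dst, dport, tcp_flags)
    ("198.51.100.10", 6112, "192.0.2.10", 40211, RST | ACK),
    ("198.51.100.10", 6112, "192.0.2.77", 1093, RST | ACK),
    ("198.51.100.10", 6112, "192.0.2.143", 52000, RST | ACK),
    ("198.51.100.10", 6112, "192.0.2.201", 3321, RST | ACK),
    ("203.0.113.7", 34567, "192.0.2.10", 6112, SYN),
    ("203.0.113.7", 34568, "192.0.2.11", 6112, SYN),
    ("203.0.113.7", 34569, "192.0.2.12", 6112, SYN),
    ("198.51.100.99", 6112, "192.0.2.20", 2044, RST | ACK),
]

if __name__ == "__main__":
    for src, verdict in classify(FLOWS, LIVE).items():
        print(src, verdict)
```

Both patterns reach unused addresses, so the unused-destination fraction is supporting context; the discriminator is whether the remote side sends SYNs to port 6112 or resets from it.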
