Security Incidents mailing list archives

Re: Scans From 192.168.0.134


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Fri, 2 Feb 2001 11:24:11 +1300

On Thu, 1 Feb 2001 10:29:57 -0500 "Douglas P. Brown" <Doug () UNC EDU>
wrote:

We are somewhat perplexed - Our IDS reported 8000+ SYN FIN scans from a
non-routable address (192.168.0.134) to thousands of our hosts
yesterday.  Our IDS setup is only seeing traffic that traverses our main
router.  Has anyone seen this before?  Am I missing something?  Any
advice or direction you can offer would be greatly appreciated.

hmmm... I've not seen SF scans from these addresses however I do see a
whole lot of netbios scans (from trojans) with addresses in reserved
ranges:

[10.0.0.1] -- hosts 35, times 33, frags 0 udp-137
[10.0.0.2] -- hosts 44, times 40, frags 0 udp-137
[10.0.0.3] -- hosts 14, times 14, frags 0 udp-137
[10.0.0.10] -- hosts 20, times 20, frags 0 udp-137
[192.168.0.1] -- hosts 420, times 151, frags 0 udp-53,udp-137
[192.168.0.2] -- hosts 81, times 64, frags 0 udp-137
[192.168.0.3] -- hosts 38, times 39, frags 0 udp-53,udp-137
[192.168.0.4] -- hosts 46, times 19, frags 0 udp-137
[192.168.1.1] -- hosts 38, times 37, frags 0 udp-137

I've always assumed that these came from networks with misconfigured
border filters or NAT (maybe ones that don't filter or translate UDP).

In your case, since these are SYN+FIN packets, maybe they went straight
through *their* firewall and did not get translated because of the illegal
flag combination.  This is why crackers use SF packets.


Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
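As an added example, not part of Russell's reply or anything posted in this thread, the two observations above (SYN+FIN segments, and packets whose source is an RFC 1918 address arriving at the border) can be turned into a simple detector over firewall or router logs. The script below assumes a hypothetical one-line-per-packet log format ("date time proto src:port -> dst:port flags=..."); the sample lines are constructed for the example, and the per-source "hosts N" summary mirrors the style of the listing in the post.

```python
import ipaddress
import re
from collections import defaultdict

# RFC 1918 private ranges. Packets with these source addresses should never
# reach a border router from the Internet; seeing them there means a remote
# network is not filtering or translating its outbound traffic (RFC 2827
# ingress filtering would also drop them on the way in).
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample log lines in a hypothetical format (not real traffic).
# 203.0.113.0/24 plays the role of the local network being scanned.
SAMPLE_LOG = """\
2001-02-01 10:29:57 TCP 192.168.0.134:43210 -> 203.0.113.5:21 flags=SF
2001-02-01 10:29:57 TCP 192.168.0.134:43210 -> 203.0.113.6:21 flags=SF
2001-02-01 10:29:58 TCP 192.168.0.134:43210 -> 203.0.113.7:21 flags=SF
2001-02-01 10:30:01 TCP 198.51.100.20:51000 -> 203.0.113.5:80 flags=S
2001-02-01 10:30:02 UDP 10.0.0.1:137 -> 203.0.113.9:137 flags=-
2001-02-01 10:30:03 TCP 198.51.100.21:51001 -> 203.0.113.5:22 flags=SF
this line is malformed and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"flags=(?P<flags>\S+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_rfc1918(addr):
    """True if addr falls inside one of the RFC 1918 private ranges.

    Deliberately not ipaddress's is_private, which also treats the
    documentation nets (192.0.2/24, 198.51.100/24, 203.0.113/24) as private.
    """
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def is_syn_fin(rec):
    """True for a TCP segment carrying both SYN and FIN, an illegal combination
    that a normal TCP stack never emits and some filters fail to classify."""
    return rec["proto"] == "TCP" and "S" in rec["flags"] and "F" in rec["flags"]


def analyze(log_text):
    """Summarise suspicious sources: number of distinct target hosts, packet
    count, and which check fired. Sources that trip neither check are omitted."""
    findings = defaultdict(
        lambda: {"hosts": set(), "packets": 0, "syn_fin": False, "private_src": False}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the run
        synfin = is_syn_fin(rec)
        private = is_rfc1918(rec["src"])
        if not (synfin or private):
            continue
        f = findings[rec["src"]]
        f["hosts"].add(rec["dst"])
        f["packets"] += 1
        f["syn_fin"] = f["syn_fin"] or synfin
        f["private_src"] = f["private_src"] or private
    # Report the distinct-host set as a count, like the "hosts N" lines above.
    return {src: {**f, "hosts": len(f["hosts"])} for src, f in findings.items()}


if __name__ == "__main__":
    for src, f in sorted(analyze(SAMPLE_LOG).items()):
        reasons = [r for r in ("syn_fin", "private_src") if f[r]]
        print(f"[{src}] -- hosts {f['hosts']}, packets {f['packets']}, "
              f"reasons {','.join(reasons)}")
```

Run against the sample, the private-source check catches both the SYN+FIN scanner at 192.168.0.134 and the netbios probe from 10.0.0.1, while the SYN+FIN check separately flags 198.51.100.21 even though its address is routable; a plain SYN from 198.51.100.20 is not reported. Keeping the two checks independent matters: the original scan would have been caught by either one, and the explanation in the reply (an unfiltered or untranslated packet escaping someone else's NAT) is easier to confirm when you can see which condition fired.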

