Security Incidents mailing list archives
Re: OS Fingerprinting or best route determination?
From: Paul BOYER <paul.boyer () SECURITYKEEPERS COM>
Date: Fri, 23 Mar 2001 00:30:36 -0000
We also experience those "UDP 39852" scans. Is it related to the "TCP 21536" scans due to Nortel CVX eating the TCP header?
Hello,

Anyone have any idea what's going on here? To me it looks like OS Fingerprinting, minus the malformed packets. We have a SYN to an open port, an ACK to an open port, and a UDP packet to a closed port. I've seen this same combination (IP addresses, ports, timing) before, about 7 times in the last 3 weeks. 194.133.58.129 resolves to bestroute1-t.alcatel.fr, which leads me to believe it's an attempt to pinpoint the closest webserver or something like that, but isn't this a little too intrusive for that? Also, why the second address (212.208.74.129)? Some sort of triangulation?
03/08-06:07:36.621657 [**] IDS28 - PING NMAP TCP [**] 194.133.58.129:80 -> x.y.z.3:53
03/08-06:07:36.621916 [**] IDS07 - MISC-Source Port Traffic 53 TCP [**] 194.133.58.129:53 -> x.y.z.3:53
03/08-06:07:36.724300 [**] IDS07 - MISC-Source Port Traffic 53 TCP [**] 212.208.74.129:53 -> x.y.z.3:53
03/08-06:07:36 UDP 194.133.58.129:55 -> x.y.z.3:37852 (Firewall log)
[**] IDS28 - PING NMAP TCP [**] 03/08-06:07:36.621657 194.133.58.129:80 -> x.y.z.3:53
TCP TTL:48 TOS:0x0 ID:49468 IpLen:20 DgmLen:40
***A**** Seq: 0x251 Ack: 0x0 Win: 0x578 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IDS07 - MISC-Source Port Traffic 53 TCP [**] 03/08-06:07:36.621916 194.133.58.129:53 -> x.y.z.3:53
TCP TTL:48 TOS:0x0 ID:49469 IpLen:20 DgmLen:40
******S* Seq: 0x25312F43 Ack: 0x0 Win: 0x578 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IDS07 - MISC-Source Port Traffic 53 TCP [**] 03/08-06:07:36.724300 212.208.74.129:53 -> x.y.z.3:53
TCP TTL:46 TOS:0x0 ID:49471 IpLen:20 DgmLen:40
******S* Seq: 0x253190EB Ack: 0x0 Win: 0x578 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
The players:

194.133.58.129 -- bestroute1-t.alcatel.fr
route:      194.133.58.0/24
descr:      Alcanet
origin:     AS2917
mnt-by:     OLEANE-NOC
changed:    hostmaster () oleane net 20000302
source:     RIPE

212.208.74.129 -- doesn't resolve
inetnum:    212.208.74.0 - 212.208.74.255
netname:    ALCANET-NET1
descr:      ALCANET INTERNATIONAL
country:    FR
source:     RIPE

Gary Portnoy
Network Administrator
gportnoy () belenosinc com
PGP Fingerprint: 9D69 6A39 642D 78FD 207C 307D B37D E01A 2E89 9D2C
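Added example (not part of the thread, and not code from either poster): the pattern Gary describes is a bare ACK, a SYN and a UDP datagram from one source to one host within a fraction of a second, which is exactly the kind of correlation a Snort alert file on its own does not give you. The script below parses Snort-style alert records in the layout quoted above plus a one-line firewall entry, classifies each record as a SYN, bare ACK or UDP probe, and reports per (source, destination) pair which parts of the combination arrived inside a time window. The log text, the year 2001 assumed for the timestamps and the two-second window are constructed assumptions; the alert layout and flag column ("12UAPRSF", the order Snort prints) are standard Snort.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the three Snort alerts and the firewall line quoted
# in the thread, re-typed here as test data (x.y.z.3 is the anonymised target).
SAMPLE_LOG = """\
[**] IDS28 - PING NMAP TCP [**] 03/08-06:07:36.621657 194.133.58.129:80 -> x.y.z.3:53
TCP TTL:48 TOS:0x0 ID:49468 IpLen:20 DgmLen:40
***A**** Seq: 0x251 Ack: 0x0 Win: 0x578 TcpLen: 20
[**] IDS07 - MISC-Source Port Traffic 53 TCP [**] 03/08-06:07:36.621916 194.133.58.129:53 -> x.y.z.3:53
TCP TTL:48 TOS:0x0 ID:49469 IpLen:20 DgmLen:40
******S* Seq: 0x25312F43 Ack: 0x0 Win: 0x578 TcpLen: 20
[**] IDS07 - MISC-Source Port Traffic 53 TCP [**] 03/08-06:07:36.724300 212.208.74.129:53 -> x.y.z.3:53
TCP TTL:46 TOS:0x0 ID:49471 IpLen:20 DgmLen:40
******S* Seq: 0x253190EB Ack: 0x0 Win: 0x578 TcpLen: 20
03/08-06:07:36 UDP 194.133.58.129:55 -> x.y.z.3:37852 (Firewall log)
"""

ADDR = r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)"
ALERT_RE = re.compile(r"^\[\*\*\] (?P<sig>.+?) \[\*\*\] (?P<ts>\S+) " + ADDR + r"$")
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<proto>UDP|TCP) " + ADDR + r"(?: \(Firewall log\))?$")
PROTO_RE = re.compile(r"^(?P<proto>TCP|UDP|ICMP) TTL:(?P<ttl>\d+)")
FLAGS_RE = re.compile(r"^(?P<flags>[12UAPRSF*]{8}) Seq:")   # Snort prints 12UAPRSF

PROBE_TRIAD = frozenset({"tcp-syn", "bare-ack", "udp-probe"})


def parse_ts(stamp, year=2001):
    """Snort stamps carry no year; 2001 is assumed from the thread's date."""
    fmt = "%Y/%m/%d-%H:%M:%S.%f" if "." in stamp else "%Y/%m/%d-%H:%M:%S"
    return datetime.strptime(f"{year}/{stamp}", fmt)


def parse_events(text):
    """Turn alert records (header + IP line + TCP flags line) and firewall
    one-liners into a flat list of event dicts."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ALERT_RE.match(line)
        if m:
            current = {"sig": m["sig"], "ts": parse_ts(m["ts"]), "src": m["src"],
                       "sport": int(m["sport"]), "dst": m["dst"], "dport": int(m["dport"]),
                       "proto": None, "ttl": None, "flags": ""}
            events.append(current)
            continue
        m = FW_RE.match(line)
        if m:
            events.append({"sig": "firewall", "ts": parse_ts(m["ts"]), "src": m["src"],
                           "sport": int(m["sport"]), "dst": m["dst"], "dport": int(m["dport"]),
                           "proto": m["proto"], "ttl": None, "flags": ""})
            current = None
            continue
        if current is None:
            continue
        m = PROTO_RE.match(line)
        if m:
            current["proto"], current["ttl"] = m["proto"], int(m["ttl"])
            continue
        m = FLAGS_RE.match(line)
        if m:
            current["flags"] = m["flags"]
    return events


def classify(event):
    """Map one event to the probe type discussed in the thread, or None."""
    if event["proto"] == "UDP":
        return "udp-probe"
    if event["proto"] == "TCP":
        flags = set(event["flags"].replace("*", ""))
        if flags == {"S"}:
            return "tcp-syn"
        if flags == {"A"}:          # an ACK with no session behind it
            return "bare-ack"
    return None


def find_probe_sets(events, window_seconds=2.0):
    """Per (src, dst) pair: the largest subset of the SYN/ACK/UDP combination
    seen within window_seconds, plus the TTLs observed (a differing TTL, 46 vs
    48 in the thread, hints that two addresses are really two hosts)."""
    by_pair = defaultdict(list)
    for e in events:
        kind = classify(e)
        if kind:
            by_pair[(e["src"], e["dst"])].append((e["ts"], kind, e["ttl"]))
    findings = {}
    for pair, items in by_pair.items():
        items.sort(key=lambda x: x[0])
        best = set()
        for i, (t0, _, _) in enumerate(items):        # sliding window from each event
            kinds = {k for t, k, _ in items[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(kinds) > len(best):
                best = kinds
        ttls = sorted({ttl for _, _, ttl in items if ttl is not None})
        findings[pair] = {"kinds": best, "ttls": ttls}
    return findings


def fingerprint_candidates(findings):
    """Pairs that showed the full SYN + bare-ACK + UDP combination."""
    return sorted(pair for pair, f in findings.items() if f["kinds"] == set(PROBE_TRIAD))


if __name__ == "__main__":
    results = find_probe_sets(parse_events(SAMPLE_LOG))
    for (src, dst), f in results.items():
        print(f"{src} -> {dst}: {sorted(f['kinds'])} ttl={f['ttls']}")
    print("full combination from:", fingerprint_candidates(results))
```

Run as-is it reports the full combination only for 194.133.58.129, while 212.208.74.129 contributed just a SYN, which is the "why the second address?" question in concrete form; shrinking the window to half a second drops the UDP datagram (logged a whole second earlier by the firewall's coarser clock) out of the group, so the window you pick has to absorb the clock skew between your sensors.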
Current thread:
- OS Fingerprinting or best route determination? Portnoy, Gary (Mar 08)
- <Possible follow-ups>
- Re: OS Fingerprinting or best route determination? Paul BOYER (Mar 23)