Security Incidents mailing list archives

RE: Strange "port scans" from a spoofed IP


From: "Jason Robertson" <jason () ifuture com>
Date: Sun, 11 Nov 2001 18:55:33 -0500

Should and Is are totally different stories.

We receive on our external interfaces about 1000 of these packets/day, 
and I can actually trace these at times.. but for the past 2 years, I 
have just blocked them from entering the network.

I think it's a great deal of misconfigured routers and NATs.. And 
wishing for ISPs or upstreams to block anything, as one cartoon put it, 
"Don't you believe it", only because they rarely do, even for common 
packet problems, or they would even add filters to prevent DoS's from 
going from their network (oh dream of dreams); this alone, by everyone, 
would make life easier for all of us.

Jason

On 9 Nov 2001 at 10:58, Keith.Morgan wrote:

From:                   "Keith.Morgan" <Keith.Morgan () Terradon com>
To:                     "'Jon.Kibler () aset com'" <Jon.Kibler () aset com>
Copies to:              "'incidents () securityfocus com'" <incidents () securityfocus com>
Subject:                RE: Strange "port scans" from a spoofed IP
Date sent:              Fri, 9 Nov 2001 10:58:10 -0500 
Mailer:                 Internet Mail Service (5.5.2653.19)

I'm not sure where this may be coming from, or why, but I can say that it
indicates a problem.  I'm not sure of the target machine's situation,
posture, or any details, but, as a general rule, these packets should be
silently dropped.  There should be no response sent by your machine or
network to RFC 1918 address space (e.g., 192.168.0.0/16).  Perimeter firewalls
and upstream routers should silently drop private address space packets
arriving on external interfaces.

-----Original Message-----
From: Jon R. Kibler [mailto:Jon.Kibler () aset04 aset com]
Sent: Monday, November 05, 2001 6:37 PM
To: incidents () securityfocus com
Subject: Strange "port scans" from a spoofed IP


Earlier today we started noticing a rather strange "port 
scan" from two different spoofed IP addresses. Both claim to 
originate from port 80 and have a fixed destination based 
upon originating IP, as follows:
   192.168.19.82 has destination port 11709
   192.168.19.81 has destination port 13607

The "scans" repeat every 61 seconds. They have been running 
non-stop since sometime late yesterday. Here is an example 
from snoop of the traffic in question:

150182 15:20:41.94425 192.168.19.82 -> US TCP D=11709 S=80 Ack=924387618 Seq=159745477 Len=1 Win=0
150183 15:20:41.94466 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
150206 15:20:50.21349 192.168.19.81 -> US TCP D=13607 S=80 Ack=915790864 Seq=2217637423 Len=1 Win=0
150207 15:20:50.21390 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
150283 15:21:42.90447 192.168.19.82 -> US TCP D=11709 S=80 Ack=924387618 Seq=159745477 Len=1 Win=0
150284 15:21:42.90488 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
150311 15:21:51.13106 192.168.19.81 -> US TCP D=13607 S=80 Ack=915790864 Seq=2217637423 Len=1 Win=0
150312 15:21:51.13147 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
150395 15:22:44.10400 192.168.19.82 -> US TCP D=11709 S=80 Ack=924387618 Seq=159745477 Len=1 Win=0
150396 15:22:44.10440 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
150404 15:22:52.08212 192.168.19.81 -> US TCP D=13607 S=80 Ack=915790864 Seq=2217637423 Len=1 Win=0
150405 15:22:52.08249 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
150442 15:23:44.87234 192.168.19.82 -> US TCP D=11709 S=80 Ack=924387618 Seq=159745477 Len=1 Win=0
150443 15:23:44.87276 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
150488 15:23:53.03809 192.168.19.81 -> US TCP D=13607 S=80 Ack=915790864 Seq=2217637423 Len=1 Win=0
150489 15:23:53.03850 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
150763 15:24:45.75855 192.168.19.82 -> US TCP D=11709 S=80 Ack=924387618 Seq=159745477 Len=1 Win=0
150764 15:24:45.75894 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
150809 15:24:54.00191 192.168.19.81 -> US TCP D=13607 S=80 Ack=915790864 Seq=2217637423 Len=1 Win=0
150810 15:24:54.00232 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0


Has anyone else seen something similar? Since this is clearly 
not a DoS attack, any idea what would be the purpose of such a scan?

Thanks for any and all help/comments.

Sincerely,
Jon R. Kibler
Systems Architect
Advanced Systems Engineering Technology, Inc.
Charleston, SC

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com






--
Jason Robertson                
Network/Security Analyst     
jason () ifuture com 
http://www.ifuture.com, http://www.astroadvice.com, 
http://www.astroeast.com
Also if you are looking for an employee, I may be available soon, so 
feel free to contact me for my resume.


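As an added illustration of the two points made in this thread (it is not code from any of the posters): a small triage script over snoop summary lines like Jon's trace. It flags inbound packets whose source is RFC 1918 space, flags every reply the local host sent back into private space (the RSTs that, per Keith's advice, should never leave the perimeter), and computes the repeat interval per spoofed source. The embedded trace is constructed from two periods of the posted output; "US" stands for the local host exactly as in the original.

```python
# Added example, not from the thread: triage a snoop summary trace for RFC 1918
# traffic seen on an external interface and for replies leaked back to it.
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: two periods of the trace posted in the thread ("US" = local host).
SNOOP_TRACE = """\
150182 15:20:41.94425 192.168.19.82 -> US TCP D=11709 S=80 Ack=924387618 Seq=159745477 Len=1 Win=0
150183 15:20:41.94466 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
150206 15:20:50.21349 192.168.19.81 -> US TCP D=13607 S=80 Ack=915790864 Seq=2217637423 Len=1 Win=0
150207 15:20:50.21390 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
150283 15:21:42.90447 192.168.19.82 -> US TCP D=11709 S=80 Ack=924387618 Seq=159745477 Len=1 Win=0
150284 15:21:42.90488 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
150311 15:21:51.13106 192.168.19.81 -> US TCP D=13607 S=80 Ack=915790864 Seq=2217637423 Len=1 Win=0
150312 15:21:51.13147 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# snoop summary line: <frame> <time> <src> -> <dst> TCP <fields...>
LINE_RE = re.compile(r"^\s*\d+\s+(\d{2}:\d{2}:\d{2}\.\d+)\s+(\S+) -> (\S+) TCP (.*)$")

def is_private(host):
    """True for RFC 1918 addresses; snoop's "US" placeholder is not an address."""
    try:
        return any(ipaddress.ip_address(host) in net for net in RFC1918)
    except ValueError:
        return False

def seconds_of_day(ts):
    t = datetime.strptime(ts, "%H:%M:%S.%f")
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6

def triage(trace):
    """Return (inbound private-source packets, replies leaked to private space, period per source)."""
    inbound, leaked, seen = [], [], defaultdict(list)
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, fields = m.groups()
        if is_private(src):                       # bogon source arriving from outside
            inbound.append((src, fields))
            seen[src].append(seconds_of_day(ts))
        elif is_private(dst):                     # our host answered a spoofed source
            leaked.append((dst, fields.split()[2]))  # third field is the flag, e.g. "Rst"
    # Seconds between consecutive packets from each spoofed source (61 in Jon's trace).
    period = {src: round(t[-1] - t[0]) for src, t in seen.items() if len(t) > 1}
    return inbound, leaked, period
```

Any non-empty `leaked` list is the actionable finding: the host or perimeter is answering spoofed private sources instead of dropping them silently.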

