Security Incidents mailing list archives

Re: NTP scan ????


From: Paul Gear <paulgear () bigfoot com>
Date: Thu, 28 Feb 2002 20:40:05 +1000

Russell Fulton wrote:

On Wed, 2002-02-27 at 14:52, Will Aoki wrote:
On Wed, Feb 27, 2002 at 10:43:19AM +1300, Russell Fulton wrote:

(213.237.6.5) at 22:13 GMT-7 on the 20th, but I figured that it must
be something other than NTP, since AFAIK NTP only runs over UDP.

Possibly but tcp-123 is reserved for NTP...

Normal practice is to reserve both TCP and UDP for the given port no matter
which protocols you reserve.

Another thought that
occurred to me was that it was a typo and they meant to scan for
1234 or 12345, both popular trojan ports. This seems unlikely since
it would appear that this wasn't a single scan.

Still a possibility, though, and perhaps more likely than my suggestion.  It's
perfectly conceivable that some script kiddie set up his tool to scan for hosts
and accidentally deleted the last 1 or 2 digits.

Perhaps you're seeing something similar: people looking for poor filtering
rules.

Hmmm... so if you get any RSTs or port unreachables you would know that
the original packet went through the firewall.  Then you could start
probing with more interesting packets.  Certainly plausible.

Plausible, but unlikely to cause damage.  How many firewall implementations are
going to allow use of a port for filtering if the protocol is not specified?

Paul
http://paulgear.webhop.net
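
Added example, not part of the original message or thread: a defender-side audit for the "poor filtering rules" case discussed above, flagging ACCEPT rules that open port 123 on TCP when NTP service only needs UDP. It assumes a Linux host whose rules are available as `iptables-save` output with numeric ports; the function names and the sample rule set are constructed for illustration.

```python
import shlex

NTP_PORT = 123  # NTP service runs over UDP; TCP/123 is reserved but not needed for it

def covers(spec, port):
    """True if an iptables port spec ('123', '100:200', '53,123') includes port."""
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        low = int(lo) if lo else 0
        high = int(hi) if hi else (65535 if sep else low)
        if low <= port <= high:
            return True
    return False

def tcp_accepts_for_port(rules_text, port=NTP_PORT):
    """Return ACCEPT rules that explicitly admit TCP traffic to `port`.

    Only rules with '-p tcp' and a --dport/--dports match are checked;
    negated ('!') matches and protocol-less catch-all rules need manual review.
    """
    hits = []
    for line in rules_text.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) < 2 or tok[0] != "-A":
            continue  # table header, chain policy, COMMIT or comment line
        # Map each option flag to the token that follows it.
        opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        if opts.get("-j") != "ACCEPT" or opts.get("-p") not in ("tcp", "6"):
            continue
        spec = opts.get("--dport") or opts.get("--dports")
        if spec and covers(spec, port):
            hits.append(line.strip())
    return hits

# Constructed iptables-save excerpt, not taken from the thread.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 123 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,100:200 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1234 -j DROP
COMMIT
"""

if __name__ == "__main__":
    for rule in tcp_accepts_for_port(SAMPLE):
        print("review:", rule)
```
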


