Security Incidents mailing list archives
Re: NTP scan ????
From: Paul Gear <paulgear () bigfoot com>
Date: Thu, 28 Feb 2002 20:40:05 +1000
Russell Fulton wrote:
On Wed, 2002-02-27 at 14:52, Will Aoki wrote:
On Wed, Feb 27, 2002 at 10:43:19AM +1300, Russell Fulton wrote:
(213.237.6.5) at 22:13 GMT-7 on the 20th, but I figured that it must be something other than NTP, since AFAIK NTP only runs over UDP.
Possibly but tcp-123 is reserved for NTP...
Normal practice is to reserve both TCP and UDP for the given port no matter which protocols you reserve.
Another thought that occurred to me was that it was a typo and they meant to scan for 1234 or 12345, both popular trojan ports. This seems unlikely since it would appear that this wasn't a single scan.
Still a possibility, though, and perhaps more likely than my suggestion. It's perfectly conceivable that some script kiddie set up his tool to scan for hosts and accidentally deleted the last 1 or 2 digits.
Perhaps you're seeing something similar: people looking for poor filtering rules.
hmmm... so if you get any RSTs or port unreachables you would know that the original packet went through the firewall. Then you could start probing with more interesting packets. Certainly plausible.
Plausible, but unlikely to cause damage. How many firewall implementations are going to allow use of a port for filtering if the protocol is not specified?
Paul
http://paulgear.webhop.net
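Added example (not part of the original post or thread): a log check for the scan discussed above. It counts TCP SYNs to port 123 per source and lists any that a rule accepted, which would point to a rule matching port 123 without restricting it to UDP. The netfilter-style log lines, the `FW-DROP`/`FW-ACCEPT` log prefixes and all addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in Linux netfilter LOG style; the FW-DROP / FW-ACCEPT
# prefixes are an assumed --log-prefix convention, not something from the thread.
SAMPLE_LOG = """\
Feb 27 22:13:01 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40112 DPT=123 WINDOW=5840 SYN URGP=0
Feb 27 22:13:01 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 LEN=60 TTL=52 PROTO=TCP SPT=40113 DPT=123 WINDOW=5840 SYN URGP=0
Feb 27 22:13:02 gw kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.12 LEN=60 TTL=52 PROTO=TCP SPT=40114 DPT=123 WINDOW=5840 SYN URGP=0
Feb 27 22:13:05 gw kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.20 DST=192.0.2.12 LEN=76 TTL=60 PROTO=UDP SPT=123 DPT=123 LEN=56
Feb 27 22:14:40 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=51000 DPT=123 WINDOW=5840 SYN URGP=0
"""

FIELD = re.compile(r"(\w+)=(\S*)")
ACTION = re.compile(r"\bFW-(DROP|ACCEPT)\b")

def parse(line):
    """Return the fields of one firewall log line, or None if it is not one."""
    action = ACTION.search(line)
    fields = dict(FIELD.findall(line))
    if not action or not {"SRC", "DST", "PROTO", "DPT"} <= fields.keys():
        return None
    return {"action": action.group(1), "src": fields["SRC"], "dst": fields["DST"],
            "proto": fields["PROTO"], "dpt": int(fields["DPT"]),
            "syn": re.search(r"\bSYN\b", line) is not None}

def tcp123_report(log_text, min_targets=2):
    """Per source: distinct hosts sent a TCP SYN to port 123, and which got through."""
    seen = defaultdict(lambda: {"DROP": set(), "ACCEPT": set()})
    for line in log_text.splitlines():
        ev = parse(line)
        # NTP itself is UDP/123, so only TCP SYNs to 123 are of interest here.
        if ev and ev["proto"] == "TCP" and ev["dpt"] == 123 and ev["syn"]:
            seen[ev["src"]][ev["action"]].add(ev["dst"])
    report = {}
    for src, hits in seen.items():
        targets = hits["DROP"] | hits["ACCEPT"]
        report[src] = {
            "targets": len(targets),
            "sweep": len(targets) >= min_targets,    # several hosts: not a one-off
            "passed_filter": sorted(hits["ACCEPT"]),  # rule matched port, not protocol
        }
    return report

if __name__ == "__main__":
    for src, info in tcp123_report(SAMPLE_LOG).items():
        print(src, info)
```

Any destination under `passed_filter` is worth tracing back to the rule that accepted it, since a reply (RST or otherwise) from that host tells the sender the packet crossed the firewall.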