Security Incidents mailing list archives

Re: Spoofed scans


From: Gideon Lenkey <glenkey () infotech-nj com>
Date: Sun, 6 Jan 2002 20:57:49 -0500 (EST)

Richard,

I have noticed an increase in port 53 scanning activity and TCP port 22
as well. In the absence of all other evidence, I suspect that there is
either a new bind exploit in the wild (or a rumor of one) or port 80
vulnerabilities are reaching a lull and the hackers are simply playing
the odds. Bind arguably being the next most common service to exploit.
I'm keeping a very close eye on my HIDS at this point!

As for the spoofed scans, you really can't determine who the scanner
truly is. The scan might not even be directly coming from any of the IPs
you detected. If he's using a spoofing technique like monitoring the TCP
replies of a quiet machine for an increase in relative sequence
numbers (à la hping), he's pretty much untraceable.

--Gideon

On Sun, 6 Jan 2002, Richard Arends wrote:

/* Hello,
/*
/* Last couple of weeks I'm getting more and more spoofed scans on my
/* firewall. All scans are ICMP or port 53 (domain). Mostly 'they' first send
/* a few ICMP packets and then a scan for port 53 trying to do a reverse
/* lookup for my IP.
/*
/* Are there more people seeing this type of scan, and is there a way to subtract
/* the real scanner (IP) from the list of IPs?
/*
/* Greetings,
/*
/* Richard.
/*
/* ----
/* An OS is like swiss cheese, the bigger it is, the more holes you get!
/*
/*
/* ----------------------------------------------------------------------------
/* This list is provided by the SecurityFocus ARIS analyzer service.
/* For more information on this free incident handling, management
/* and tracking system please see: http://aris.securityfocus.com
/*

