Security Incidents mailing list archives

RE: New DNS connection with SYN ACK


From: "Keith T. Morgan" <keith.morgan () terradon com>
Date: Mon, 14 Jan 2002 12:30:23 -0500

Search the archives for this one. We've been over this a few times. Likely someone is using Cisco's content-redirector software. I don't remember the details, but the archives should have several threads regarding this type of activity. Most likely these are not spoofed scans.


-----Original Message-----
From: Cloppert, Michael [mailto:Michael.Cloppert () 53 com]
Sent: Monday, January 14, 2002 10:22 AM
To: 'incidents () securityfocus com'
Subject: RE: New DNS connection with SYN ACK


Could it be that you've been decoy addresses in a portscan?

For instance, hacker (H) wants to attack A.  Hacker finds B and C that are
legit, so hacker sends a portscan from H, B, and C to A.  The effect of this
is that the analyst at A doesn't know which is the real portscanner (or in
this case scanner for port 53).  What B and C see are the responses of the
initial SYN sent to A, since A will be responding to both H, B, and C
thinking that they're legit TCP initiation requests.

HTH.  Anyone else have any ideas?

Mike Cloppert
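The scenario Mike describes leaves a recognisable trace on B and C: SYN/ACK segments arriving for connections that B and C never opened. The script below is an added example for readers of this thread, not code posted by anyone in it. It walks a small constructed connection log (the log format, the 10.0.0.0/24 "local" prefix and all addresses in it are invented for the demo), remembers every SYN sent by a local host, and flags any inbound SYN/ACK that matches no earlier local SYN. It then counts distinct remote sources per remote port, which is the pattern Jerry and Richard reported: many unrelated addresses, all answering from port 53. The check says nothing about who the real scanner is, and, as Keith notes above, unsolicited SYN/ACKs also have benign explanations, so treat a hit as a prompt to look at the history for that source rather than as a verdict.

```python
"""Flag unsolicited SYN/ACK packets (backscatter) in a simple connection log.

Constructed example: the log format below is invented for this demo and is
not any real sensor's output. Each line is
    <epoch> <src_ip>:<src_port> > <dst_ip>:<dst_port> <flags>
with flags written tcpdump-style (S = SYN, S. = SYN/ACK, . = ACK).
"""
from collections import defaultdict

LOCAL_NET = "10.0.0."  # hypothetical monitored network prefix (assumption)

# Constructed sample traffic: one genuine outbound DNS-over-TCP connection that
# is answered normally, then SYN/ACKs from hosts the local network never contacted.
SAMPLE_LOG = """\
1010750000 10.0.0.5:33011 > 10.0.0.53:53 S
1010750000 10.0.0.53:53 > 10.0.0.5:33011 S.
1010750000 10.0.0.5:33011 > 10.0.0.53:53 .
1010750010 198.51.100.7:53 > 10.0.0.9:1024 S.
1010750011 198.51.100.7:53 > 10.0.0.9:1025 S.
1010750012 203.0.113.20:53 > 10.0.0.9:1024 S.
1010750013 192.0.2.77:53 > 10.0.0.9:1026 S.
1010750014 192.0.2.77:80 > 10.0.0.9:1027 S.
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, src, _, dst, flags = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": int(ts), "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port), "flags": flags}


def is_local(ip):
    return ip.startswith(LOCAL_NET)


def find_unsolicited_synacks(log_text):
    """Return SYN/ACKs delivered to local hosts that match no earlier local SYN.

    A SYN/ACK is legitimate only if a local host previously sent a SYN for the
    same four-tuple; anything else is backscatter of some kind.
    """
    seen_syns = set()  # (local_ip, local_port, remote_ip, remote_port)
    unsolicited = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        pkt = parse_line(raw)
        if pkt["flags"] == "S" and is_local(pkt["src_ip"]):
            seen_syns.add((pkt["src_ip"], pkt["src_port"],
                           pkt["dst_ip"], pkt["dst_port"]))
        elif pkt["flags"] == "S." and is_local(pkt["dst_ip"]):
            key = (pkt["dst_ip"], pkt["dst_port"], pkt["src_ip"], pkt["src_port"])
            if key not in seen_syns:
                unsolicited.append(pkt)
    return unsolicited


def summarize_by_remote_port(packets):
    """Count distinct remote sources per remote port.

    Many unrelated sources all answering from one port (53 in this thread) is
    the signature worth escalating; a single source is more likely a stray.
    """
    sources = defaultdict(set)
    for pkt in packets:
        sources[pkt["src_port"]].add(pkt["src_ip"])
    return {port: len(ips) for port, ips in sources.items()}


if __name__ == "__main__":
    hits = find_unsolicited_synacks(SAMPLE_LOG)
    for pkt in hits:
        print(f"unsolicited SYN/ACK {pkt['src_ip']}:{pkt['src_port']} "
              f"-> {pkt['dst_ip']}:{pkt['dst_port']}")
    print(summarize_by_remote_port(hits))
```

On the sample log the genuine connection is ignored and the five remaining SYN/ACKs are reported, three distinct sources on port 53 and one on port 80. Against real data the same logic applies to any flow record that carries TCP flags, provided the sensor sees both directions of traffic; a one-sided tap will report every SYN/ACK as unsolicited.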

-----Original Message-----
From: Richard Arends [mailto:richard () unixguru nl]
Sent: Friday, January 11, 2002 1:47 PM
To: Jerry Perser
Cc: incidents () securityfocus com
Subject: Re: New DNS connection with SYN ACK


On 11 Jan 2002, Jerry Perser wrote:

Here are the 19 ip addresses:

128.121.10.146
128.242.105.34
129.250.244.10
193.148.15.128
194.205.125.26
194.213.64.150
202.139.133.129
203.194.166.182
203.81.45.254
216.220.39.42
216.33.35.214
216.34.68.2
216.35.167.58
62.23.80.2
62.26.119.34
64.14.200.154
64.37.200.46
64.56.174.186
64.78.235.14

I'm getting scans for port 53 from the same ip's !

Greetings,

Richard.

----
An OS is like swiss cheese, the bigger it is, the more holes you get!


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

