Security Incidents mailing list archives

Re: Distributed ICMP/UDP scan or attack?


From: J Jewitt <jjewitt2001 () yahoo com>
Date: Mon, 17 Jun 2002 10:30:57 -0700 (PDT)


   Looks to me like a ping followed by a UDP connect. Ten extra IP addresses were probably inserted as decoys.
   I would assert that only one of those eleven IPs is your scanner.
   I believe that NMAP would look like this, if configured to ping first and use ten decoys. Blocking icmp at your firewall is a good way to mitigate blind scans.

     J Jewitt
 



--- Jason Dixon <jasondixon () myrealbox com> wrote:
Hi all:

Please excuse me if this is a newbie question, I'm not sure how to go about searching for answers on intrusion/scanner patterns and the like.  I noticed this series of scans/connections in my firewall log this morning.  The first thing that came to mind was the Bind 9 vulnerability, but there aren't any exploits available yet, IIRC.

As you can see, there was a series of three icmp queries followed by two unsuccessful DNS connections.  Has anyone seen this?
 

< Jun  15  15:47:31  dc0  208.185.54.14  ->  x.x.x.x  icmp
< Jun  15  15:47:31  dc0  64.15.251.198  ->  x.x.x.x  icmp
< Jun  15  15:47:31  dc0  213.61.6.2  ->  x.x.x.x  icmp
< Jun  15  15:47:31  dc0  207.235.98.194  ->  x.x.x.x  icmp
< Jun  15  15:47:31  dc0  64.0.96.12  ->  x.x.x.x  icmp
< Jun  15  15:47:31  dc0  209.240.77.130  ->  x.x.x.x  icmp
< Jun  15  15:47:31  dc0  65.119.25.162  ->  x.x.x.x  icmp
< Jun  15  15:47:31  dc0  204.176.88.5  ->  x.x.x.x  icmp
< Jun  15  15:47:32  dc0  64.14.117.10  ->  x.x.x.x  icmp
< Jun  15  15:47:32  dc0  212.62.17.145  ->  x.x.x.x  icmp
< Jun  15  15:47:42  dc0  64.15.251.198  ->  x.x.x.x  icmp
< Jun  15  15:47:42  dc0  208.185.54.14  ->  x.x.x.x  icmp
< Jun  15  15:47:42  dc0  213.61.6.2  ->  x.x.x.x  icmp
< Jun  15  15:47:42  dc0  207.235.98.194  ->  x.x.x.x  icmp
< Jun  15  15:47:42  dc0  64.0.96.12  ->  x.x.x.x  icmp
< Jun  15  15:47:42  dc0  209.240.77.130  ->  x.x.x.x  icmp
< Jun  15  15:47:42  dc0  204.176.88.5  ->  x.x.x.x  icmp
< Jun  15  15:47:42  dc0  65.119.25.162  ->  x.x.x.x  icmp
< Jun  15  15:47:43  dc0  64.14.117.10  ->  x.x.x.x  icmp
< Jun  15  15:47:43  dc0  212.62.17.145  ->  x.x.x.x  icmp
< Jun  15  15:47:52  dc0  208.185.54.14  ->  x.x.x.x  icmp
< Jun  15  15:47:52  dc0  64.15.251.198  ->  x.x.x.x  icmp
< Jun  15  15:47:52  dc0  213.61.6.2  ->  x.x.x.x  icmp
< Jun  15  15:47:52  dc0  207.235.98.194  ->  x.x.x.x  icmp
< Jun  15  15:47:52  dc0  64.0.96.12  ->  x.x.x.x  icmp
< Jun  15  15:47:52  dc0  209.240.77.130  ->  x.x.x.x  icmp
< Jun  15  15:47:52  dc0  65.119.25.162  ->  x.x.x.x  icmp
< Jun  15  15:47:52  dc0  204.176.88.5  ->  x.x.x.x  icmp
< Jun  15  15:47:52  dc0  64.14.117.10  ->  x.x.x.x  icmp
< Jun  15  15:47:53  dc0  212.62.17.145  ->  x.x.x.x  icmp
< Jun  15  15:48:01  dc0  208.185.54.14,1687  ->  x.x.x.x,53  udp
< Jun  15  15:48:01  dc0  64.15.251.198,32865  ->  x.x.x.x,53  udp
< Jun  15  15:48:01  dc0  213.61.6.2,17613  ->  x.x.x.x,53  udp
< Jun  15  15:48:01  dc0  207.235.98.194,54613  ->  x.x.x.x,53  udp
< Jun  15  15:48:01  dc0  64.0.96.12,50831  ->  x.x.x.x,53  udp
< Jun  15  15:48:02  dc0  209.240.77.130,39805  ->  x.x.x.x,53  udp
< Jun  15  15:48:02  dc0  65.119.25.162,3058  ->  x.x.x.x,53  udp
< Jun  15  15:48:02  dc0  204.176.88.5,8329  ->  x.x.x.x,53  udp
< Jun  15  15:48:02  dc0  64.14.117.10,4502  ->  x.x.x.x,53  udp
< Jun  15  15:48:02  dc0  212.62.17.145,54557  ->  x.x.x.x,53  udp
< Jun  15  15:48:11  dc0  64.15.251.198,32865  ->  x.x.x.x,53  udp
< Jun  15  15:48:11  dc0  208.185.54.14,1687  ->  x.x.x.x,53  udp
< Jun  15  15:48:11  dc0  213.61.6.2,17613  ->  x.x.x.x,53  udp
< Jun  15  15:48:11  dc0  207.235.98.194,54613  ->  x.x.x.x,53  udp
< Jun  15  15:48:11  dc0  64.0.96.12,50831  ->  x.x.x.x,53  udp
< Jun  15  15:48:11  dc0  209.240.77.130,39805  ->  x.x.x.x,53  udp
< Jun  15  15:48:11  dc0  65.119.25.162,3058  ->  x.x.x.x,53  udp
< Jun  15  15:48:11  dc0  204.176.88.5,8329  ->  x.x.x.x,53  udp
< Jun  15  15:48:12  dc0  64.14.117.10,4502  ->  x.x.x.x,53  udp
< Jun  15  15:48:12  dc0  212.62.17.145,54557  ->  x.x.x.x,53  udp

-- 
Jason Dixon
RHCE



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS
analyzer service.
For more information on this free incident handling,
management 
and tracking system please see:
http://aris.securityfocus.com




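The pattern the reply describes (one ICMP sweep from a set of addresses, then a UDP probe to the same host and port from the identical set, of which at most one address is the real scanner) is something a firewall-log review can pick out mechanically. The following is an added detection example, not code from either poster: it parses lines in the layout of the log quoted above (the year is assumed, since the log carries none), groups them into bursts per destination/protocol/port, flags bursts with several distinct sources, and then pairs an ICMP burst with a later probe burst from the same source set. The `SAMPLE_LOG` is constructed from a few of the addresses in the post plus one made-up lone query (`10.0.0.5`) that must not be flagged.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of the firewall log quoted in the thread.
# Addresses are the ones from the post; the year is assumed (the log has none).
# The final 10.0.0.5 line is a made-up single query that should NOT be flagged.
SAMPLE_LOG = """\
Jun 15 15:47:31 dc0 208.185.54.14 -> x.x.x.x icmp
Jun 15 15:47:31 dc0 64.15.251.198 -> x.x.x.x icmp
Jun 15 15:47:31 dc0 213.61.6.2 -> x.x.x.x icmp
Jun 15 15:47:32 dc0 64.14.117.10 -> x.x.x.x icmp
Jun 15 15:48:01 dc0 208.185.54.14,1687 -> x.x.x.x,53 udp
Jun 15 15:48:01 dc0 64.15.251.198,32865 -> x.x.x.x,53 udp
Jun 15 15:48:01 dc0 213.61.6.2,17613 -> x.x.x.x,53 udp
Jun 15 15:48:02 dc0 64.14.117.10,4502 -> x.x.x.x,53 udp
Jun 15 16:10:00 dc0 10.0.0.5,40000 -> x.x.x.x,53 udp
"""

# 'Mon DD HH:MM:SS iface src[,port] -> dst[,port] proto', optional leading '<' quote mark
LINE_RE = re.compile(
    r'^\s*<?\s*(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+'
    r'(?P<iface>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<proto>[a-z]+)\s*$')


def parse_line(line, year=2002):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src_ip, _, src_port = m['src'].partition(',')
    dst_ip, _, dst_port = m['dst'].partition(',')
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {year}",
                           "%b %d %H:%M:%S %Y")
    return {'ts': ts, 'iface': m['iface'], 'src': src_ip, 'sport': src_port or None,
            'dst': dst_ip, 'dport': dst_port or None, 'proto': m['proto']}


def parse_log(text, year=2002):
    events = [parse_line(line, year) for line in text.splitlines()]
    return [e for e in events if e is not None]


def find_bursts(events, window=timedelta(seconds=2), min_sources=3):
    """Group events by (dst, proto, dport) and split each group into bursts of
    events no more than `window` apart. A burst with >= min_sources distinct
    source IPs is the decoy-scan signature: one scanner padded with decoys."""
    groups = defaultdict(list)
    for e in events:
        groups[(e['dst'], e['proto'], e['dport'])].append(e)

    bursts = []

    def flush(key, run):
        sources = frozenset(e['src'] for e in run)
        if len(sources) >= min_sources:
            dst, proto, dport = key
            bursts.append({'dst': dst, 'proto': proto, 'dport': dport,
                           'start': run[0]['ts'], 'end': run[-1]['ts'],
                           'sources': sources})

    for key, evs in groups.items():
        evs.sort(key=lambda e: e['ts'])
        run = [evs[0]]
        for e in evs[1:]:
            if e['ts'] - run[-1]['ts'] <= window:
                run.append(e)
            else:
                flush(key, run)
                run = [e]
        flush(key, run)
    return bursts


def correlate_decoy_scan(bursts, max_gap=timedelta(seconds=60)):
    """Pair an ICMP burst with a later non-ICMP burst to the same host from the
    identical source set: 'ping first, then probe the port' using one decoy list."""
    findings = []
    pings = [b for b in bursts if b['proto'] == 'icmp']
    probes = [b for b in bursts if b['proto'] != 'icmp']
    for p in pings:
        for q in probes:
            gap = q['start'] - p['end']
            if (p['dst'] == q['dst'] and p['sources'] == q['sources']
                    and timedelta(0) <= gap <= max_gap):
                findings.append({
                    'dst': q['dst'], 'proto': q['proto'], 'dport': q['dport'],
                    'sources': sorted(q['sources']),
                    'gap_seconds': gap.total_seconds(),
                    'note': (f"{len(q['sources'])} addresses pinged {q['dst']}, then hit "
                             f"{q['proto']}/{q['dport']} {gap.total_seconds():.0f}s later; "
                             "with decoys, at most one of them is the real scanner")})
    return findings


def analyze(text, year=2002):
    """Full pipeline: raw log text -> list of ping-then-probe decoy findings."""
    return correlate_decoy_scan(find_bursts(parse_log(text, year)))


if __name__ == '__main__':
    for f in analyze(SAMPLE_LOG):
        print(f['note'])
        for ip in f['sources']:
            print('   ', ip)
```

The burst window and source threshold are tunable; the 2-second window matches the tight timing in the quoted log, where each round of ten probes lands within the same second or two. Because the real scanner and the decoys are indistinguishable in the log, the finding deliberately reports the whole source set rather than naming a culprit.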
