Snort mailing list archives

Strange scan


From: Michael Schwartzkopff <misch () mail multinet de>
Date: Mon, 21 Jan 2002 13:30:41 +0100

Hi,

I have been getting some strange scans for some weeks now. The scans would not stop so I 
decided to investigate it further and set up some tcpdump. Please see the 
file attached. Can someone please help me to explain the aim of this scan?
There are some strange things in this scan:

1) The scan originates from a private IP address, but it is a TCP SYN scan. So 
the scanner wants an answer, but this should be difficult using a private 
source address on the Internet.

2) When he wants to get the answer he should be located somewhere close to 
our net to catch the answer of our system. But the TTL of 241 tells me that he 
is most probably 14 hops (255 - 241) away. That seems to be far for an answer 
to a private IP address.

3) Can somebody explain what OS is running with those characteristics?

Thanks for any help.


-- 
Dr. Michael Schwartzkopff
Multinet GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 50
Fax: (+49 89) 456 911 21

Attachment: 192.168.50.36.txt
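
The two checks made in the message above (a SYN arriving from an RFC 1918 source, and hop distance inferred from the TTL), as an added example that is not part of the original post or its attachment. The one-line packet format, the destination 203.0.113.10, and the set of candidate initial TTLs (64, 128, 255) are assumptions made for illustration.

```python
import ipaddress
import re

# Assumed common initial TTLs; the post assumes 255 for the observed TTL of 241.
INITIAL_TTLS = (64, 128, 255)

# RFC 1918 private ranges: replies to these cannot be routed across the Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed, simplified packet summaries (NOT the capture attached to the post).
SAMPLE = """\
192.168.50.36.4321 > 203.0.113.10.80: S ttl 241
192.168.50.36.4322 > 203.0.113.10.22: S ttl 241
198.51.100.7.51000 > 203.0.113.10.443: S ttl 52
192.168.50.36.4323 > 203.0.113.10.25: A ttl 241
"""

LINE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\S+) ttl (\d+)$")

def estimate_hops(ttl):
    """Return (assumed initial TTL, hops), using the nearest initial TTL >= ttl."""
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return initial, initial - ttl

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def find_private_syns(text):
    """Flag pure SYNs whose source is private; these were spoofed or leaked upstream."""
    findings = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        src, _sport, dst, dport, flags, ttl = m.groups()
        if flags != "S" or not is_rfc1918(src) or int(ttl) > 255:
            continue
        initial, hops = estimate_hops(int(ttl))
        findings.append({"src": src, "dst": dst, "dport": int(dport),
                         "ttl": int(ttl), "initial_ttl": initial, "hops": hops})
    return findings

if __name__ == "__main__":
    for f in find_private_syns(SAMPLE):
        print(f)
```

The hop figure is only as good as the initial-TTL guess, and a sender that forges the source address can set the TTL to any value as well.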