Snort mailing list archives
Re: 17203 portscan alerts in 23 hours from same IP
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 10 Jul 2002 17:52:33 -0400
That is a bit on the strange side, I guess another possibility is that someone (not very bright) is attempting to syn-flood DOS citibank.com and is spoofing your IP as a source. A large site like citibank likely has some form of synflood protection, and they could just be spewing resets out to the ip's generating the syn's (even if they are forged).
I'm also pretty skeptical of any ill intent of the packets arriving at your network since they have the reset and fin bits set. You can't do any kind of useful portscan that way (one or two of them might be useful in an OS fingerprint, but not floods of them), it's not a good way to do an exploit, and they don't look right for any kind of ISN guessing DoS attack either since all the ack fields are invalid.
At one point in time I had some IPs that were part of a class A network that "hax0rs" would spoof when flooding people and I'd get floods of ICMP source quench messages. I didn't log floods of resets at the time, but it wouldn't surprise me if they came in.
In any event you'd have to be pretty important to believe that anyone who has control of citibank's main webserver would use it to attack your network. Unless the data contained on your network has a potential value measured in the billions of dollars they've already got a much more interesting target in the palm of their hands. Hacking into citibank's webserver and using it to attack the network of the National Center for Education in Maternal and Child Health strikes me as a bit like stealing an destroyer from the Navy and using it to knock over a lemonade stand.
I might consider running a tcpdump from your snort box and see if you're originating any traffic or if it's just a pile of resets coming in:
tcpdump -i <appropriate interface name> host 192.193.195.132If it's just a pile of resets coming in, I'd blow it off as side effects of some other bozo attacking citibank and forging your IPs as the source. And no, you're not going to be able to track who the other bozo is, citibank might be able to with a lot of effort and help from other ISPs but nobody is going to care enough to go to that kind of effort since it's not heavy enough to cause problems.
Welcome to the internet, where 500 attacks/probes per day per IP is not an unrealistic figure.
At 05:06 PM 7/10/2002 -0400, Jon Quiros wrote:
Thanks for the reply. It started up again at 2:30 and continues, now scanning lower ports (i've got about 19,000 events now). The user of this computer has been away from her desk since about 11am this morning so I'm really doubting it's her end that's triggering it. No adware, no open web browser.here's another snippet of the portscan log: ==Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1544 INVALIDACK ***A*R*F Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1545 INVALIDACK ***A*R*F Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1484 INVALIDACK ***A*R*F Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1485 INVALIDACK ***A*R*F Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1493 INVALIDACK ***A*R*F Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1489 INVALIDACK ***A*R*F Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1498 INVALIDACK ***A*R*F Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1504 INVALIDACK ***A*R*F Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1502 INVALIDACK ***A*R*F Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1514 INVALIDACK ***A*R*F Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1507 INVALIDACK ***A*R*F Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1517 INVALIDACK ***A*R*F Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1523 INVALIDACK ***A*R*F Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1524 INVALIDACK ***A*R*F Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1527 INVALIDACK ***A*R*F Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1526 INVALIDACK ***A*R*F Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1531 INVALIDACK ***A*R*F Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1530 INVALIDACK ***A*R*F Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1532 INVALIDACK ***A*R*F Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1533 INVALIDACK ***A*R*F Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1538 INVALIDACK ***A*R*F Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1539 INVALIDACK ***A*R*F Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1544 INVALIDACK ***A*R*F Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1540 INVALIDACK ***A*R*F Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1545 INVALIDACK ***A*R*F Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1485 INVALIDACK ***A*R*F Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1484 INVALIDACK ***A*R*F Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1489 INVALIDACK ***A*R*F Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1493 INVALIDACK ***A*R*F Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1498 INVALIDACK ***A*R*F Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1502 INVALIDACK ***A*R*F Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1504 INVALIDACK ***A*R*F Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1507 INVALIDACK ***A*R*F Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1514 INVALIDACK ***A*R*F Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1517 INVALIDACK ***A*R*F Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1523 INVALIDACK ***A*R*F Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1524 INVALIDACK ***A*R*F Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1527 INVALIDACK ***A*R*F Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1526 INVALIDACK ***A*R*F Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1531 INVALIDACK ***A*R*F Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1530 INVALIDACK ***A*R*F=== Jon QuirĂ³s Network/Systems Administrator National Center for Education in Maternal and Child Health Georgetown University 2000 15th St N, Suite 701 Arlington, Va 22201 Ph: (703)524-7802 Fax: (703)524-9335On Wednesday, July 10, 2002 4:37 PM, Matt Kettler <mkettler () evi-inc com> wrote:>Perhaps the citibank webpage has a gif-image which reloads at regular >intervals? In that case all she'd need to do is leave the browser open, and >those kinds of reloading images are pretty common. > >It strikes me as highly absurd to consider reset/fin packets coming from >port 80 on a valid webserver to be a portscan of any sort. Sure webservers >get knocked over and used to attack others sometimes, but very rarely do >those scans originate from port 80 (since they'd have to shut the webserver >down) and rarely do they consist of ARF ("close connection and stop talking >to me, don't even acknowledge the close") type packets at regular intervals >to normal client ports. ARF isn't exactly a very useful combination of >flags for portscanning AFAIK. > > >I think the appropriate question to ask here is "why was my user's machine >trying to contact citibank's website so frequently" rather than "why was >citibank scanning me", and I think the answer is that someone had a couple >of pages with self-refreshing images open and left the browser >running. > > >At 02:54 PM 7/10/2002 -0400, Jon Quiros wrote: >>someone that replied off-list wrote this: >> >>"Looks to me like your source and dest IPs are showing up backwards. It is >>not a scan, but merely the random source port 1024 incrementing with each >>connection. Your end user must be doing a lot of on-line banking with >>Citibank I would say." >> >>This would make perfect sense to me, except i can't envision her staying >>over night doing online banking stuff, or any program running in the >>bkgrnd following the same pattern over and over again >> >>Jon Q > > > >------------------------------------------------------- >This sf.net email is sponsored by:ThinkGeek >Two, two, TWO treats in one. >http://thinkgeek.com/sf >_______________________________________________ >Snort-users mailing list >Snort-users () lists sourceforge net >Go to this URL to change user options or unsubscribe: >https://lists.sourceforge.net/lists/listinfo/snort-users >Snort-users list archive: >http://www.geocrawler.com/redir-sf.php3?list=snort-users >
------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Two, two, TWO treats in one. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- 17203 portscan alerts in 23 hours from same IP Jon Quiros (Jul 10)
- RE: 17203 portscan alerts in 23 hours from same IP Ashley Thomas (Jul 10)
- Re: 17203 portscan alerts in 23 hours from same IP Jeff Taylor (Jul 10)
- <Possible follow-ups>
- Re: 17203 portscan alerts in 23 hours from same IP Jon Quiros (Jul 10)
- Re: 17203 portscan alerts in 23 hours from same IP Matt Kettler (Jul 10)
- Re: 17203 portscan alerts in 23 hours from same IP Jon Quiros (Jul 10)
- Re: 17203 portscan alerts in 23 hours from same IP Matt Kettler (Jul 10)
- Re: 17203 portscan alerts in 23 hours from same IP Jon Quiros (Jul 10)
- RE: 17203 portscan alerts in 23 hours from same IP Ashley Thomas (Jul 10)