Re: 17203 portscan alerts in 23 hours from same IP

[Jon Quiros <sysadmin () ncemch org>]

Hey Matt,

Your points are well taken, and thanks for a very complete response!
it's all part of an edumacation.

you're right, i don't think it likely that someone is targetting us, but i do like to know what is happening, esp since 
i've never seen a run of the mill scan last this long, and only to 1 host, unless someone is really targetting you... 
this is why we ask people like yourself.

after thinking about it quite awhile i decided that 18,000 or so events from 1 host (namely, a webserver or proxy at a 
farily large financial institution) digging for 30 or so odd hours (and counting).  it seemed a bit odd to me 
especially given the reasons you present.  us?  why?

I agree in having common sense about general security issues (how far do we go given the value what we have has to 
others, etc), but still, oddity instills curiosity in me at times.  even at a lemonade stand :-)

alright i think i'm way off topic now so i'll stop.
activity stopped at about 5pm after starting again at 2pm with lower port numbers, but i'll run a sniffer tonight in 
case it starts again...

...hmmm.... que diablos es el internet?

(we got pink lemonade, but we got iced tea, too! mchdata.net, brightfutures.org, mchoralhealth.org, and ncemch.org)


On Wednesday, July 10, 2002 5:52 PM, Matt Kettler <mkettler () evi-inc com> wrote:
> That is a bit on the strange side, I guess another possibility is that 
> someone (not very bright) is attempting to syn-flood DOS citibank.com and 
> is spoofing your IP as a source. A large site like citibank likely has some 
> form of synflood protection, and they could just be spewing resets out to 
> the ip's generating the syn's (even if they are forged).
>
> I'm also pretty skeptical of any ill intent of the packets arriving at your 
> network since they have the reset and fin bits set. You can't do any kind 
> of useful portscan that way (one or two of them might be useful in an OS 
> fingerprint, but not floods of them), it's not a good way to do an exploit, 
> and they don't look right for any kind of ISN guessing DoS attack either 
> since all the ack fields are invalid.
>
> At one point in time I had some IPs that were part of a class A network 
> that "hax0rs" would spoof when flooding people and I'd get floods of ICMP 
> source quench messages. I didn't log floods of resets at the time, but it 
> wouldn't surprise me if they came in.
>
> In any event you'd have to be pretty important to believe that anyone who 
> has control of citibank's main webserver would use it to attack your 
> network. Unless the data contained on your network has a potential value 
> measured in the billions of dollars they've already got a much more 
> interesting target in the palm of their hands. Hacking into citibank's 
> webserver and using it to attack the network of the National Center for 
> Education in Maternal and Child Health strikes me as a bit like stealing an 
> destroyer from the Navy and using it to knock over a lemonade
> stand.
>
> I might consider running a tcpdump from your snort box and see if you're 
> originating any traffic or if it's just a pile of resets coming
> in:
>
> tcpdump -i <appropriate interface name> host 192.193.195.132
>
> If it's just a pile of resets coming in, I'd blow it off as side effects of 
> some other bozo attacking citibank and forging your IPs as the source. And 
> no, you're not going to be able to track who the other bozo is, citibank 
> might be able to with a lot of effort and help from other ISPs but nobody 
> is going to care enough to go to that kind of effort since it's not heavy 
> enough to cause problems.
>
> Welcome to the internet, where 500 attacks/probes per day per IP is not an 
> unrealistic figure.
>
>
> At 05:06 PM 7/10/2002 -0400, Jon Quiros wrote:
> > Thanks for the reply.  It started up again at 2:30 and continues, now 
> > scanning lower ports (i've got about 19,000 events now).
> > The user of this computer has been away from her desk since about 11am 
> > this morning so I'm really doubting it's her end that's triggering it.  No 
> > adware, no open web browser.
> >
> > here's another snippet of the portscan log:
> > ==
> > Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1544 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1545 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1484 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1485 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1493 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1489 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1498 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1504 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1502 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1514 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1507 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1517 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1523 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1524 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1527 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1526 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1531 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:08:50 192.193.195.132:80 -> one.of.my.users:1530 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1532 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1533 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1538 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1539 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1544 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1540 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1545 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1485 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1484 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1489 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1493 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1498 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1502 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1504 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1507 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1514 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1517 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1523 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1524 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1527 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1526 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1531 INVALIDACK 
> > ***A*R*F
> > Jul 10 16:10:46 192.193.195.132:80 -> one.of.my.users:1530 INVALIDACK 
> > ***A*R*F
> > ===
> >
> > Jon Quirós
> > Network/Systems Administrator
> > National Center for Education in Maternal and Child Health
> > Georgetown University
> > 2000 15th St N, Suite 701
> > Arlington, Va 22201
> > Ph:  (703)524-7802
> > Fax: (703)524-9335
> >
> >
> > On Wednesday, July 10, 2002 4:37 PM, Matt Kettler <mkettler () evi-inc com> 
> > wrote:
> > > Perhaps the citibank webpage has a gif-image which reloads at regular
> > > intervals? In that case all she'd need to do is leave the browser open, and
> > > those kinds of reloading images are pretty common.
> > >
> > > It strikes me as highly absurd to consider reset/fin packets coming from
> > > port 80 on a valid webserver to be a portscan of any sort. Sure webservers
> > > get knocked over and used to attack others sometimes, but very rarely do
> > > those scans originate from port 80 (since they'd have to shut the webserver
> > > down) and rarely do they consist of ARF ("close connection and stop talking
> > > to me, don't even acknowledge the close") type packets at regular intervals
> > > to normal client ports. ARF isn't exactly a very useful combination of
> > > flags for portscanning AFAIK.
> > >
> > >
> > > I think the appropriate question to ask here is "why was my user's machine
> > > trying to contact citibank's website so frequently" rather than "why was
> > > citibank scanning me", and I think the answer is that someone had a couple
> > > of pages with self-refreshing images open and left the browser
> > > running.
> > >
> > >
> > > At 02:54 PM 7/10/2002 -0400, Jon Quiros wrote:
> > > > someone that replied off-list wrote this:
> > > >
> > > > "Looks to me like your source and dest IPs are showing up backwards. It is
> > > > not a scan, but merely the random source port 1024 incrementing with each
> > > > connection. Your end user must be doing a lot of on-line banking with
> > > > Citibank I would say."
> > > >
> > > > This would make perfect sense to me, except i can't envision her staying
> > > > over night doing online banking stuff, or any program running in the
> > > > bkgrnd following the same pattern over and over again
> > > >
> > > > Jon Q
> > >
> > >
> > >
> > > -------------------------------------------------------
> > > This sf.net email is sponsored by:ThinkGeek
> > > Two, two, TWO treats in one.
> > > http://thinkgeek.com/sf
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Two, two, TWO treats in one.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users