Over the last week I have detected an increasing number of machines probing random addresses in our address space on udp port 53. Here are some counts from this month's logs:

12th 1
15th 8
20th 19
25th 42
29th 85

Most of these machines are sending udp named version probes. Here is a sample from the snort logs for one machine today:

Apr 30 09:00:00 takahe snort[12098]: IDS278 - SCAN -named Version probe: 212.71.160.163:61807 -> 130.216.144.143:53
Apr 30 09:20:10 takahe snort[12098]: IDS278 - SCAN -named Version probe: 212.71.160.163:61213 -> 130.216.151.175:53
Apr 30 09:43:34 takahe snort[12098]: IDS278 - SCAN -named Version probe: 212.71.160.163:61017 -> 130.216.147.2:53
Apr 30 10:03:17 takahe snort[12098]: IDS278 - SCAN -named Version probe: 212.71.160.163:64813 -> 130.216.104.217:53
Apr 30 10:48:45 takahe snort[12098]: IDS278 - SCAN -named Version probe: 212.71.160.163:62319 -> 130.216.171.88:53

These rates are similar to what we see for windows trojans probing for open shares. I have tried telnetting to about a dozen of these addresses and most give 'connection refused' -- odd, if they are UNIX systems. The one or two that did respond were running Linux.

I am now seeing these slow random probes for (proto_port-number of sources) udp_137-153, udp_53-85, tcp_111-6, tcp_515-6 and (tcp_139, 12345 and 27374 - 8). Counts from yesterday's logs.

This method of scanning is becoming increasingly popular because the perceived scan rate is well below most people's detection thresholds. In our /16 address space we typically see about 10-30 packets per day from these machines (less if the machine is turned off regularly). Most of the udp scans only probe within their own /8 address space if the distribution of source addresses is anything to go by, i.e. most of the udp-137 source addresses are in the same /8 as us.

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
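The fan-out counting that catches these slow random probes, as an added example (not Russell's code or the university's): it parses snort alert lines in the format quoted above, counts distinct destination hosts per source and destination port, and summarises in his "port - number of sources" form. The constructed sample reuses the five quoted alerts plus made-up sources in documentation address space and a made-up signature string for udp/137.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<date>\w{3} +\d{1,2}) (?P<time>[\d:]{8}) \S+ snort\[\d+\]: "
    r"(?P<sig>.+?): (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alert(line):
    """Return the fields of one snort alert line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def slow_scanners(lines, min_targets=3):
    """(src, dport) -> distinct destination hosts probed, keeping only sources that
    touched at least min_targets hosts: the rate is tiny but the fan-out is not."""
    targets = defaultdict(set)
    for line in lines:
        a = parse_alert(line)
        if a:
            targets[(a["src"], a["dport"])].add(a["dst"])
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}

def sources_per_port(lines, min_targets=3):
    """Summary in the post's 'port - number of sources' form: dport -> source count."""
    per_port = defaultdict(set)
    for src, dport in slow_scanners(lines, min_targets):
        per_port[dport].add(src)
    return {p: len(s) for p, s in per_port.items()}

# Constructed sample: the five alerts quoted above, plus made-up sources in
# documentation address space (198.51.100.0/24, 203.0.113.0/24) and a made-up
# signature text for udp/137, so that both functions have something to report.
SAMPLE = """\
Apr 30 09:00:00 takahe snort[12098]: IDS278 - SCAN -named Version probe: 212.71.160.163:61807 -> 130.216.144.143:53
Apr 30 09:20:10 takahe snort[12098]: IDS278 - SCAN -named Version probe: 212.71.160.163:61213 -> 130.216.151.175:53
Apr 30 09:43:34 takahe snort[12098]: IDS278 - SCAN -named Version probe: 212.71.160.163:61017 -> 130.216.147.2:53
Apr 30 10:03:17 takahe snort[12098]: IDS278 - SCAN -named Version probe: 212.71.160.163:64813 -> 130.216.104.217:53
Apr 30 10:48:45 takahe snort[12098]: IDS278 - SCAN -named Version probe: 212.71.160.163:62319 -> 130.216.171.88:53
Apr 30 11:02:51 takahe snort[12098]: IDS278 - SCAN -named Version probe: 198.51.100.7:40001 -> 130.216.10.20:53
Apr 30 12:30:00 takahe snort[12098]: IDS278 - SCAN -named Version probe: 198.51.100.7:40002 -> 130.216.10.21:53
Apr 30 12:31:00 takahe snort[12098]: IDS278 - SCAN -named Version probe: 198.51.100.7:40003 -> 130.216.10.22:53
Apr 30 13:00:00 takahe snort[12098]: IDS278 - SCAN -named Version probe: 203.0.113.9:5000 -> 130.216.1.1:53
Apr 30 14:00:00 takahe snort[12098]: CONSTRUCTED - SCAN netbios name probe: 203.0.113.44:137 -> 130.216.2.2:137
Apr 30 16:10:00 takahe snort[12098]: CONSTRUCTED - SCAN netbios name probe: 203.0.113.44:137 -> 130.216.77.9:137
Apr 30 19:45:00 takahe snort[12098]: CONSTRUCTED - SCAN netbios name probe: 203.0.113.44:137 -> 130.216.200.31:137
""".splitlines()
```

Run over a full day of alerts, slow_scanners(lines) lists every source that fanned out across the /16 regardless of how few packets it sent, and sources_per_port(lines) gives the per-port source counts in the form used above.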
This archive was generated by hypermail 2b30 : Mon Apr 30 2001 - 09:27:19 PDT