RE: CRv2 multiple scans from same source IP

From: Gareth Hastings (ghastingsat_private)
Date: Mon Aug 06 2001 - 02:29:00 PDT

Next message: Curt Purdy: "RE: CR vs. CoreBuilder"

Previous message: Bryan Andersen: "Re: CR vs. CoreBuilder"
In reply to: Chris Freeze: "Re: CRv2 multiple scans from same source IP"
Next in thread: Paul Gear: "Re: CRv2 multiple scans from same source IP"
Next in thread: Valdis.Kletnieksat_private: "Re: CRv2 multiple scans from same source IP"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

CR II has fixed the IP scanning problem, that CR I had, it goes something
like this.

50% chance it will scan an IP in the same Class A network as itself
37.5% chance it will scan an IP in the same Class B network as itself
12.5% chance it will scan a random IP

in the last few days I've been racking up IDA attempts on my server. I've
currently had 443 attempts from 106 different hosts. Some hosts having hit
my machine as many as 24 times in only a few days.

Bored as I was, I thought I'd see how long it took my machine to scan its
own Class B network, I only did a ping scan using Nmap

# nmap -sP -n xx.xx.0.0/16 > my_class_b.log

and do you know how long that took ? Only 40 minutes. I'm not sure the Rate
that nmap scans at but I know CRv2 has a 10 second timeout on its connects.
So it can't really be that long before it comes around to your IP again.

-----Original Message-----
From: Chris Freeze [mailto:cfreezeat_private]
Sent: 05 August 2001 22:58
To: John Davidson
Cc: incidentsat_private
Subject: Re: CRv2 multiple scans from same source IP

On Sun, 5 Aug 2001, John Davidson wrote:

> My W2k IIS logs show 3 CRv2 scans from the same source IP within the same
> minute.

Here everytime I get scanned, my Apache logs are showing a double hit.
Snort is also logging the two back-to-back attempts.  Another weird bit is
that some hosts are hitting me again as quickly as 45 minutes. I wonder if
some people are running injectors(c).  I've also noticed that I'm getting
hit by different hosts about every 2 mintutes.  I wonder if we have hit a
saturation point. Anyone thought about the total time for this to have
statistically scanned the entire IP address space?  Someone out there has
to be a statistician..

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Curt Purdy: "RE: CR vs. CoreBuilder"
Previous message: Bryan Andersen: "Re: CR vs. CoreBuilder"
In reply to: Chris Freeze: "Re: CRv2 multiple scans from same source IP"
Next in thread: Paul Gear: "Re: CRv2 multiple scans from same source IP"
Next in thread: Valdis.Kletnieksat_private: "Re: CRv2 multiple scans from same source IP"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 11:07:47 PDT