CR II has fixed the IP scanning problem that CR I had. It goes something like this:

50% chance it will scan an IP in the same Class A network as itself
37.5% chance it will scan an IP in the same Class B network as itself
12.5% chance it will scan a random IP

In the last few days I've been racking up IDA attempts on my server. I've currently had 443 attempts from 106 different hosts, some hosts having hit my machine as many as 24 times in only a few days.

Bored as I was, I thought I'd see how long it took my machine to scan its own Class B network. I only did a ping scan using Nmap:

    # nmap -sP -n xx.xx.0.0/16 > my_class_b.log

And do you know how long that took? Only 40 minutes. I'm not sure of the rate that nmap scans at, but I know CRv2 has a 10 second timeout on its connects. So it can't really be that long before it comes around to your IP again.

-----Original Message-----
From: Chris Freeze [mailto:cfreezeat_private]
Sent: 05 August 2001 22:58
To: John Davidson
Cc: incidentsat_private
Subject: Re: CRv2 multiple scans from same source IP

On Sun, 5 Aug 2001, John Davidson wrote:

> My W2k IIS logs show 3 CRv2 scans from the same source IP within the same
> minute.

Here every time I get scanned, my Apache logs are showing a double hit. Snort is also logging the two back-to-back attempts. Another weird bit is that some hosts are hitting me again as quickly as 45 minutes. I wonder if some people are running injectors(c).

I've also noticed that I'm getting hit by different hosts about every 2 minutes. I wonder if we have hit a saturation point.

Anyone thought about the total time for this to have statistically scanned the entire IP address space? Someone out there has to be a statistician..

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 11:07:47 PDT
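
The 50% / 37.5% / 12.5% target split and the 10-second connect timeout mentioned in the thread can be turned into an estimate of how often one infected host re-probes a given address. This is an added example, not part of the original posts and not the worm's code. It assumes a uniform choice within each range, ignores any addresses the worm skips, and treats the probe rate as a parameter (the 300-thread figure is an assumption, and the 10.x and 172.16.x addresses are constructed).

```python
import random
from fractions import Fraction

# Split quoted in the thread: 50% same Class A, 37.5% same Class B, 12.5% random.
P_SAME_A, P_SAME_B, P_RANDOM = Fraction(1, 2), Fraction(3, 8), Fraction(1, 8)

def octets(ip):
    return tuple(int(part) for part in ip.split("."))

def pick_target(scanner, rng):
    """Simulate one target choice; returns (branch, dotted address)."""
    s, roll = octets(scanner), rng.random()
    rand = [rng.randrange(256) for _ in range(4)]
    if roll < P_SAME_A:
        branch, addr = "same_a", [s[0]] + rand[1:]       # keep first octet
    elif roll < P_SAME_A + P_SAME_B:
        branch, addr = "same_b", list(s[:2]) + rand[2:]  # keep first two octets
    else:
        branch, addr = "random", rand
    return branch, ".".join(map(str, addr))

def per_probe_hit_probability(scanner, target):
    """Exact chance that a single probe from `scanner` lands on `target`."""
    s, t = octets(scanner), octets(target)
    p = P_RANDOM / 2**32              # the fully random branch can hit anything
    if s[0] == t[0]:
        p += P_SAME_A / 2**24         # target shares the scanner's Class A
    if s[:2] == t[:2]:
        p += P_SAME_B / 2**16         # target shares the scanner's Class B
    return p

def expected_seconds_between_hits(scanner, target, probes_per_second):
    """Mean wait between hits on `target` from one scanner (geometric model)."""
    return float(1 / (per_probe_hit_probability(scanner, target) * probes_per_second))

if __name__ == "__main__":
    # ASSUMPTION: 300 scanning threads; worst case where every connect waits
    # out the 10 s timeout mentioned in the thread, i.e. 30 probes per second.
    rate = 300 // 10
    for scanner in ("10.1.2.3", "10.200.0.1", "172.16.0.1"):  # constructed
        secs = expected_seconds_between_hits(scanner, "10.1.9.9", rate)
        print(f"{scanner:>12} -> 10.1.9.9: one hit every {secs / 3600:.1f} h on average")
```

Under these assumptions the figure for a host in the same Class B is a lower bound on re-probe frequency, since connects that complete or are refused return faster than the timeout.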