odd host scans to random addressess

• Previous message: Bruno Treguier: "Re: Flash Worms"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Over the last 24 hours I have seen 3 scans from these 3 IP addresses.
(I assume two are spoofed -- two don't respond to pings and one is
firewalled). Scans consist of single tcp ACKs sent from each source.

Here is a sample of the traffic:

22 Aug 01 08:02:38           tcp   64.94.188.247.50906  ?>    130.216.14.121.221   1        0         0            0           A_
22 Aug 01 08:02:38           tcp   209.191.132.6.50906  ?>    130.216.14.121.221   1        0         0            0           A_
22 Aug 01 08:02:38           tcp  209.191.156.89.50906  ?>    130.216.14.121.221   1        0         0            0           A_
22 Aug 01 08:02:38           tcp   64.94.188.247.50907  ?>    130.216.14.121.221   1        0         0            0           A_
22 Aug 01 08:02:38           tcp   209.191.132.6.50907  ?>    130.216.14.121.221   1        0         0            0           A_
22 Aug 01 08:02:38           tcp  209.191.156.89.50907  ?>    130.216.14.121.221   1        0         0            0           A_
22 Aug 01 08:02:38           tcp   64.94.188.247.50908  ?>    130.216.14.121.221   1        0         0            0           A_
22 Aug 01 08:02:38           tcp   209.191.132.6.50908  ?>    130.216.14.121.221   1        0         0            0           A_
22 Aug 01 08:02:38           tcp  209.191.156.89.50908  ?>    130.216.14.121.221   1        0         0            0           A_
22 Aug 01 08:02:38           tcp   64.94.188.247.50906  ?>    130.216.14.121.179   1        0         0            0           A_
22 Aug 01 08:02:38           tcp   209.191.132.6.50906  ?>    130.216.14.121.179   1        0         0            0           A_
22 Aug 01 08:02:38           tcp  209.191.156.89.50906  ?>    130.216.14.121.179   1        0         0            0           A_
22 Aug 01 08:02:38           tcp   64.94.188.247.50907  ?>    130.216.14.121.179   1        0         0            0           A_
22 Aug 01 08:02:38           tcp   209.191.132.6.50907  ?>    130.216.14.121.179   1        0         0            0           A_
22 Aug 01 08:02:38           tcp  209.191.156.89.50907  ?>    130.216.14.121.179   1        0         0            0           A_
22 Aug 01 08:02:38           tcp   64.94.188.247.50908  ?>    130.216.14.121.179   1        0         0            0           A_
22 Aug 01 08:02:38           tcp   209.191.132.6.50908  ?>    130.216.14.121.179   1        0         0            0           A_
22 Aug 01 08:02:38           tcp  209.191.156.89.50908  ?>    130.216.14.121.179   1        0         0            0           A_
22 Aug 01 08:02:38           tcp   64.94.188.247.50906  ?>    130.216.14.121.253   1        0         0            0           A_
22 Aug 01 08:02:38           tcp   209.191.132.6.50906  ?>    130.216.14.121.253   1        0         0            0           A_
22 Aug 01 08:02:38           tcp  209.191.156.89.50906  ?>    130.216.14.121.253   1        0         0            0           A_

Three different addresses have been scanned in this manner, but the
odd thing is that none of them are actually in use. About 1600 ports
are scanned in just under a minute.

And what do they hope to achieve with ACKs?  Won't the machine respond
with an RST whether or not the port is open?


Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

• Next message: Kevin Reardon: "Re: Flash Worms"
• Previous message: Bruno Treguier: "Re: Flash Worms"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Aug 22 2001 - 10:20:16 PDT