Over the last 24 hours I have seen 3 scans from these 3 IP addresses. (I assume two are spoofed -- two don't respond to pings and one is firewalled). Scans consist of single tcp ACKs sent from each source. Here is a sample of the traffic: 22 Aug 01 08:02:38 tcp 64.94.188.247.50906 ?> 130.216.14.121.221 1 0 0 0 A_ 22 Aug 01 08:02:38 tcp 209.191.132.6.50906 ?> 130.216.14.121.221 1 0 0 0 A_ 22 Aug 01 08:02:38 tcp 209.191.156.89.50906 ?> 130.216.14.121.221 1 0 0 0 A_ 22 Aug 01 08:02:38 tcp 64.94.188.247.50907 ?> 130.216.14.121.221 1 0 0 0 A_ 22 Aug 01 08:02:38 tcp 209.191.132.6.50907 ?> 130.216.14.121.221 1 0 0 0 A_ 22 Aug 01 08:02:38 tcp 209.191.156.89.50907 ?> 130.216.14.121.221 1 0 0 0 A_ 22 Aug 01 08:02:38 tcp 64.94.188.247.50908 ?> 130.216.14.121.221 1 0 0 0 A_ 22 Aug 01 08:02:38 tcp 209.191.132.6.50908 ?> 130.216.14.121.221 1 0 0 0 A_ 22 Aug 01 08:02:38 tcp 209.191.156.89.50908 ?> 130.216.14.121.221 1 0 0 0 A_ 22 Aug 01 08:02:38 tcp 64.94.188.247.50906 ?> 130.216.14.121.179 1 0 0 0 A_ 22 Aug 01 08:02:38 tcp 209.191.132.6.50906 ?> 130.216.14.121.179 1 0 0 0 A_ 22 Aug 01 08:02:38 tcp 209.191.156.89.50906 ?> 130.216.14.121.179 1 0 0 0 A_ 22 Aug 01 08:02:38 tcp 64.94.188.247.50907 ?> 130.216.14.121.179 1 0 0 0 A_ 22 Aug 01 08:02:38 tcp 209.191.132.6.50907 ?> 130.216.14.121.179 1 0 0 0 A_ 22 Aug 01 08:02:38 tcp 209.191.156.89.50907 ?> 130.216.14.121.179 1 0 0 0 A_ 22 Aug 01 08:02:38 tcp 64.94.188.247.50908 ?> 130.216.14.121.179 1 0 0 0 A_ 22 Aug 01 08:02:38 tcp 209.191.132.6.50908 ?> 130.216.14.121.179 1 0 0 0 A_ 22 Aug 01 08:02:38 tcp 209.191.156.89.50908 ?> 130.216.14.121.179 1 0 0 0 A_ 22 Aug 01 08:02:38 tcp 64.94.188.247.50906 ?> 130.216.14.121.253 1 0 0 0 A_ 22 Aug 01 08:02:38 tcp 209.191.132.6.50906 ?> 130.216.14.121.253 1 0 0 0 A_ 22 Aug 01 08:02:38 tcp 209.191.156.89.50906 ?> 130.216.14.121.253 1 0 0 0 A_ Three different addresses have been scanned in this manner, but the odd thing is that none of them are actually in use. About 1600 ports are scanned in just under a minute. And what do they hope to achieve with ACKs? Won't the machine respond with an RST whether or not the port is open? Russell Fulton, Computer and Network Security Officer The University of Auckland, New Zealand ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Aug 22 2001 - 10:20:16 PDT