Richard Smith wrote:

> Can you post a sanitized dump of the scan?

Yes, please. We'd be very interested.

> Are the source ports incrementing by one and scanning port 53?
> This is a common trait of BigIP; it gathers RTT and
> other stats so that it can properly route you to the
> least loaded server via local load-balancing.

The BIG-IP, when used in conjunction with an F5 3-DNS global load balancer, will collect RTT (round trip time) information and some other metrics which are returned to the 3-DNS so it can do *global* load balancing. Once the hostname has been resolved to a virtual server at an appropriate data-center and a connection is opened, the BIG-IP *locally* load balances the connection.

Current (up to a year old) software should be using RTT measurements that are much less detectable (or at least ring fewer alarms). One indicator that the scan is an RTT measurement is that the packets will come in groups of three with the ID field of the packet set to 1, then 2, then 3.

> The only concern I might have is the fact that IRC is
> reported as listening on port 6667.

I'd be VERY concerned. No BIG-IP should have that port open by default. It is possible someone has configured their BIG-IP to pass traffic on that port in to another host, or has created a virtual server on that port for some purpose.

Generally, a BIG-IP or 3-DNS that was doing RTT measurements would also show that something was listening on port 4353, so I'd conclude these are not BIG-IPs (and without port 53, definitely not 3-DNSs). Is it possible the port 6667 indication is coming from something on Seth's network (such as a firewall blocking port 6667) rather than from the remote host?

> It could be a compromised host. BigIP uses a modified version of
> FreeBSD.

BIG-IP uses a custom version of BSDI.

> R/
>
> Richard Smith

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sat Oct 06 2001 - 11:18:25 PDT
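The reply above gives a concrete fingerprint for the 3-DNS/BIG-IP RTT probe: bursts of three packets aimed at port 53 whose IP ID field runs 1, 2, 3, with Richard Smith's extra observation that the source ports step up by one. The following is an added example, not code from the original message or from F5, that applies that heuristic to packet summaries so a responder can separate probable RTT measurements from the rest of a scan. The one-line summary format, the 2-second grouping window, and every address and timestamp in the sample are constructed for the example; they are not taken from Seth's capture.

```python
"""Flag packet groups matching the BIG-IP/3-DNS RTT-probe pattern described in
the message: three packets to port 53 whose IP ID field is 1, 2, 3 in order.
Also reports whether the three source ports were consecutive (Richard Smith's
observation), which is recorded but not required for a match.

The summary line format below is an assumption made for this example:
    <seconds> <src-ip>.<sport> > <dst-ip>.<dport> id <ip-id>
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input (not a real capture). Groups, in order:
#   198.51.100.7  -> ID 1,2,3 to port 53, source ports 1025..1027  (match, consecutive)
#   198.51.100.8  -> ID 1,2,3 to port 53, random source ports       (match, not consecutive)
#   203.0.113.5   -> port 53 but normal increasing IP IDs           (no match)
#   203.0.113.9   -> ID 1,2,3 but to port 6667, not 53              (no match)
SAMPLE_LINES = """\
1000.000 198.51.100.7.1025 > 192.0.2.10.53 id 1
1000.010 198.51.100.7.1026 > 192.0.2.10.53 id 2
1000.020 198.51.100.7.1027 > 192.0.2.10.53 id 3
1000.500 198.51.100.8.40211 > 192.0.2.10.53 id 1
1000.510 198.51.100.8.40799 > 192.0.2.10.53 id 2
1000.520 198.51.100.8.41003 > 192.0.2.10.53 id 3
1001.000 203.0.113.5.5555 > 192.0.2.10.53 id 4000
1001.010 203.0.113.5.5556 > 192.0.2.10.53 id 4001
1001.020 203.0.113.5.5557 > 192.0.2.10.53 id 4002
1002.000 203.0.113.9.6000 > 192.0.2.10.6667 id 1
1002.010 203.0.113.9.6001 > 192.0.2.10.6667 id 2
1002.020 203.0.113.9.6002 > 192.0.2.10.6667 id 3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+)\s+id\s+(?P<ip_id>\d+)$"
)


@dataclass(frozen=True)
class Pkt:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    ip_id: int


def parse_summary(text):
    """Parse summary lines into Pkt records; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(Pkt(float(m["ts"]), m["src"], int(m["sport"]),
                            m["dst"], int(m["dport"]), int(m["ip_id"])))
    return pkts


def find_rtt_probe_groups(packets, window=2.0):
    """Return sorted (src, dst, consecutive_sports) tuples for every source that
    sent an IP-ID 1,2,3 triplet to port 53 within `window` seconds.
    `window` is an arbitrary grouping threshold chosen for this example."""
    by_pair = defaultdict(list)
    for p in packets:
        if p.dport == 53:          # the probe target the reply describes
            by_pair[(p.src, p.dst)].append(p)

    hits = []
    for (src, dst), pkts in by_pair.items():
        pkts.sort(key=lambda p: p.ts)
        for i in range(len(pkts) - 2):
            trio = pkts[i:i + 3]
            ids = [p.ip_id for p in trio]
            if ids == [1, 2, 3] and trio[2].ts - trio[0].ts <= window:
                sports = [p.sport for p in trio]
                consecutive = sports == list(range(sports[0], sports[0] + 3))
                hits.append((src, dst, consecutive))
                break                # one report per source/destination pair
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, consec in find_rtt_probe_groups(parse_summary(SAMPLE_LINES)):
        print(f"{src} -> {dst}: IP-ID 1,2,3 triplet to port 53"
              f"{' (consecutive source ports)' if consec else ''}")
```

The triplet-to-port-53 rule is the indicator the reply gives; the consecutive-source-port flag is only extra evidence, since a scanner stepping through source ports would show the same thing. A host that matches here but also answers on port 6667, as in the report being discussed, still deserves the follow-up the reply recommends rather than being written off as load-balancer noise.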