On Sat, 6 Oct 2001, Pavel Kankovsky wrote:

> The traits of all those sweeps were very similar:
>
> - the source port of all probes was 22
> - all probes within one sweep had the same IP ID (*)
> - lost/filtered probes were not retried
> - the sweeps were pretty fast, hundreds of addresses in few seconds
> - no actual i/o was done
>
> (*) With 1 exception that had a TTL different from other logged probes
> in the sweep as well.

This appears to be the work of the synscan tool. Did the common IP IDs happen to have a value of 39426?

-spaceork

"All the time they were creating
What has destroyed them,
And they fall with the burden
They built."

--------------------------------
spaceorkat_private
http://www.dhp.com/~spaceork

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
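One way to check logged probes for the traits listed in the quoted message, as an added example (not code from either poster or from the synscan tool). The key=value log format, the thresholds and the documentation addresses are assumptions made for the example, and 39426 is only the value the reply asks about, not a confirmed signature.

```python
import re
from collections import Counter, defaultdict

FIELD = re.compile(r"(\w+)=(\S+)")
REPLY_IP_ID = 39426  # value the reply asks about; not confirmed on the page

def parse(line):
    """Parse one constructed key=value log line into a tuple."""
    f = dict(FIELD.findall(line))
    return (float(f["ts"]), f["src"], int(f["spt"]), f["dst"], int(f["dpt"]), int(f["id"]))

def find_sweeps(lines, min_targets=5, min_rate=10.0, max_id_outliers=1):
    """Return sources whose probes match the sweep traits from the quoted post."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse(line)
        by_src[rec[1]].append(rec)
    hits = []
    for src, recs in by_src.items():
        targets = [(r[3], r[4]) for r in recs]
        ids = Counter(r[5] for r in recs)
        top_id, top_n = ids.most_common(1)[0]
        span = max(r[0] for r in recs) - min(r[0] for r in recs)
        rate = len(set(targets)) / max(span, 0.001)      # targets per second
        if (len(set(targets)) >= min_targets             # many addresses
                and all(r[2] == 22 for r in recs)        # source port 22
                and len(recs) - top_n <= max_id_outliers # one shared IP ID (*)
                and len(targets) == len(set(targets))    # nothing retried
                and rate >= min_rate):                   # fast sweep
            hits.append({"src": src, "ip_id": top_id, "targets": len(targets),
                         "matches_reply_id": top_id == REPLY_IP_ID})
    return hits  # "no actual i/o" cannot be judged from probe logs alone

def sample_log():
    """Constructed sample data: one sweep, one varied-ID scan, one normal client."""
    sweep = [f"ts={100 + i * 0.01:.2f} src=192.0.2.10 spt=22 dst=198.51.100.{i + 1} "
             f"dpt=22 id=39426 ttl=44" for i in range(8)]
    # The (*) exception: one probe with a different IP ID and TTL.
    sweep.append("ts=100.08 src=192.0.2.10 spt=22 dst=198.51.100.9 dpt=22 id=1207 ttl=51")
    varied = [f"ts={150 + i * 0.01:.2f} src=203.0.113.7 spt=22 dst=198.51.100.{i + 1} "
              f"dpt=22 id={1000 + i} ttl=50" for i in range(8)]
    client = [f"ts={200 + i:.2f} src=203.0.113.5 spt={40000 + i} dst=198.51.100.1 "
              f"dpt=22 id={500 + i} ttl=60" for i in range(6)]
    return sweep + varied + client

if __name__ == "__main__":
    for hit in find_sweeps(sample_log()):
        print(hit)
```
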
This archive was generated by hypermail 2b30 : Sun Oct 07 2001 - 15:46:54 PDT