Are you sure these are not responses to *outbound* HTTP requests to a malfunctioning load-balancing system? It looks to me like you have two source ports originating connections to some web server farm, and that web server farm is trying to respond from one of its internal IP addresses instead of the external IP address you're connecting to. It's certainly possible this is some kind of obscure attack, but I have seen this behavior before (and multiple times on this mailing list), so I'd look to that as a possible explanation. Maybe you have a web page open that's trying to refresh two banner advertisements once a minute?

David

-----Original Message-----
From: Jon R. Kibler [mailto:Jon.Kiblerat_private]
Sent: Monday, November 05, 2001 5:37 PM
To: incidentsat_private
Subject: Strange "port scans" from a spoofed IP

Earlier today we started noticing a rather strange "port scan" from two different spoofed IP addresses. Both claim to originate from port 80 and have a fixed destination based upon originating IP, as follows:

192.168.19.82 has destination port 11709
192.168.19.81 has destination port 13607

The "scans" repeat every 61 seconds. They have been running non-stop since sometime late yesterday.
Here is an example from snoop of the traffic in question:

150182 15:20:41.94425 192.168.19.82 -> US TCP D=11709 S=80 Ack=924387618 Seq=159745477 Len=1 Win=0
150183 15:20:41.94466 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
150206 15:20:50.21349 192.168.19.81 -> US TCP D=13607 S=80 Ack=915790864 Seq=2217637423 Len=1 Win=0
150207 15:20:50.21390 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
150283 15:21:42.90447 192.168.19.82 -> US TCP D=11709 S=80 Ack=924387618 Seq=159745477 Len=1 Win=0
150284 15:21:42.90488 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
150311 15:21:51.13106 192.168.19.81 -> US TCP D=13607 S=80 Ack=915790864 Seq=2217637423 Len=1 Win=0
150312 15:21:51.13147 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
150395 15:22:44.10400 192.168.19.82 -> US TCP D=11709 S=80 Ack=924387618 Seq=159745477 Len=1 Win=0
150396 15:22:44.10440 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
150404 15:22:52.08212 192.168.19.81 -> US TCP D=13607 S=80 Ack=915790864 Seq=2217637423 Len=1 Win=0
150405 15:22:52.08249 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
150442 15:23:44.87234 192.168.19.82 -> US TCP D=11709 S=80 Ack=924387618 Seq=159745477 Len=1 Win=0
150443 15:23:44.87276 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
150488 15:23:53.03809 192.168.19.81 -> US TCP D=13607 S=80 Ack=915790864 Seq=2217637423 Len=1 Win=0
150489 15:23:53.03850 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
150763 15:24:45.75855 192.168.19.82 -> US TCP D=11709 S=80 Ack=924387618 Seq=159745477 Len=1 Win=0
150764 15:24:45.75894 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
150809 15:24:54.00191 192.168.19.81 -> US TCP D=13607 S=80 Ack=915790864 Seq=2217637423 Len=1 Win=0
150810 15:24:54.00232 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0

Has anyone else seen something similar?
Since this is clearly not a DOS attack, any idea what would be the purpose of such a scan? Thanks for any and all help/comments.

Sincerely,
Jon R. Kibler
Systems Architect
Advanced Systems Engineering Technology, Inc.
Charleston, SC

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
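An added example, not part of either post: a small Python classifier that reads snoop TCP summary lines like the ones Jon pasted and tests for the pattern David describes. The tell-tale signs are that every inbound segment from port 80 carries the identical Seq and Ack numbers (the far end is retransmitting the same 1-byte, zero-window segment, which resembles a TCP window probe, rather than probing different ports), that the local host answers each one with a RST because it has no connection state for that 4-tuple, and that the repeats arrive on a near-constant period. The sample input is a subset of the trace from the thread; the "US" label for the capturing host is snoop's own from that trace, and the verdict strings are this example's assumptions, not terms from the posts.

```python
"""Classify periodic stray TCP segments from snoop(1M) summary output.

Added example for the thread above. The snoop lines below are copied from
Jon's post; the classification rule encodes David's hypothesis (replies to
our own outbound HTTP requests arriving from an address our host never
spoke to, so the host resets each one).
"""
import re
from collections import defaultdict

LOCAL = "US"  # snoop's label for the capturing host in the posted trace

# Sample input: a subset of the snoop output from the thread.
SNOOP_SAMPLE = """\
150182 15:20:41.94425 192.168.19.82 -> US TCP D=11709 S=80 Ack=924387618 Seq=159745477 Len=1 Win=0
150183 15:20:41.94466 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
150206 15:20:50.21349 192.168.19.81 -> US TCP D=13607 S=80 Ack=915790864 Seq=2217637423 Len=1 Win=0
150207 15:20:50.21390 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
150283 15:21:42.90447 192.168.19.82 -> US TCP D=11709 S=80 Ack=924387618 Seq=159745477 Len=1 Win=0
150284 15:21:42.90488 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
150311 15:21:51.13106 192.168.19.81 -> US TCP D=13607 S=80 Ack=915790864 Seq=2217637423 Len=1 Win=0
150312 15:21:51.13147 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
150395 15:22:44.10400 192.168.19.82 -> US TCP D=11709 S=80 Ack=924387618 Seq=159745477 Len=1 Win=0
150396 15:22:44.10440 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
150404 15:22:52.08212 192.168.19.81 -> US TCP D=13607 S=80 Ack=915790864 Seq=2217637423 Len=1 Win=0
150405 15:22:52.08249 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
"""

LINE_RE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<time>\d+:\d+:\d+\.\d+)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+TCP\s+D=(?P<dport>\d+)\s+S=(?P<sport>\d+)\s*(?P<rest>.*)$"
)


def _seconds(hms):
    """Convert snoop's HH:MM:SS.ffff timestamp to seconds since midnight."""
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_snoop_line(line):
    """Parse one snoop TCP summary line into a dict; None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m["rest"].split():
        if "=" in tok:                # Seq=, Ack=, Len=, Win=
            k, v = tok.split("=", 1)
            fields[k] = int(v)
        else:                         # bare flag words: Rst, Syn, Fin, Push, Urg
            flags.add(tok)
    return {
        "frame": int(m["frame"]), "t": _seconds(m["time"]),
        "src": m["src"], "dst": m["dst"],
        "sport": int(m["sport"]), "dport": int(m["dport"]),
        "seq": fields.get("Seq"), "ack": fields.get("Ack"),
        "len": fields.get("Len", 0), "win": fields.get("Win"),
        "flags": flags,
    }


def classify_flows(text, local=LOCAL):
    """Group packets by (remote ip, remote port, local port) and classify each group."""
    flows = defaultdict(lambda: {"in": [], "out": []})
    for line in text.splitlines():
        p = parse_snoop_line(line)
        if p is None:
            continue
        if p["dst"] == local:
            flows[(p["src"], p["sport"], p["dport"])]["in"].append(p)
        elif p["src"] == local:
            flows[(p["dst"], p["dport"], p["sport"])]["out"].append(p)

    report = {}
    for key, f in flows.items():
        inbound, outbound = f["in"], f["out"]
        gaps = [b["t"] - a["t"] for a, b in zip(inbound, inbound[1:])]
        # Same Seq/Ack every time: a retransmitted segment, not a sweep.
        same_segment = len({(p["seq"], p["ack"]) for p in inbound}) == 1
        # Mid-connection segments (ACK set, no SYN) for a session we never opened.
        established_shape = all(p["ack"] is not None and "Syn" not in p["flags"]
                                for p in inbound)
        # Our host resets every one: it holds no state for this 4-tuple.
        all_rst = bool(outbound) and all("Rst" in p["flags"] for p in outbound)
        # Near-constant spacing (within 2 s) points at a timer, not a human.
        periodic = len(gaps) >= 2 and max(gaps) - min(gaps) < 2.0

        if same_segment and established_shape and all_rst and periodic:
            verdict = "stale-session retransmission"   # assumed label
        elif all_rst:
            verdict = "unsolicited segment, reset"     # assumed label
        else:
            verdict = "unclassified"
        report[key] = {
            "verdict": verdict,
            "inbound": len(inbound), "resets": len(outbound),
            "period_s": round(sum(gaps) / len(gaps), 2) if gaps else None,
        }
    return report


if __name__ == "__main__":
    for key, r in classify_flows(SNOOP_SAMPLE).items():
        print(key, r)
```

Run against the sample, both flows come out as "stale-session retransmission" with a period of about 61 s, which is the behaviour a host is required to show for a segment belonging to a connection it does not have (RFC 793: reply with RST). Fed a real port sweep instead, the Seq/Ack numbers and the local port would change from packet to packet and the first rule would not fire, so the two cases separate cleanly.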
This archive was generated by hypermail 2b30 : Thu Nov 08 2001 - 11:47:22 PST