I'm not sure where this may be coming from, or why, but I can say that it indicates a problem. I'm not sure of the target machine's situation, posture, or any details, but, as a general rule, these packets should be silently dropped. There should be no response sent by your machine or network to rfc1918 address space (eg, 192.168.0.0/16). Perimeter firewalls and upstream routers should silently drop private address space packets arriving on external interfaces. > -----Original Message----- > From: Jon R. Kibler [mailto:Jon.Kiblerat_private] > Sent: Monday, November 05, 2001 6:37 PM > To: incidentsat_private > Subject: Strange "port scans" from a spoofed IP > > > Earlier today we started noticing a rather strange "port > scan" from two different spoofed IP addresses. Both claim to > originate from port 80 and have a fixed destination based > upon originating IP, as follows: > 192.168.19.82 has destination port 11709 > 192.168.19.81 has destination port 13607 > > The "scans" repeat every 61 seconds. They have been running > non-stop since sometime late yesterday. Here is an example > from snoop of the traffic in question: > > 150182 15:20:41.94425 192.168.19.82 -> US TCP D=11709 S=80 > Ack=924387618 Seq=159745477 Len=1 Win=0 > 150183 15:20:41.94466 US -> 192.168.19.82 TCP D=80 S=11709 > Rst Seq=924387618 Len=0 Win=0 > 150206 15:20:50.21349 192.168.19.81 -> US TCP D=13607 S=80 > Ack=915790864 Seq=2217637423 Len=1 Win=0 > 150207 15:20:50.21390 US -> 192.168.19.81 TCP D=80 S=13607 > Rst Seq=915790864 Len=0 Win=0 > 150283 15:21:42.90447 192.168.19.82 -> US TCP D=11709 S=80 > Ack=924387618 Seq=159745477 Len=1 Win=0 > 150284 15:21:42.90488 US -> 192.168.19.82 TCP D=80 S=11709 > Rst Seq=924387618 Len=0 Win=0 > 150311 15:21:51.13106 192.168.19.81 -> US TCP D=13607 S=80 > Ack=915790864 Seq=2217637423 Len=1 Win=0 > 150312 15:21:51.13147 US -> 192.168.19.81 TCP D=80 S=13607 > Rst Seq=915790864 Len=0 Win=0 > 150395 15:22:44.10400 192.168.19.82 -> US TCP D=11709 S=80 > Ack=924387618 Seq=159745477 Len=1 Win=0 > 150396 15:22:44.10440 US -> 192.168.19.82 TCP D=80 S=11709 > Rst Seq=924387618 Len=0 Win=0 > 150404 15:22:52.08212 192.168.19.81 -> US TCP D=13607 S=80 > Ack=915790864 Seq=2217637423 Len=1 Win=0 > 150405 15:22:52.08249 US -> 192.168.19.81 TCP D=80 S=13607 > Rst Seq=915790864 Len=0 Win=0 > 150442 15:23:44.87234 192.168.19.82 -> US TCP D=11709 S=80 > Ack=924387618 Seq=159745477 Len=1 Win=0 > 150443 15:23:44.87276 US -> 192.168.19.82 TCP D=80 S=11709 > Rst Seq=924387618 Len=0 Win=0 > 150488 15:23:53.03809 192.168.19.81 -> US TCP D=13607 S=80 > Ack=915790864 Seq=2217637423 Len=1 Win=0 > 150489 15:23:53.03850 US -> 192.168.19.81 TCP D=80 S=13607 > Rst Seq=915790864 Len=0 Win=0 > 150763 15:24:45.75855 192.168.19.82 -> US TCP D=11709 S=80 > Ack=924387618 Seq=159745477 Len=1 Win=0 > 150764 15:24:45.75894 US -> 192.168.19.82 TCP D=80 S=11709 > Rst Seq=924387618 Len=0 Win=0 > 150809 15:24:54.00191 192.168.19.81 -> US TCP D=13607 S=80 > Ack=915790864 Seq=2217637423 Len=1 Win=0 > 150810 15:24:54.00232 US -> 192.168.19.81 TCP D=80 S=13607 > Rst Seq=915790864 Len=0 Win=0 > > > Has anyone else seen something similar? Since this is clearly > not a DOS attack, any idea what would be the purpose of such a scan? > > Thanks for any and all help/comments. > > Sincerely, > Jon R. Kibler > Systems Architect > Advanced Systems Engineering Technology, Inc. > Charleston, SC > > -------------------------------------------------------------- > -------------- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Nov 09 2001 - 09:14:02 PST