Strange TCP Sweep to 0.0.0.0

From: Geoff Poer (gpoerat_private)
Date: Fri Nov 09 2001 - 09:34:30 PST

Next message: Dave Dittrich: "Analysis of SSH crc32 compensation attack detector exploit"

Previous message: J Jewitt: "Need Incident Handling Process Framework"
Next in thread: jared mc: "Re: Strange TCP Sweep to 0.0.0.0"
Reply: jared mc: "Re: Strange TCP Sweep to 0.0.0.0"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Our Cisco Secure IDS (that lives outside the firewall) is picking up
some strange traffic off one of our Netscreen Firewalls.  The Src
addresses are the un-trusted interface addresses assigned to the
Netscreen. Has any one seen something like this before? Is it a bug
or am I seeing something interesting?

Date Sensor Signature Sub Sig Description Severity Src Address Src
Port Dst Address Dst Port
2001-10-26 08:51:24 3 3030 0 TCP SYN Host Sweep 2 my.net.com 2028
0.0.0.0 0 
2001-10-26 08:55:24 3 3030 0 TCP SYN Host Sweep 2 my.net.com 1610
0.0.0.0 0 
2001-10-26 09:17:24 3 3030 0 TCP SYN Host Sweep 2 my.net.com 1100
0.0.0.0 0 
2001-10-26 09:21:20 3 3030 0 TCP SYN Host Sweep 2 my.net.com 1058
0.0.0.0 0 
2001-10-26 09:23:21 3 3030 0 TCP SYN Host Sweep 2 my.net.com 1707
0.0.0.0 0 
2001-10-26 09:25:23 3 3030 0 TCP SYN Host Sweep 2 my.net.com 1133
0.0.0.0 0 
2001-10-26 09:27:21 3 3030 0 TCP SYN Host Sweep 2 my.net.com 1959
0.0.0.0 0 
2001-10-26 10:33:21 3 3030 0 TCP SYN Host Sweep 2 my.net.com 1448
0.0.0.0 0
- --------Cut--------

(other address assigned to interface)
2001-11-02 09:24:24 3 3030 0 TCP SYN Host Sweep 2 my2.net.com 1886
0.0.0.0 0 
2001-11-02 09:54:20 3 3030 0 TCP SYN Host Sweep 2 my2.net.com 1197
0.0.0.0 0 
2001-11-02 10:48:23 3 3030 0 TCP SYN Host Sweep 2 my2.net.com 1779
0.0.0.0 0 
2001-11-02 11:29:24 3 3030 0 TCP SYN Host Sweep 2 my2.net.com 1152
0.0.0.0 0 
2001-11-02 11:49:20 3 3030 0 TCP SYN Host Sweep 2 my2.net.com 1286
0.0.0.0 0

What ever it is it is not terribly fast. The dates are inconsistent
in this email but they are actually occurring everyday with similar
frequency.

thanks,
Geoff

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO+wRgnJYBcIyrSGLEQJBNgCg4BuqFioMAitq5Lk+3qTiLYk6lbwAn33p
iesT5XGxthCxSARQdCQYKpaL
=Zj26
-----END PGP SIGNATURE-----


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Dave Dittrich: "Analysis of SSH crc32 compensation attack detector exploit"
Previous message: J Jewitt: "Need Incident Handling Process Framework"
Next in thread: jared mc: "Re: Strange TCP Sweep to 0.0.0.0"
Reply: jared mc: "Re: Strange TCP Sweep to 0.0.0.0"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Nov 09 2001 - 09:47:56 PST