Strange TCP Sweep to 0.0.0.0

From: Geoff Poer (gpoerat_private)
Date: Fri Nov 09 2001 - 09:34:30 PST

     
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Our Cisco Secure IDS (that lives outside the firewall) is picking up
    some strange traffic off one of our Netscreen Firewalls.  The Src
    addresses are the un-trusted interface addresses assigned to the
    Netscreen. Has anyone seen something like this before? Is it a bug
    or am I seeing something interesting?
    
    Date                 Sensor  Signature  Sub Sig  Description         Severity  Src Address  Src Port  Dst Address  Dst Port
    2001-10-26 08:51:24  3       3030       0        TCP SYN Host Sweep  2         my.net.com   2028      0.0.0.0      0
    2001-10-26 08:55:24  3       3030       0        TCP SYN Host Sweep  2         my.net.com   1610      0.0.0.0      0
    2001-10-26 09:17:24  3       3030       0        TCP SYN Host Sweep  2         my.net.com   1100      0.0.0.0      0
    2001-10-26 09:21:20  3       3030       0        TCP SYN Host Sweep  2         my.net.com   1058      0.0.0.0      0
    2001-10-26 09:23:21  3       3030       0        TCP SYN Host Sweep  2         my.net.com   1707      0.0.0.0      0
    2001-10-26 09:25:23  3       3030       0        TCP SYN Host Sweep  2         my.net.com   1133      0.0.0.0      0
    2001-10-26 09:27:21  3       3030       0        TCP SYN Host Sweep  2         my.net.com   1959      0.0.0.0      0
    2001-10-26 10:33:21  3       3030       0        TCP SYN Host Sweep  2         my.net.com   1448      0.0.0.0      0
    - --------Cut--------
    
    (other address assigned to interface)
    2001-11-02 09:24:24  3       3030       0        TCP SYN Host Sweep  2         my2.net.com  1886      0.0.0.0      0
    2001-11-02 09:54:20  3       3030       0        TCP SYN Host Sweep  2         my2.net.com  1197      0.0.0.0      0
    2001-11-02 10:48:23  3       3030       0        TCP SYN Host Sweep  2         my2.net.com  1779      0.0.0.0      0
    2001-11-02 11:29:24  3       3030       0        TCP SYN Host Sweep  2         my2.net.com  1152      0.0.0.0      0
    2001-11-02 11:49:20  3       3030       0        TCP SYN Host Sweep  2         my2.net.com  1286      0.0.0.0      0
    
    Whatever it is, it is not terribly fast. The dates are inconsistent
    in this email but they are actually occurring every day with similar
    frequency.
    
    thanks,
    Geoff
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
    
    iQA/AwUBO+wRgnJYBcIyrSGLEQJBNgCg4BuqFioMAitq5Lk+3qTiLYk6lbwAn33p
    iesT5XGxthCxSARQdCQYKpaL
    =Zj26
    -----END PGP SIGNATURE-----
    
    



    This archive was generated by hypermail 2b30 : Fri Nov 09 2001 - 09:47:56 PST