RE: Strange "port scans" from a spoofed IP

From: Jason Robertson (jasonat_private)
Date: Sun Nov 11 2001 - 15:55:33 PST


    Should and Is are totally different stories.
    
    We receive on our external interfaces about 1000 of these packets/day, 
    and I can actually trace these at times.. but for the past 2 years, I 
    have just blocked them from entering the network.
    
    I think it's a great deal of misconfigured routers and NATs.. And 
    wishing for ISPs or upstreams to block anything, as one cartoon put it, 
    "Don't you believe it", only because they rarely do, even for common 
    packet problems, or they would even add filters to prevent DoS's from 
    going from their network (oh dream of dreams), this alone by everyone, 
    would make life easier for all of us.
    
    Jason
    
    On 9 Nov 2001 at 10:58, Keith.Morgan wrote:
    
    From:           	"Keith.Morgan" <Keith.Morganat_private>
    To:             	"'Jon.Kiblerat_private'" <Jon.Kiblerat_private>
    Copies to:      	"'incidentsat_private'" <incidentsat_private>
    Subject:        	RE: Strange "port scans" from a spoofed IP
    Date sent:      	Fri, 9 Nov 2001 10:58:10 -0500 
    Mailer:         	Internet Mail Service (5.5.2653.19)
    
    > I'm not sure where this may be coming from, or why, but I can say that it
    > indicates a problem.  I'm not sure of the target machine's situation,
    > posture, or any details, but, as a general rule, these packets should be
    > silently dropped.  There should be no response sent by your machine or
    > network to rfc1918 address space (eg, 192.168.0.0/16).  Perimeter firewalls
    > and upstream routers should silently drop private address space packets
    > arriving on external interfaces.
    >  
    > 
    > > -----Original Message-----
    > > From: Jon R. Kibler [mailto:Jon.Kiblerat_private]
    > > Sent: Monday, November 05, 2001 6:37 PM
    > > To: incidentsat_private
    > > Subject: Strange "port scans" from a spoofed IP
    > > 
    > > 
    > > Earlier today we started noticing a rather strange "port 
    > > scan" from two different spoofed IP addresses. Both claim to 
    > > originate from port 80 and have a fixed destination based 
    > > upon originating IP, as follows:
    > >    192.168.19.82 has destination port 11709
    > >    192.168.19.81 has destination port 13607
    > > 
    > > The "scans" repeat every 61 seconds. They have been running 
    > > non-stop since sometime late yesterday. Here is an example 
    > > from snoop of the traffic in question:
    > > 
    > > 150182 15:20:41.94425 192.168.19.82 -> US TCP D=11709 S=80    
    > >  Ack=924387618 Seq=159745477 Len=1 Win=0
    > > 150183 15:20:41.94466 US -> 192.168.19.82 TCP D=80 S=11709 
    > > Rst Seq=924387618 Len=0 Win=0
    > > 150206 15:20:50.21349 192.168.19.81 -> US TCP D=13607 S=80    
    > >  Ack=915790864 Seq=2217637423 Len=1 Win=0
    > > 150207 15:20:50.21390 US -> 192.168.19.81 TCP D=80 S=13607 
    > > Rst Seq=915790864 Len=0 Win=0
    > > 150283 15:21:42.90447 192.168.19.82 -> US TCP D=11709 S=80    
    > >  Ack=924387618 Seq=159745477 Len=1 Win=0
    > > 150284 15:21:42.90488 US -> 192.168.19.82 TCP D=80 S=11709 
    > > Rst Seq=924387618 Len=0 Win=0
    > > 150311 15:21:51.13106 192.168.19.81 -> US TCP D=13607 S=80    
    > >  Ack=915790864 Seq=2217637423 Len=1 Win=0
    > > 150312 15:21:51.13147 US -> 192.168.19.81 TCP D=80 S=13607 
    > > Rst Seq=915790864 Len=0 Win=0
    > > 150395 15:22:44.10400 192.168.19.82 -> US TCP D=11709 S=80    
    > >  Ack=924387618 Seq=159745477 Len=1 Win=0
    > > 150396 15:22:44.10440 US -> 192.168.19.82 TCP D=80 S=11709 
    > > Rst Seq=924387618 Len=0 Win=0
    > > 150404 15:22:52.08212 192.168.19.81 -> US TCP D=13607 S=80    
    > >  Ack=915790864 Seq=2217637423 Len=1 Win=0
    > > 150405 15:22:52.08249 US -> 192.168.19.81 TCP D=80 S=13607 
    > > Rst Seq=915790864 Len=0 Win=0
    > > 150442 15:23:44.87234 192.168.19.82 -> US TCP D=11709 S=80    
    > >  Ack=924387618 Seq=159745477 Len=1 Win=0
    > > 150443 15:23:44.87276 US -> 192.168.19.82 TCP D=80 S=11709 
    > > Rst Seq=924387618 Len=0 Win=0
    > > 150488 15:23:53.03809 192.168.19.81 -> US TCP D=13607 S=80    
    > >  Ack=915790864 Seq=2217637423 Len=1 Win=0
    > > 150489 15:23:53.03850 US -> 192.168.19.81 TCP D=80 S=13607 
    > > Rst Seq=915790864 Len=0 Win=0
    > > 150763 15:24:45.75855 192.168.19.82 -> US TCP D=11709 S=80    
    > >  Ack=924387618 Seq=159745477 Len=1 Win=0
    > > 150764 15:24:45.75894 US -> 192.168.19.82 TCP D=80 S=11709 
    > > Rst Seq=924387618 Len=0 Win=0
    > > 150809 15:24:54.00191 192.168.19.81 -> US TCP D=13607 S=80    
    > >  Ack=915790864 Seq=2217637423 Len=1 Win=0
    > > 150810 15:24:54.00232 US -> 192.168.19.81 TCP D=80 S=13607 
    > > Rst Seq=915790864 Len=0 Win=0
    > > 
    > > 
    > > Has anyone else seen something similar? Since this is clearly 
    > > not a DOS attack, any idea what would be the purpose of such a scan?
    > > 
    > > Thanks for any and all help/comments.
    > > 
    > > Sincerely,
    > > Jon R. Kibler
    > > Systems Architect
    > > Advanced Systems Engineering Technology, Inc.
    > > Charleston, SC
    > > 
    > > ----------------------------------------------------------------------------
    > > This list is provided by the SecurityFocus ARIS analyzer service.
    > > For more information on this free incident handling, management 
    > > and tracking system please see: http://aris.securityfocus.com
    > > 
    > 
    
    
    --
    Jason Robertson                
    Network/Security Analyst     
    jasonat_private 
    http://www.ifuture.com, http://www.astroadvice.com, 
    http://www.astroeast.com
    Also if you are looking for an employee, I may be available soon, so 
    feel free to contact me for my resume.
    
    
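As an added example (not part of any message in this thread), the Python below audits snoop output of the kind Jon posted: it flags inbound packets whose source is RFC 1918 space, flags the RSTs the local host sent back into private space (the reply Keith says should never leave the network), and measures how often each spoofed source repeats. The sample trace is an excerpt of the lines quoted above; "US" is the name snoop printed for the local host.

```python
import ipaddress
import re
from datetime import datetime

# Excerpt of the snoop trace quoted in the thread; "US" is the local host.
SNOOP = """\
150182 15:20:41.94425 192.168.19.82 -> US TCP D=11709 S=80
 Ack=924387618 Seq=159745477 Len=1 Win=0
150183 15:20:41.94466 US -> 192.168.19.82 TCP D=80 S=11709
Rst Seq=924387618 Len=0 Win=0
150283 15:21:42.90447 192.168.19.82 -> US TCP D=11709 S=80
 Ack=924387618 Seq=159745477 Len=1 Win=0
150284 15:21:42.90488 US -> 192.168.19.82 TCP D=80 S=11709
Rst Seq=924387618 Len=0 Win=0
150395 15:22:44.10400 192.168.19.82 -> US TCP D=11709 S=80
 Ack=924387618 Seq=159745477 Len=1 Win=0
150396 15:22:44.10440 US -> 192.168.19.82 TCP D=80 S=11709
Rst Seq=924387618 Len=0 Win=0
"""
HEADER = re.compile(r"^(\d+) (\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+) TCP (.*)$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    try:
        return any(ipaddress.ip_address(addr) in net for net in RFC1918)
    except ValueError:  # snoop printed a hostname ("US"), not a literal address
        return False

def parse_snoop(text):
    """Re-join snoop's wrapped lines, then return one dict per packet."""
    # A continuation line never starts with "<packet number> <hh:mm:ss.>".
    joined = re.sub(r"\n(?!\d+ \d\d:\d\d:\d\d\.)", " ", text.strip())
    packets = []
    for rec in joined.splitlines():
        _, ts, src, dst, rest = HEADER.match(rec).groups()
        toks = rest.split()  # key=value fields plus bare flags such as "Rst"
        packets.append({"ts": datetime.strptime(ts, "%H:%M:%S.%f"), "src": src,
                        "dst": dst, "flags": {t for t in toks if "=" not in t},
                        **dict(t.split("=") for t in toks if "=" in t)})
    return packets

def audit(packets, local="US"):
    """Inbound private-source packets, replies leaked to private space, repeat intervals."""
    inbound = [p for p in packets if p["dst"] == local and is_rfc1918(p["src"])]
    leaked = [p for p in packets if p["src"] == local and is_rfc1918(p["dst"])]
    times = {}
    for p in inbound:
        times.setdefault(p["src"], []).append(p["ts"])
    intervals = {s: [round((b - a).total_seconds(), 1) for a, b in zip(t, t[1:])]
                 for s, t in times.items()}
    return inbound, leaked, intervals
```

A non-empty `leaked` list is the finding Keith describes: the perimeter let private-source packets in, and the host answered them instead of the packets being silently dropped.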
    



    This archive was generated by hypermail 2b30 : Mon Nov 12 2001 - 09:37:19 PST