RE: port 6635 and port 9705

From: Rob Keown (Keownat_private)
Date: Wed Nov 14 2001 - 18:45:39 PST

    Our IDS detected SYN floods from 216.187.84.11 on 11/13 at 15:38 and 18:05.

    They were caught by our perimeter sensor and blocked by the firewall. I also
    have port 9705, 6635, and 80 scans at 15:32. Our scans were not from an
    incrementing port # (perhaps further evidence of manual work).

    I'm in the process of looking at the capture files.

    Sent email to the intruder's admin.
    -----Original Message-----
    From: Jim Howard [mailto:Jim.Howardat_private]
    Sent: Wednesday, November 14, 2001 12:29 PM
    To: incidentsat_private
    Subject: port 6635 and port 9705
    
    
    Somebody had asked where these scans were coming from. Just yesterday, I
    got scanned on both these ports at the same time from this IP: 216.187.84.11.
    I have notified the parties that needed notification, but I just wanted
    to mention that:

    1) Our entire network was scanned for both from the same host, one right
    after the other, with 9705 first, then 6635. The scans to 9705 were
    primarily from port 9705, whereas the 6635 scan was from an incrementing port
    #.

    2) This is the first I have seen scans on these ports for some time. It
    sounds, from what people are saying, that this may be picking up now?

    3) There was a break of about 4 minutes between the scan sessions, which
    indicates a manual process to fire up the other scan. All scans carry the
    SYN flag.
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
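As an added example (not code from either message on this list), the following Python script reads constructed firewall log lines the way Jim and Rob read theirs: it groups SYN probes by source host and destination port, classifies each scan's source port as fixed or incrementing, and measures the pause between scan sessions from the same source. The log format, the 10.0.0.x hosts, the source ports 33001-33003, the 192.0.2.7 host and all timestamps are assumptions; only the source address 216.187.84.11 and ports 9705/6635 come from the thread.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (hypothetical format "date time src:sport -> dst:dport flags"); only 216.187.84.11 and ports 9705/6635 are from the thread.
SAMPLE_LOG = """\
2001-11-13 15:32:00 216.187.84.11:9705 -> 10.0.0.1:9705 S
2001-11-13 15:32:01 216.187.84.11:9705 -> 10.0.0.2:9705 S
2001-11-13 15:32:02 216.187.84.11:9705 -> 10.0.0.3:9705 S
2001-11-13 15:36:10 216.187.84.11:33001 -> 10.0.0.1:6635 S
2001-11-13 15:36:11 216.187.84.11:33002 -> 10.0.0.2:6635 S
2001-11-13 15:36:12 216.187.84.11:33003 -> 10.0.0.3:6635 S
2001-11-13 15:40:00 192.0.2.7:44321 -> 10.0.0.1:80 S
"""

def parse_line(line):
    """Split one log line into (timestamp, src_ip, src_port, dst_ip, dst_port, flags)."""
    date, time_, src, _, dst, flags = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return (datetime.fromisoformat(f"{date} {time_}"), src_ip, int(src_port), dst_ip, int(dst_port), flags)

def source_port_pattern(ports):
    """Classify a scan's source ports, in time order: fixed, incrementing or varying."""
    if len(set(ports)) == 1:
        return "fixed"
    if all(a < b for a, b in zip(ports, ports[1:])):
        return "incrementing"
    return "varying"

def summarise_scans(log_text, min_hosts=3):
    """One summary per (source IP, destination port) whose SYN-only probes reached at least min_hosts hosts."""
    groups = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        groups[(rec[1], rec[4])].append(rec)
    scans = []
    for (src_ip, dst_port), recs in groups.items():
        recs.sort()  # timestamp is the first tuple element
        hosts = {r[3] for r in recs}
        if len(hosts) < min_hosts or any(r[5] != "S" for r in recs):
            continue  # a single noisy hit, or not a SYN-only probe, is not a sweep
        scans.append({"src_ip": src_ip, "dst_port": dst_port, "hosts": len(hosts),
                      "source_port": source_port_pattern([r[2] for r in recs]),
                      "start": recs[0][0], "end": recs[-1][0]})
    return sorted(scans, key=lambda s: s["start"])

def session_gaps_minutes(scans):
    """Minutes between consecutive sessions from one source; a pause of a few minutes hints at a scan launched by hand."""
    return [(a["dst_port"], b["dst_port"], (b["start"] - a["end"]).total_seconds() / 60)
            for a, b in zip(scans, scans[1:]) if a["src_ip"] == b["src_ip"]]
```

On the sample above the script reports the 9705 sweep as fixed-source-port, the 6635 sweep as incrementing, and a gap of just over four minutes between them.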



    This archive was generated by hypermail 2b30 : Thu Nov 15 2001 - 08:21:08 PST