Hello,

Starting slightly over a week ago, we've started seeing what looks like coordinated distributed scans. We've seen four or five of them come across our class B in that time. Each time, somewhere around eighty systems scan our network. Each IP seems to scan about a thousand machines on our network, all within the same basic time period (within a few minutes of each other). The scans have either been for ftp or ssh.

Normally, I'd expect that it was the nmap decoy mode. However, three things seem to indicate that this isn't the case: first, the scans have complete TCP connections -- full handshakes are made. Second, each IP is scanning a slightly different part of our network. Third, we've reported some of these to the sources and gotten confirmations that the machines we saw the scans come from were compromised.

I'm guessing that there's a new tool out there. Anyone else seeing this sort of activity? Anyone have a copy of the tool?

-Larry

---
E. Larry Lidz                                        Phone: (773)702-2208
Sr. Network Security Officer                         Fax: (773)834-8444
Network Security Center, The University of Chicago
PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
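As an added example that is not part of Larry's post: a small Python detector that turns the three indicators he lists into a check over connection logs. It counts only completed handshakes (spoofed nmap decoys never finish the three-way handshake), requires many distinct sources completing connections to the same port within a short window, and requires each source to cover a mostly disjoint slice of the target space (low pairwise Jaccard overlap), which is what distinguishes a partitioned, coordinated scan from decoys all hitting the same hosts. The log format (timestamp, source, destination, destination port, TCP state), every address and timestamp, and the thresholds are constructed assumptions for this illustration, not data or values from the post.

```python
"""Detect coordinated distributed scans in connection logs.

Added example (not from the original post). Log format, addresses,
timestamps and thresholds are constructed for this illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Conn:
    ts: float        # seconds since epoch
    src: str
    dst: str
    dport: int
    handshake: bool  # True only if the full SYN / SYN-ACK / ACK handshake completed


def parse_conn_line(line: str) -> Conn:
    """Parse one constructed log line: '<ts> <src> <dst> <dport> <state>'."""
    ts, src, dst, dport, state = line.split()
    return Conn(float(ts), src, dst, int(dport), state == "ESTABLISHED")


def max_pairwise_jaccard(target_sets):
    """Largest Jaccard overlap between any two sources' target sets (0.0 = disjoint)."""
    best = 0.0
    for i in range(len(target_sets)):
        for j in range(i + 1, len(target_sets)):
            a, b = target_sets[i], target_sets[j]
            inter = len(a & b)
            if inter:
                best = max(best, inter / len(a | b))
    return best


def detect_distributed_scan(conns, window=300, min_sources=20,
                            min_targets_per_source=30, max_overlap=0.2):
    """Return one finding per (dport, time bucket) that looks like a coordinated scan.

    Indicators checked:
      1. only completed handshakes count (decoy SYNs from spoofed sources never complete);
      2. at least `min_sources` distinct sources in the same `window`-second bucket,
         each reaching at least `min_targets_per_source` distinct hosts on one port;
      3. the sources' target sets are mostly disjoint (pairwise Jaccard <= max_overlap),
         i.e. the network was partitioned among them rather than scanned redundantly.
    Fixed buckets are used for simplicity; a production detector would slide the window.
    """
    targets = defaultdict(lambda: defaultdict(set))  # (dport, bucket) -> src -> {dst}
    for c in conns:
        if c.handshake:
            targets[(c.dport, int(c.ts // window))][c.src].add(c.dst)

    findings = []
    for (dport, bucket), per_src in targets.items():
        busy = [dsts for dsts in per_src.values() if len(dsts) >= min_targets_per_source]
        if len(busy) < min_sources:
            continue
        overlap = max_pairwise_jaccard(busy)
        if overlap <= max_overlap:
            findings.append({
                "dport": dport,
                "window_start": bucket * window,
                "sources": len(busy),
                "hosts_covered": len(set().union(*busy)),
                "max_overlap": overlap,
            })
    return findings


def build_sample_log():
    """Constructed log: one coordinated scan, one decoy-style scan, one single-source sweep."""
    lines = []
    base = 1007000100.0  # constructed timestamp, chosen to sit at a 300-second boundary
    # Coordinated ftp scan: 24 sources, each completing handshakes to its own 40-host slice.
    for i in range(24):
        src = f"203.0.113.{i + 1}"
        for j in range(40):
            dst = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address("10.10.0.0")) + i * 40 + j))
            lines.append(f"{base + i * 5 + j * 0.1:.1f} {src} {dst} 21 ESTABLISHED")
    # Decoy-style telnet scan: 24 spoofed sources, SYN only, all hitting the same 40 hosts.
    for i in range(24):
        for j in range(40):
            lines.append(f"{base + 60 + j * 0.1:.1f} 198.51.100.{i + 1} 10.10.9.{j + 1} 23 SYN_SENT")
    # Single-source ssh sweep: real handshakes, but only one source.
    for j in range(40):
        lines.append(f"{base + 120 + j * 0.1:.1f} 192.0.2.7 10.10.20.{j + 1} 22 ESTABLISHED")
    return lines


def run_sample():
    conns = [parse_conn_line(line) for line in build_sample_log()]
    return detect_distributed_scan(conns)


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

Only the port-21 activity is reported: the port-23 decoys never complete a handshake and are dropped before counting, and the port-22 sweep has a single source. Tuning `max_overlap` upward tolerates scanners whose slices partly overlap; tuning `min_targets_per_source` downward catches slower, lower-volume partitions at the cost of more noise.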
This archive was generated by hypermail 2b30 : Mon Dec 10 2001 - 16:06:01 PST