RE: New DNS connection with SYN ACK

From: Keith T. Morgan (keith.morganat_private)
Date: Mon Jan 14 2002 - 09:30:23 PST

    Search the archives for this one.  We've been over this a few times.  Likely someone is using Cisco's content-redirector software.  I don't remember the details, but the archives should have several threads regarding this type of activity.  Most likely these are not spoofed scans.
    
    
    -----Original Message-----
    From: Cloppert, Michael [mailto:Michael.Cloppertat_private]
    Sent: Monday, January 14, 2002 10:22 AM
    To: 'incidentsat_private'
    Subject: RE: New DNS connection with SYN ACK
    
    
    Could it be that you've been decoy addresses in a portscan?
    
    For instance, hacker (H) wants to attack A.  Hacker finds B and C that are
    legit, so hacker sends a portscan from H, B, and C to A.  The effect of this
    is that the analyst at A doesn't know which is the real portscanner (or in
    this case scanner for port 53).  What B and C see are the responses to the
    initial SYN sent to A, since A will be responding to all of H, B, and C
    thinking that they're legit TCP initiation requests.
    
    HTH.  Anyone else have any ideas?
    
    Mike Cloppert
    
    > -----Original Message-----
    > From: Richard Arends [mailto:richardat_private]
    > Sent: Friday, January 11, 2002 1:47 PM
    > To: Jerry Perser
    > Cc: incidentsat_private
    > Subject: Re: New DNS connection with SYN ACK
    > 
    > 
    > On 11 Jan 2002, Jerry Perser wrote:
    > 
    > > Here are the 19 ip addresses:
    > >
    > 
    > I'm getting scans for port 53 from the same IPs!
    > 
    > Greetings,
    > 
    > Richard.
    > 
    > ----
    > An OS is like swiss cheese, the bigger it is, the more holes you get!
    > 
    > 
    > --------------------------------------------------------------
    > --------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    
    
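One way to test the decoy-scan explanation quoted above, added here as an example and not code from anyone on the thread: record the SYNs your own hosts send and flag every inbound SYN/ACK that does not answer one of them. The one-line-per-packet log format, the local prefix 10.0.0. and all addresses are constructed for the example.

```python
"""Flag inbound SYN/ACK segments that answer no SYN of ours (backscatter).

Constructed log format, one packet per line:
    <epoch> <src_ip>:<src_port> > <dst_ip>:<dst_port> <tcp_flags>
A host that is being used as a scan decoy (or that is a target of any
spoofed-SYN activity) sees SYN/ACKs for connections it never opened.
"""
from collections import defaultdict

# Constructed sample: 10.0.0.5 makes one real TCP/53 query to 192.0.2.10;
# every other SYN/ACK from port 53 is unsolicited.
SAMPLE_LOG = """\
1010700001 10.0.0.5:33001 > 192.0.2.10:53 S
1010700002 192.0.2.10:53 > 10.0.0.5:33001 SA
1010700003 198.51.100.7:53 > 10.0.0.5:1025 SA
1010700004 198.51.100.7:53 > 10.0.0.5:1026 SA
1010700005 203.0.113.9:53 > 10.0.0.5:1025 SA
1010700006 203.0.113.9:53 > 10.0.0.5:1027 SA
"""


def parse_line(line):
    """Split one constructed log line into (ts, sip, sport, dip, dport, flags)."""
    ts, src, _, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return int(ts), sip, int(sport), dip, int(dport), flags


def find_unsolicited_synacks(log_text, local_prefix="10.0.0."):
    """Return {remote_ip: count} of SYN/ACKs whose 4-tuple never saw our SYN.

    local_prefix is an assumed string prefix for "our" addresses.
    """
    pending = set()           # (local_ip, local_port, remote_ip, remote_port)
    hits = defaultdict(int)
    for line in log_text.splitlines():
        _, sip, sport, dip, dport, flags = parse_line(line)
        if sip.startswith(local_prefix) and flags == "S":
            pending.add((sip, sport, dip, dport))
        elif dip.startswith(local_prefix) and flags == "SA":
            key = (dip, dport, sip, sport)
            if key in pending:
                pending.discard(key)   # reply to a SYN we really sent
            else:
                hits[sip] += 1         # nobody here asked for this connection
    return dict(hits)


if __name__ == "__main__":
    for ip, n in sorted(find_unsolicited_synacks(SAMPLE_LOG).items()):
        print(f"{ip}: {n} unsolicited SYN/ACK(s)")
```

A source that appears with many hits across distinct local ports, and never answers a SYN of yours, matches the "responses to someone else's spoofed SYN" pattern rather than a reply to your own traffic.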



    This archive was generated by hypermail 2b30 : Mon Jan 14 2002 - 10:46:29 PST