RE: Strange "shotgun" scan

From: McCammon, Keith (Keith.McCammonat_private)
Date: Thu May 09 2002 - 11:21:19 PDT


    This could be any number of tools, as most scanners allow for control of speed and/or randomization of target ports, mainly for the purposes of IDS evasion.  Keep in mind that there are two common ways to evade an IDS: go so slow that it doesn't think anything is wrong, or go so fast that the sensor is overwhelmed and drops packets. 
    
    This fellow may be trying to overwhelm the sensor by scanning at such a rapid rate that packets are dropped from the buffer before the IDS generates an alert.  Or, it could simply have been someone who thought that "nmap -T Insane" would get the job done faster (only an example, as I haven't studied this for any tool-related pattern).  Kids these days are impatient.
    
    Cheers
    
    Keith
    
    -----Original Message-----
    From: Ken Hodges [mailto:khodgesat_private]
    Sent: Thursday, May 09, 2002 1:30 PM
    To: incidentsat_private
    Subject: Strange "shotgun" scan
    
    Has anyone seen this type of scan before? I received close to 10K scans during a 15-minute period. It appears that the person was scanning totally random ports on all of my IP range. Just curious if it is some known program, or if anyone has seen this before.
    
    Thanks.
    
    Ken.
    
    May  8 18:56:26 24.165.73.85:2070 -> 206.40.XXX.XXA:394 SYN 12****S*
    May  8 18:56:26 24.165.73.85:2071 -> 206.40.XXX.XXA:478 SYN 12****S*
    May  8 18:56:26 24.165.73.85:2072 -> 206.40.XXX.XXA:770 SYN 12****S*
    May  8 18:56:26 24.165.73.85:2073 -> 206.40.XXX.XXA:350 SYN 12****S*
    May  8 18:56:26 24.165.73.85:2074 -> 206.40.XXX.XXA:126 SYN 12****S*
    May  8 18:56:26 24.165.73.85:2075 -> 206.40.XXX.XXA:3462 SYN 12****S*
    May  8 18:56:26 24.165.73.85:2076 -> 206.40.XXX.XXA:1003 SYN 12****S*
    May  8 18:56:26 24.165.73.85:2077 -> 206.40.XXX.XXA:1546 SYN 12****S*
    May  8 18:56:26 24.165.73.85:2078 -> 206.40.XXX.XXA:980 SYN 12****S*
    May  8 18:56:26 24.165.73.85:2079 -> 206.40.XXX.XXA:680 SYN 12****S*
    May  8 18:56:27 24.165.73.85:2100 -> 206.40.XXX.XXA:819 SYN 12****S*
    May  8 18:56:27 24.165.73.85:2101 -> 206.40.XXX.XXA:749 SYN 12****S*
    May  8 18:56:27 24.165.73.85:2102 -> 206.40.XXX.XXA:727 SYN 12****S*
    May  8 18:56:27 24.165.73.85:2103 -> 206.40.XXX.XXA:412 SYN 12****S*
    May  8 18:56:27 24.165.73.85:2104 -> 206.40.XXX.XXA:5432 SYN 12****S*
    May  8 18:56:27 24.165.73.85:2105 -> 206.40.XXX.XXA:554 SYN 12****S*
    May  8 18:56:27 24.165.73.85:2106 -> 206.40.XXX.XXA:1989 SYN 12****S*
    May  8 18:56:27 24.165.73.85:2107 -> 206.40.XXX.XXA:460 SYN 12****S*
    May  8 18:56:27 24.165.73.85:2108 -> 206.40.XXX.XXA:696 SYN 12****S*
    May  8 18:56:27 24.165.73.85:2109 -> 206.40.XXX.XXA:1998 SYN 12****S*
    May  8 18:56:28 24.165.73.85:2130 -> 206.40.XXX.XXA:867 SYN 12****S*
    May  8 18:56:28 24.165.73.85:2131 -> 206.40.XXX.XXA:776 SYN 12****S*
    May  8 18:56:28 24.165.73.85:2132 -> 206.40.XXX.XXA:799 SYN 12****S*
    May  8 18:56:28 24.165.73.85:2133 -> 206.40.XXX.XXA:1419 SYN 12****S*
    May  8 18:56:28 24.165.73.85:2134 -> 206.40.XXX.XXA:970 SYN 12****S*
    May  8 18:56:28 24.165.73.85:2135 -> 206.40.XXX.XXA:20 SYN 12****S*
    May  8 18:56:28 24.165.73.85:2136 -> 206.40.XXX.XXA:67 SYN 12****S*
    
    
    
    And it goes on and on....
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
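A small defender-side triage script for the log format quoted in the thread, added here as an example and not code from either poster. It parses the SYN lines, groups them by source address, and reports for each source the packet rate, the number of distinct destination ports, whether those ports look like a sequential sweep or a randomized pick (the "shotgun" pattern Ken describes), and whether the source ports climb monotonically, which is what a single scanner process producing the burst looks like. The embedded sample is twelve lines taken from Ken's log plus two constructed lines from a made-up source 10.0.0.5 that should not be flagged; the thresholds min_ports and window_s are assumptions to tune per site.

```python
"""Flag 'shotgun' SYN scans (many randomized destination ports from one
source in a short time) in SYN log lines of the format quoted in the thread."""
import re
from collections import defaultdict
from datetime import datetime

# One log line looks like:
#   May  8 18:56:26 24.165.73.85:2070 -> 206.40.XXX.XXA:394 SYN 12****S*
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<name>[A-Z]+)\s+(?P<flags>\S+)$"
)

# Twelve lines from the post, plus two constructed lines from a made-up
# source (10.0.0.5) that represent ordinary client traffic.
SAMPLE_LOG = """\
May  8 18:56:26 24.165.73.85:2070 -> 206.40.XXX.XXA:394 SYN 12****S*
May  8 18:56:26 24.165.73.85:2071 -> 206.40.XXX.XXA:478 SYN 12****S*
May  8 18:56:26 24.165.73.85:2072 -> 206.40.XXX.XXA:770 SYN 12****S*
May  8 18:56:26 24.165.73.85:2073 -> 206.40.XXX.XXA:350 SYN 12****S*
May  8 18:56:26 24.165.73.85:2074 -> 206.40.XXX.XXA:126 SYN 12****S*
May  8 18:56:26 24.165.73.85:2075 -> 206.40.XXX.XXA:3462 SYN 12****S*
May  8 18:56:27 10.0.0.5:33012 -> 206.40.XXX.XXA:80 SYN 12****S*
May  8 18:56:27 24.165.73.85:2100 -> 206.40.XXX.XXA:819 SYN 12****S*
May  8 18:56:27 24.165.73.85:2101 -> 206.40.XXX.XXA:749 SYN 12****S*
May  8 18:56:27 24.165.73.85:2102 -> 206.40.XXX.XXA:727 SYN 12****S*
May  8 18:56:28 24.165.73.85:2130 -> 206.40.XXX.XXA:867 SYN 12****S*
May  8 18:56:28 24.165.73.85:2131 -> 206.40.XXX.XXA:776 SYN 12****S*
May  8 18:56:28 24.165.73.85:2135 -> 206.40.XXX.XXA:20 SYN 12****S*
May  8 18:56:40 10.0.0.5:33013 -> 206.40.XXX.XXA:443 SYN 12****S*
"""


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # The log carries no year; strptime defaults to 1900, which is fine for deltas.
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return {"ts": ts, "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "flags": m.group("flags")}


def analyze(log_text, min_ports=10, window_s=60):
    """Group SYN-only events by source and score each source's burst behaviour.

    min_ports / window_s are assumed thresholds: a source that hits at least
    min_ports distinct destination ports within window_s seconds, with the
    ports not forming a sequential sweep, is reported as a shotgun scan."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        # SYN set, ACK clear (e.g. "12****S*"): a connection attempt, not a reply.
        if ev and "S" in ev["flags"] and "A" not in ev["flags"]:
            by_src[ev["src"]].append(ev)

    report = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        span = max((evs[-1]["ts"] - evs[0]["ts"]).total_seconds(), 1.0)  # 1 s log resolution
        dports = sorted({e["dport"] for e in evs})
        # Fraction of adjacent distinct ports that differ by exactly one:
        # close to 1.0 for a sequential sweep, close to 0 for randomized targets.
        adjacent = [b - a == 1 for a, b in zip(dports, dports[1:])]
        seq_frac = sum(adjacent) / len(adjacent) if adjacent else 0.0
        sports = [e["sport"] for e in evs]
        report[src] = {
            "packets": len(evs),
            "distinct_dports": len(dports),
            "pps": len(evs) / span,
            "sequential_dport_fraction": seq_frac,
            "sport_increasing": all(a < b for a, b in zip(sports, sports[1:])),
            "shotgun": len(dports) >= min_ports and span <= window_s and seq_frac < 0.5,
        }
    return report


if __name__ == "__main__":
    for src, r in analyze(SAMPLE_LOG).items():
        verdict = "SHOTGUN SCAN" if r["shotgun"] else "ok"
        print(f"{src:16} pkts={r['packets']:3} ports={r['distinct_dports']:3} "
              f"pps={r['pps']:.1f} seq={r['sequential_dport_fraction']:.2f} "
              f"sport_inc={r['sport_increasing']} -> {verdict}")
```

Run against a full day of these lines, the per-source packet rate is also the number to compare against your sensor's drop counters: if the burst rate sits near the point where the IDS starts losing packets, the "overwhelm the sensor" reading of the scan becomes the more likely one.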
    
    
    



    This archive was generated by hypermail 2b30 : Thu May 09 2002 - 12:17:19 PDT