Re: Distributed ICMP/UDP scan or attack?

From: J Jewitt (jjewitt2001at_private)
Date: Mon Jun 17 2002 - 10:30:57 PDT

Next message: Richard Ginski: "DOS by Flooding a Network"

Previous message: Jason Dixon: "Distributed ICMP/UDP scan or attack?"
In reply to: Jason Dixon: "Distributed ICMP/UDP scan or attack?"
Next in thread: Edward Beheler: "RE: Distributed ICMP/UDP scan or attack?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

   Looks to me like a ping followed by a UDP connect.
Ten Extra IP addresses were probably inserted as
decoys.
   I would assert that only one of those eleven IPs
are your scanner.
   I believe that NMAP would look like this, if
configured to ping first and use ten decoys. Blocking
icmp at your firewall is a good way mitigate blind
scans.

     J Jewitt
 



--- Jason Dixon <jasondixonat_private> wrote:
> Hi all:
> 
> Please excuse me if this is a newbie question, I'm
> not sure how to go
> about searching for answers on intrustion/scanner
> patterns and the
> like.  I noticed this series of scans/connections in
> my firewall log
> this morning.  The first thing that came to mind was
> the Bind 9
> vulnerability, but there aren't any exploits
> available yet, IIRC.
> 
> As you can see, there was a series of three icmp
> queries followed by two
> unsuccessful DNS connections.  Has anyone seen this?
>  
> 
> < Jun  15  15:47:31  dc0  208.185.54.14  ->  x.x.x.x
>  icmp
> < Jun  15  15:47:31  dc0  64.15.251.198  ->  x.x.x.x
>  icmp
> < Jun  15  15:47:31  dc0  213.61.6.2  ->  x.x.x.x 
> icmp
> < Jun  15  15:47:31  dc0  207.235.98.194  -> 
> x.x.x.x  icmp
> < Jun  15  15:47:31  dc0  64.0.96.12  ->  x.x.x.x 
> icmp
> < Jun  15  15:47:31  dc0  209.240.77.130  -> 
> x.x.x.x  icmp
> < Jun  15  15:47:31  dc0  65.119.25.162  ->  x.x.x.x
>  icmp
> < Jun  15  15:47:31  dc0  204.176.88.5  ->  x.x.x.x 
> icmp
> < Jun  15  15:47:32  dc0  64.14.117.10  ->  x.x.x.x 
> icmp
> < Jun  15  15:47:32  dc0  212.62.17.145  ->  x.x.x.x
>  icmp
> < Jun  15  15:47:42  dc0  64.15.251.198  ->  x.x.x.x
>  icmp
> < Jun  15  15:47:42  dc0  208.185.54.14  ->  x.x.x.x
>  icmp
> < Jun  15  15:47:42  dc0  213.61.6.2  ->  x.x.x.x 
> icmp
> < Jun  15  15:47:42  dc0  207.235.98.194  -> 
> x.x.x.x  icmp
> < Jun  15  15:47:42  dc0  64.0.96.12  ->  x.x.x.x 
> icmp
> < Jun  15  15:47:42  dc0  209.240.77.130  -> 
> x.x.x.x  icmp
> < Jun  15  15:47:42  dc0  204.176.88.5  ->  x.x.x.x 
> icmp
> < Jun  15  15:47:42  dc0  65.119.25.162  ->  x.x.x.x
>  icmp
> < Jun  15  15:47:43  dc0  64.14.117.10  ->  x.x.x.x 
> icmp
> < Jun  15  15:47:43  dc0  212.62.17.145  ->  x.x.x.x
>  icmp
> < Jun  15  15:47:52  dc0  208.185.54.14  ->  x.x.x.x
>  icmp
> < Jun  15  15:47:52  dc0  64.15.251.198  ->  x.x.x.x
>  icmp
> < Jun  15  15:47:52  dc0  213.61.6.2  ->  x.x.x.x 
> icmp
> < Jun  15  15:47:52  dc0  207.235.98.194  -> 
> x.x.x.x  icmp
> < Jun  15  15:47:52  dc0  64.0.96.12  ->  x.x.x.x 
> icmp
> < Jun  15  15:47:52  dc0  209.240.77.130  -> 
> x.x.x.x  icmp
> < Jun  15  15:47:52  dc0  65.119.25.162  ->  x.x.x.x
>  icmp
> < Jun  15  15:47:52  dc0  204.176.88.5  ->  x.x.x.x 
> icmp
> < Jun  15  15:47:52  dc0  64.14.117.10  ->  x.x.x.x 
> icmp
> < Jun  15  15:47:53  dc0  212.62.17.145  ->  x.x.x.x
>  icmp
> < Jun  15  15:48:01  dc0  208.185.54.14,1687  -> 
> x.x.x.x,53  udp
> < Jun  15  15:48:01  dc0  64.15.251.198,32865  -> 
> x.x.x.x,53  udp
> < Jun  15  15:48:01  dc0  213.61.6.2,17613  -> 
> x.x.x.x,53  udp
> < Jun  15  15:48:01  dc0  207.235.98.194,54613  -> 
> x.x.x.x,53  udp
> < Jun  15  15:48:01  dc0  64.0.96.12,50831  -> 
> x.x.x.x,53  udp
> < Jun  15  15:48:02  dc0  209.240.77.130,39805  -> 
> x.x.x.x,53  udp
> < Jun  15  15:48:02  dc0  65.119.25.162,3058  -> 
> x.x.x.x,53  udp
> < Jun  15  15:48:02  dc0  204.176.88.5,8329  -> 
> x.x.x.x,53  udp
> < Jun  15  15:48:02  dc0  64.14.117.10,4502  -> 
> x.x.x.x,53  udp
> < Jun  15  15:48:02  dc0  212.62.17.145,54557  -> 
> x.x.x.x,53  udp
> < Jun  15  15:48:11  dc0  64.15.251.198,32865  -> 
> x.x.x.x,53  udp
> < Jun  15  15:48:11  dc0  208.185.54.14,1687  -> 
> x.x.x.x,53  udp
> < Jun  15  15:48:11  dc0  213.61.6.2,17613  -> 
> x.x.x.x,53  udp
> < Jun  15  15:48:11  dc0  207.235.98.194,54613  -> 
> x.x.x.x,53  udp
> < Jun  15  15:48:11  dc0  64.0.96.12,50831  -> 
> x.x.x.x,53  udp
> < Jun  15  15:48:11  dc0  209.240.77.130,39805  -> 
> x.x.x.x,53  udp
> < Jun  15  15:48:11  dc0  65.119.25.162,3058  -> 
> x.x.x.x,53  udp
> < Jun  15  15:48:11  dc0  204.176.88.5,8329  -> 
> x.x.x.x,53  udp
> < Jun  15  15:48:12  dc0  64.14.117.10,4502  -> 
> x.x.x.x,53  udp
> < Jun  15  15:48:12  dc0  212.62.17.145,54557  -> 
> x.x.x.x,53  udp
> 
> -- 
> Jason Dixon
> RHCE
> 
> 
>
----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS
> analyzer service.
> For more information on this free incident handling,
> management 
> and tracking system please see:
> http://aris.securityfocus.com
> 


__________________________________________________
Do You Yahoo!?
Yahoo! - Official partner of 2002 FIFA World Cup
http://fifaworldcup.yahoo.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Richard Ginski: "DOS by Flooding a Network"
Previous message: Jason Dixon: "Distributed ICMP/UDP scan or attack?"
In reply to: Jason Dixon: "Distributed ICMP/UDP scan or attack?"
Next in thread: Edward Beheler: "RE: Distributed ICMP/UDP scan or attack?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jun 17 2002 - 13:04:38 PDT