Re: Ip spoof from 0.0.0.0

From: Mike Lewinski (mikeat_private)
Date: Mon Nov 04 2002 - 23:15:05 PST

    A few more data points:
    
    This scan has targeted every /24 in a /20 here. While the third and 
    fourth octets appear random, there are a couple interesting things:
    
    1) 1460 unique IPs have been targeted out of 2321 total deny entries. 
    There is some duplication of effort.
    
    2) Thus far none of the dst IPs have been above the /25 boundary in each 
    /24. If the fourth octet scan is actually limited to 0-127, then ~70% of 
    the possible targets here have been chosen at least once.
    
    A time distribution sample across the 4th octet looks like this:
    
    Nov  1 07:56:54 MST x.y.92.0
    Nov  1 12:44:08 MST x.y.83.0
    Nov  1 15:59:31 MST x.y.84.0
    Nov  1 17:10:40 MST x.y.80.0
    Nov  1 23:02:18 MST x.y.91.0
    Nov  1 23:03:11 MST x.y.81.0
    Nov  2 16:24:15 MST x.y.91.0
    Nov  2 18:10:17 MST x.y.95.0
    Nov  2 22:24:18 MST x.y.86.0
    Nov  3 12:09:46 MST x.y.85.0
    Nov  4 07:26:20 MST x.y.84.0
    Nov  4 19:10:54 MST x.y.94.0
    Nov  4 20:38:13 MST x.y.85.0
    Nov  4 21:15:37 MST x.y.84.0
    
    
    Across the 3rd octet it looks like this:
    
    Nov  4 00:27:30 MST x.y.84.119
    Nov  4 00:41:48 MST x.y.84.61
    Nov  4 00:57:01 MST x.y.84.18
    Nov  4 02:03:55 MST x.y.84.88
    Nov  4 02:26:48 MST x.y.84.41
    Nov  4 02:46:15 MST x.y.84.98
    Nov  4 05:06:20 MST x.y.84.2
    Nov  4 05:24:50 MST x.y.84.51
    Nov  4 06:09:48 MST x.y.84.7
    Nov  4 06:30:17 MST x.y.84.50
    Nov  4 07:20:39 MST x.y.84.110
    Nov  4 07:25:42 MST x.y.84.69
    Nov  4 07:26:20 MST x.y.84.0
    Nov  4 08:13:32 MST x.y.84.55
    Nov  4 08:25:58 MST x.y.84.46
    Nov  4 10:54:05 MST x.y.84.4
    Nov  4 11:32:05 MST x.y.84.87
    Nov  4 12:28:25 MST x.y.84.117
    Nov  4 12:38:27 MST x.y.84.91
    
    Also, our logs show only a single packet denied in every instance.
    
    Perhaps the payload is intended to DoS the victim per this:
    
    http://online.securityfocus.com/archive/1/256830
    
    Mike
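
The tallies in the message above (total deny entries, unique destinations, highest fourth octet seen, share of candidate targets hit) can be reproduced from a deny log with a short script. This is an added example, not part of the original post: the log lines are constructed in the post's layout, `10.0.80.0/20` is an assumed stand-in for the redacted `x.y` /20, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed deny-log sample in the post's "timestamp zone dst" layout.
# 10.0.80.0/20 stands in for the redacted x.y /20 (assumption).
SAMPLE = """\
Nov  4 00:27:30 MST 10.0.84.119
Nov  4 00:41:48 MST 10.0.84.61
Nov  4 05:06:20 MST 10.0.84.2
Nov  4 07:26:20 MST 10.0.84.0
Nov  4 07:26:20 MST 10.0.84.0
Nov  4 19:10:54 MST 10.0.94.0
Nov  4 20:38:13 MST 10.0.85.0
Nov  4 21:15:37 MST 10.0.200.9
not a deny line
"""

def coverage(unique_dsts, block, host_ceiling=127):
    """Share of candidate targets hit if the 4th octet is limited to 0..host_ceiling.
    Assumes block is a /24 or larger."""
    subnets = ipaddress.ip_network(block).num_addresses // 256
    return unique_dsts / (subnets * (host_ceiling + 1))

def summarize(log_text, block="10.0.80.0/20", host_ceiling=127):
    net = ipaddress.ip_network(block)
    hits, skipped = Counter(), 0
    for line in log_text.splitlines():
        try:
            dst = ipaddress.ip_address(line.split()[-1])
        except (IndexError, ValueError):
            skipped += 1          # blank or unparseable line
            continue
        if dst not in net:
            skipped += 1          # denied packet for some other block
            continue
        hits[dst] += 1
    total = sum(hits.values())
    return {
        "total": total,
        "unique": len(hits),
        "repeats": total - len(hits),
        "skipped": skipped,
        "max_fourth_octet": max((ip.packed[3] for ip in hits), default=None),
        "unique_per_24": dict(Counter(ip.packed[2] for ip in hits)),
        "coverage": coverage(len(hits), block, host_ceiling),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(f"post's figures: {coverage(1460, '10.0.80.0/20'):.1%}")
```

With the post's own figures, a /20 holds 16 /24s of 128 candidate addresses each, so 1460 unique destinations out of 2048 is about 71%, and 2321 entries minus 1460 unique leaves 861 repeats.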
    
    