On Thu, Feb 13, 2003, Chris Brenton wrote:

> On Thu, 2003-02-13 at 17:35, Neil Dickey wrote:
> >
> > I have noticed what appears to be a new ( to me, anyway )
> > sort of scan in my Snort logs, which are appended below.
>
> Doubtful this is some kind of a scan. These are ICMP type 3
> packets, which never stimulate a response. This means that
> whether it reached your internal host, or got blocked by a
> firewall, no reply would be returned. No reply means that it's
> not very useful as a scan. This also rules out you being the
> quiet host end of an idle scan.

At first I thought it might be the after-effects of an nmap idle scan actually. That is, instead of RSTs (unfiltered traffic) you are seeing ICMP (3, 13) indicating the traffic to the destination is filtered. But the source port in the original packets does not meet my expectations. So I'm doubtful it was that. If there's a way for nmap to perform an idle scan using randomized source ports off a zombie, then just maybe...

> > I'm getting a "Dest. Unreach." signal from an educational
> > network in Beijing, China, that arrived at a time when
> > no-one was using the boxes from which the TCP sessions were
> > supposed to have originated.
>
> Just because no one is in your office, does not mean that no
> one is using your systems. ;-)

So true <g>

> > Eight different machines at our site were involved,
> > including unix boxes, printers, and PCs.
>
> Based on this info, I'm leaning towards someone spoofing
> your address space (maybe decoy packets?). Reasoning is below.

Your reasoning (snipped) is sound. And I think I agree.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
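The thread's diagnosis rests on one check: an ICMP type 3 message quotes the header of the packet that triggered it, so the quoted source address and port can be compared against what the local hosts actually sent. The following is an added example, not code from the thread or from Snort; it constructs a sample type 3 / code 13 message, decodes the quoted IPv4/TCP header, and labels it as a genuine reply, backscatter from a spoofed source, or unrelated. The `local_net` and `known_flows` inputs are assumptions (a flow table would come from the firewall state or NetFlow in practice).

```python
import struct
import ipaddress

ICMP_DEST_UNREACH = 3      # ICMP type 3
CODE_ADMIN_FILTERED = 13   # code 13: communication administratively prohibited

def make_unreach(code, orig_src, orig_dst, sport, dport, proto=6):
    """Construct a sample ICMP type-3 message quoting an original IPv4/TCP
    packet (constructed test data; checksums are left at zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(orig_src).packed,
                         ipaddress.IPv4Address(orig_dst).packed)
    l4 = struct.pack("!HHI", sport, dport, 0)   # first 8 bytes of TCP: ports + seq
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + ip_hdr + l4

def parse_unreach(msg):
    """Decode an ICMP type-3 message and the original packet it quotes.
    Returns None if this is not a type-3 message or is too short to quote one."""
    icmp_type, code = msg[0], msg[1]
    if icmp_type != ICMP_DEST_UNREACH or len(msg) < 8 + 20 + 8:
        return None
    inner = msg[8:]                      # quoted original IPv4 header starts here
    ihl = (inner[0] & 0x0F) * 4          # header length in bytes
    proto = inner[9]
    src = str(ipaddress.IPv4Address(inner[12:16]))
    dst = str(ipaddress.IPv4Address(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {"code": code, "proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport}

def classify(msg, local_net, known_flows):
    """Decide whether the quoted packet was really sent from our network.
    known_flows (assumed input): set of (src, sport, dst, dport) tuples that a
    local host actually opened, e.g. from the firewall state table."""
    info = parse_unreach(msg)
    if info is None:
        return "not-unreach"
    if ipaddress.IPv4Address(info["src"]) not in ipaddress.IPv4Network(local_net):
        return "foreign-source"          # quoted packet does not even claim to be ours
    flow = (info["src"], info["sport"], info["dst"], info["dport"])
    if flow in known_flows:
        return "genuine-reply"           # our host really sent it; the ICMP is legitimate
    return "backscatter-spoofed"         # our address was used as a spoofed/decoy source
```

A printer or idle workstation that never opened the quoted flow but appears as its source is exactly the "backscatter-spoofed" case the thread lands on.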
This archive was generated by hypermail 2b30 : Fri Feb 14 2003 - 20:58:38 PST