Re: Help with an odd log file...

From: James C. Slora Jr. (Jim.Sloraat_private)
Date: Wed Jun 11 2003 - 18:28:44 PDT


    There has been some sort of change in the window=55808 traffic - either in
    some interaction with the target or in what the prober is trying to do. (Or
    security researchers are probing around with bogus traffic similar to the
    covert channel).
    
    The primary prober (one to one prober) has suddenly changed the IP ID after
    maintaining a constant number to my target since May 17th as far as I have
    noticed.
    
    Two "agents" (one to many probers) also sent sequence numbers that are
    different from that used by every single previous packet from all sources to
    my target.
    
    Is anyone else seeing a departure from the norm of these probes starting
    today?
    
    Ken Eichman wrote Monday, June 09, 2003 3:58 PM
    
    > We're seeing a around 100-200 "agents" (as you call them) here. I also
    > concluded that the one-to-one source-to-destination probers are spoofed
    > (i.e., your "primary prober"), and I've been looking at the one-to-many
    > probers
    > ("agents") as the interesting traffic. Presently each of these ~100
    > probers are our /16 network anywhere from once/minute (the most active
    > prober) to once every 1-3 hours. As you found, these addresses are
    > dominated by cable/DSL/broadband providers. Another common thread is that
    > many (but not all) of them have open netbios port(s), primarily 135/tcp.
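As an added example (not from this post or from either poster), a small Python script that runs the kind of checks described above over constructed packet summaries: it keeps only packets with TCP window 55808, flags a source whose IP ID changes after having been constant, and flags a sequence number that no earlier packet from any source used. The record layout and all addresses and values are assumed.

```python
from collections import namedtuple

# Constructed sample records (not taken from the original post). One entry per
# packet seen at the monitored target, in the order it was captured.
Packet = namedtuple("Packet", "ts src dst ip_id seq window")
SAMPLE_PACKETS = [
    Packet("2003-06-10T08:00:00", "10.0.0.5",     "192.0.2.10", 34509, 1000001, 55808),
    Packet("2003-06-10T09:00:00", "10.0.0.5",     "192.0.2.10", 34509, 1000001, 55808),
    Packet("2003-06-11T08:00:00", "10.0.0.5",     "192.0.2.10", 34509, 1000001, 55808),
    Packet("2003-06-11T09:30:00", "10.0.0.5",     "192.0.2.10",    12, 1000001, 55808),  # IP ID changed
    Packet("2003-06-11T10:00:00", "203.0.113.7",  "192.0.2.10",   777, 1000001, 55808),
    Packet("2003-06-11T10:05:00", "203.0.113.9",  "192.0.2.10",   778,  424242, 55808),  # unseen seq
    Packet("2003-06-11T10:06:00", "198.51.100.2", "192.0.2.10",     5,      99,  8192),  # not the signature
]

# The window size the thread uses as the signature of this probe traffic.
PROBE_WINDOW = 55808


def analyze(packets, window=PROBE_WINDOW):
    """Return (matched, ip_id_changes, novel_seqs).

    matched        - packets carrying the signature window size, in time order
    ip_id_changes  - (ts, src, old_ip_id, new_ip_id) when a source's IP ID changes
    novel_seqs     - (ts, src, seq) when seq was never used by any earlier packet
    """
    matched = sorted((p for p in packets if p.window == window), key=lambda p: p.ts)
    last_ip_id = {}     # per-source IP ID seen most recently
    seen_seqs = set()   # sequence numbers used by any earlier matched packet
    ip_id_changes, novel_seqs = [], []
    for p in matched:
        if p.src in last_ip_id and last_ip_id[p.src] != p.ip_id:
            ip_id_changes.append((p.ts, p.src, last_ip_id[p.src], p.ip_id))
        last_ip_id[p.src] = p.ip_id
        # Only packets after the first can be "different from every previous one".
        if seen_seqs and p.seq not in seen_seqs:
            novel_seqs.append((p.ts, p.src, p.seq))
        seen_seqs.add(p.seq)
    return matched, ip_id_changes, novel_seqs


if __name__ == "__main__":
    matched, changes, novel = analyze(SAMPLE_PACKETS)
    print(f"{len(matched)} packets with window={PROBE_WINDOW}")
    for ts, src, old, new in changes:
        print(f"{ts} {src}: IP ID changed {old} -> {new}")
    for ts, src, seq in novel:
        print(f"{ts} {src}: sequence number {seq} not used by any earlier packet")
```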
    
    This archive was generated by hypermail 2b30 : Thu Jun 12 2003 - 10:22:11 PDT