[Intrusions] A scan I've never seen before...

Jeff Kell jeff-kell at utc.edu
Wed Jul 6 19:43:11 GMT 2005


I just discovered a scan of a chunk (a /19 worth) of our address space with something I've never seen before.  Any hints would be appreciated.

The scans were blocked by an ingress filter, but with an unusual, out-of-place log message (Cisco):

> Jul  6 15:00:27.814 EDT: %SEC-6-IPACCESSLOGS: list ingress denied 111.222.191.132 1 packet
> Jul  6 15:00:28.994 EDT: %SEC-6-IPACCESSLOGS: list ingress denied 111.222.191.137 1 packet  [...]

Normally I would expect a "list ingress denied [tcp|udp|protocol#] source(port) -> dest(port)" type message, but this only listed the destination address and no clue what was hitting it.  I cobbled together a pcap for later analysis (I can send to anyone who needs further information to decrypt).  A quick look with ethereal shows:

A source in Venezuela...

Protocol given as "IP" and Info reads "IPv6 hop-by-hop option (0x00)".

Tcpdump of a couple (obfuscated destination addresses):

> 14:51:00.766976 IP (tos 0x0, ttl 118, id 64188, offset 0, flags [none], proto 0, length: 68) 150.187.9.11 > 111.222.182.180:  ip 48
>         0x0000:  4500 0044 fabc 0000 7600 5ccc 96bb 090b  E..D....v.\.....
>         0x0010:  1122 b6b4 4500 2d00 0000 0000 8006 0000  ....E.-.........
>         0x0020:  0000 0000 96b6 b6b4 05e4 01bd 0100 0000  ................
>         0x0030:  0000 0000 7002 faf0 3223 0000 0204 05b4  ....p...2#......
>         0x0040:  0101 0402                                ....
> 14:51:00.871265 IP (tos 0x0, ttl 118, id 64444, offset 0, flags [none], proto 0, length: 68) 150.187.9.11 > 111.222.182.181:  ip 48
>         0x0000:  4500 0044 fbbc 0000 7600 5bcb 96bb 090b  E..D....v.[.....
>         0x0010:  1122 b6b5 4500 2d00 0000 0000 8006 0000  ....E.-.........
>         0x0020:  0000 0000 96b6 b6b5 05e4 008b 0100 0000  ................
>         0x0030:  0000 0000 7002 faf0 3354 0000 0204 05b4  ....p...3T......
>         0x0040:  0101 0402                                ....

Clues?  New script kiddie?

Jeff
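Decoding the two quoted packets, as an added example that is not part of Jeff's message: the script below takes the hex dumps exactly as quoted above, parses the outer IPv4 header, and, because the outer protocol number is 0, tries to read the payload as a second IPv4 header. Both packets decode that way: the payload is an IPv4 header (TTL 128, source 0.0.0.0, a length field that does not match the bytes actually present) carrying a TCP SYN from port 1508 to port 445 in the first packet and to port 139 in the second. One caveat: the outer header checksum does not verify against the quoted bytes because the destination addresses were obfuscated before posting, so the script reports that rather than treating it as a parse failure.

```python
import socket
import struct

# Hex dumps copied from the two tcpdump lines in the post. The destination
# addresses (0x1122...) were obfuscated by the poster and are not real hosts.
PACKET1_HEX = """
4500 0044 fabc 0000 7600 5ccc 96bb 090b
1122 b6b4 4500 2d00 0000 0000 8006 0000
0000 0000 96b6 b6b4 05e4 01bd 0100 0000
0000 0000 7002 faf0 3223 0000 0204 05b4
0101 0402
"""
PACKET2_HEX = """
4500 0044 fbbc 0000 7600 5bcb 96bb 090b
1122 b6b5 4500 2d00 0000 0000 8006 0000
0000 0000 96b6 b6b5 05e4 008b 0100 0000
0000 0000 7002 faf0 3354 0000 0204 05b4
0101 0402
"""

TCP_FLAG_BITS = [("FIN", 0x001), ("SYN", 0x002), ("RST", 0x004), ("PSH", 0x008),
                 ("ACK", 0x010), ("URG", 0x020), ("ECE", 0x040), ("CWR", 0x080),
                 ("NS", 0x100)]


def hex_to_bytes(dump):
    """Turn a tcpdump -x style hex dump into raw bytes (ASCII column not included)."""
    return bytes.fromhex("".join(dump.split()))


def ipv4_checksum(header):
    """RFC 791 one's-complement sum over a header whose checksum field is zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(buf):
    """Parse one IPv4 header; return (fields, payload) or raise ValueError."""
    if len(buf) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, _tos, total_len, ident, _frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(buf):
        raise ValueError("not a well-formed IPv4 header")
    zeroed = buf[:10] + b"\x00\x00" + buf[12:ihl]   # header with checksum field cleared
    fields = {"total_len": total_len, "id": ident, "ttl": ttl, "proto": proto,
              "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
              "checksum": csum, "checksum_ok": ipv4_checksum(zeroed) == csum}
    return fields, buf[ihl:]


def parse_tcp_options(opts):
    """Decode TCP options into (name, value) pairs; unknown kinds are kept by number."""
    names = {2: "MSS", 3: "WSCALE", 4: "SACK_PERM", 8: "TIMESTAMP"}
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP padding
            out.append(("NOP", None)); i += 1; continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            raise ValueError("malformed TCP option")
        length = opts[i + 1]
        data = opts[i + 2:i + length]
        out.append((names.get(kind, "KIND%d" % kind),
                    int.from_bytes(data, "big") if data else None))
        i += length
    return out


def parse_tcp(buf):
    """Parse a TCP header (ports, sequence number, flags, window, options)."""
    if len(buf) < 20:
        raise ValueError("too short for a TCP header")
    sport, dport, seq, _ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", buf[:20])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(buf):
        raise ValueError("bad TCP data offset")
    flags = [name for name, bit in TCP_FLAG_BITS if off_flags & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "flags": flags,
            "window": window, "options": parse_tcp_options(buf[20:data_off])}


def analyze(dump):
    """Outer IPv4 header, plus inner IPv4/TCP when the outer protocol number is 0."""
    raw = hex_to_bytes(dump)
    outer, payload = parse_ipv4(raw)
    result = {"outer": outer, "inner": None, "tcp": None,
              "length_ok": outer["total_len"] == len(raw)}
    if outer["proto"] == 0:
        # Protocol 0 has no meaning as an IPv4 payload type (it is the IPv6
        # hop-by-hop number, which is why ethereal labels it so); check
        # whether the payload is itself an IPv4 header.
        try:
            inner, rest = parse_ipv4(payload)
        except ValueError:
            return result
        result["inner"] = inner
        if inner["proto"] == 6:             # TCP
            try:
                result["tcp"] = parse_tcp(rest)
            except ValueError:
                pass
    return result
```

Running `analyze(PACKET1_HEX)` returns the outer header (proto 0, TTL 118, id 64188, length field matching the 68 bytes), an inner IPv4 header with proto 6 and destination 150.182.182.180, and a TCP header for 1508 -> 445 with only SYN set, window 64240, MSS 1460 and SACK permitted; the second packet differs only in the last destination octet and in port 139.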
