[Dshield] Port 10/tcp scans

Ken Eichman keichman at cas.org
Thu Dec 11 15:13:25 GMT 2003


Starting around 00 GMT today my network began getting a lot of port 10/tcp
scans. This is a new one for me. So far all I've been able to capture are
empty packets, e.g.:

12/11-15:01:39.724609 24.10.82.240:3501 -> XXX.XXX.XX.XX:10
TCP TTL:114 TOS:0x0 ID:11835 IpLen:20 DgmLen:48 DF
******S* Seq: 0x25A5BE86  Ack: 0x0  Win: 0xFAF0  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/11-15:01:41.014175 24.10.82.240:3501 -> XXX.XXX.XX.XX:10
TCP TTL:114 TOS:0x0 ID:11853 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x25A5BE87  Ack: 0x38E44CF6  Win: 0xFD5C  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/11-15:01:41.085775 24.10.82.240:3501 -> XXX.XXX.XX.XX:10
TCP TTL:114 TOS:0x0 ID:11854 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x25A5BE88  Ack: 0x38E44CF7  Win: 0xFD5C  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Sources are mostly DSL/cablemodem networks - lots of Comcast; sources don't
appear to be spoofed addresses. Maybe a botnet?

Ken Eichman                 Senior Scientist
Chemical Abstracts Service  IT Information Security
2540 Olentangy River Road   614-447-3600 ext. 3230
Columbus, OH 43210          keichman at cas.org
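
Added example, not part of the original post: a small Python parser for the packet-log format quoted above. It derives each packet's payload size as DgmLen - IpLen - TcpLen and groups records per flow, which is how "empty packets" can be confirmed across a larger capture. The input is the three records from the post (separator lines omitted); the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed input: the three records quoted in the post, destination redacted as there.
SAMPLE = """\
12/11-15:01:39.724609 24.10.82.240:3501 -> XXX.XXX.XX.XX:10
TCP TTL:114 TOS:0x0 ID:11835 IpLen:20 DgmLen:48 DF
******S* Seq: 0x25A5BE86  Ack: 0x0  Win: 0xFAF0  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
12/11-15:01:41.014175 24.10.82.240:3501 -> XXX.XXX.XX.XX:10
TCP TTL:114 TOS:0x0 ID:11853 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x25A5BE87  Ack: 0x38E44CF6  Win: 0xFD5C  TcpLen: 20
12/11-15:01:41.085775 24.10.82.240:3501 -> XXX.XXX.XX.XX:10
TCP TTL:114 TOS:0x0 ID:11854 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x25A5BE88  Ack: 0x38E44CF7  Win: 0xFD5C  TcpLen: 20
"""

HEAD = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
IPHDR = re.compile(r"IpLen:(\d+) DgmLen:(\d+)")
TCPHDR = re.compile(r"^([*12UAPRSF]{8}) Seq: (0x[0-9A-Fa-f]+)\s+Ack: (0x[0-9A-Fa-f]+).*TcpLen: (\d+)")

def parse(text):
    """Return one dict per TCP record; payload = DgmLen - IpLen - TcpLen."""
    packets, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := HEAD.match(line):
            cur = {"ts": m[1], "src": m[2], "sport": int(m[3]), "dst": m[4], "dport": int(m[5])}
        elif cur and (m := IPHDR.search(line)):
            cur["iplen"], cur["dgmlen"] = int(m[1]), int(m[2])
        elif cur and "iplen" in cur and (m := TCPHDR.match(line)):
            cur["flags"] = m[1].replace("*", "")      # e.g. "***A***F" -> "AF"
            cur["seq"] = int(m[2], 16)
            cur["payload"] = cur["dgmlen"] - cur["iplen"] - int(m[4])
            packets.append(cur)
            cur = None
    return packets

def summarize(packets):
    """Group by flow 4-tuple: ordered flag sequence and total payload bytes."""
    flows = defaultdict(lambda: {"flags": [], "payload": 0})
    for p in packets:
        flow = flows[(p["src"], p["sport"], p["dst"], p["dport"])]
        flow["flags"].append(p["flags"])
        flow["payload"] += p["payload"]
    return dict(flows)

if __name__ == "__main__":
    for key, info in summarize(parse(SAMPLE)).items():
        print(key, info["flags"], "payload bytes:", info["payload"])
```

On the sample this reports one flow with the flag sequence S, AF, A and 0 payload bytes.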



