[Dshield] Port 10/tcp scans

Ken Eichman keichman at cas.org
Thu Dec 11 15:13:25 GMT 2003

Starting around 00 GMT today my network began getting a lot of port 10/tcp
scans. This is a new one for me. So far all I've been able to capture are
empty packets, e.g.:

12/11-15:01:39.724609 -> XXX.XXX.XX.XX:10
TCP TTL:114 TOS:0x0 ID:11835 IpLen:20 DgmLen:48 DF
******S* Seq: 0x25A5BE86  Ack: 0x0  Win: 0xFAF0  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

12/11-15:01:41.014175 -> XXX.XXX.XX.XX:10
TCP TTL:114 TOS:0x0 ID:11853 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x25A5BE87  Ack: 0x38E44CF6  Win: 0xFD5C  TcpLen: 20

12/11-15:01:41.085775 -> XXX.XXX.XX.XX:10
TCP TTL:114 TOS:0x0 ID:11854 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x25A5BE88  Ack: 0x38E44CF7  Win: 0xFD5C  TcpLen: 20

Sources are mostly DSL/cablemodem networks - lots of Comcast; sources don't
appear to be spoofed addresses. Maybe a botnet?

Ken Eichman                 Senior Scientist
Chemical Abstracts Service  IT Information Security
2540 Olentangy River Road   614-447-3600 ext. 3230
Columbus, OH 43210          keichman at cas.org
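
Added example (not part of the original post): a Python parser for the Snort-style packet dump quoted above. It computes each packet's payload length from DgmLen, IpLen and TcpLen, and uses the sequence numbers to confirm that the client sent no data between SYN and FIN. The IP addresses and source port in the sample are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the layout quoted in the post; the addresses and the
# source port are documentation placeholders (the post elides them).
SAMPLE = """\
12/11-15:01:39.724609 192.0.2.10:4321 -> 198.51.100.5:10
TCP TTL:114 TOS:0x0 ID:11835 IpLen:20 DgmLen:48 DF
******S* Seq: 0x25A5BE86  Ack: 0x0  Win: 0xFAF0  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

12/11-15:01:41.014175 192.0.2.10:4321 -> 198.51.100.5:10
TCP TTL:114 TOS:0x0 ID:11853 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x25A5BE87  Ack: 0x38E44CF6  Win: 0xFD5C  TcpLen: 20

12/11-15:01:41.085775 192.0.2.10:4321 -> 198.51.100.5:10
TCP TTL:114 TOS:0x0 ID:11854 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x25A5BE88  Ack: 0x38E44CF7  Win: 0xFD5C  TcpLen: 20
"""

HDR = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$", re.M)
LEN = re.compile(r"IpLen:(\d+) DgmLen:(\d+)")
TCP = re.compile(r"^([\w*]{8}) Seq: 0x([0-9A-F]+).*TcpLen: (\d+)", re.M)

def parse(dump):
    """Yield (flow, flags, seq, payload_len) for each TCP record."""
    for rec in re.split(r"\n\s*\n", dump.strip()):
        h, l, t = HDR.search(rec), LEN.search(rec), TCP.search(rec)
        if h and l and t:
            flow = (h[2], int(h[3]), h[4], int(h[5]))
            # payload = IP datagram length - IP header - TCP header
            payload = int(l[2]) - int(l[1]) - int(t[3])
            yield flow, t[1], int(t[2], 16), payload

def empty_sessions(dump):
    """Flows where the client went from SYN to FIN without sending a byte."""
    flows = defaultdict(list)
    for flow, flags, seq, payload in parse(dump):
        flows[flow].append((flags, seq, payload))
    hits = []
    for flow, pkts in flows.items():
        # Snort prints flags as 12UAPRSF: index 3 = ACK, 6 = SYN, 7 = FIN
        syn = next((s for f, s, _ in pkts if f[6] == "S" and f[3] != "A"), None)
        fin = next((s for f, s, _ in pkts if f[7] == "F"), None)
        # SYN consumes one sequence number, so FIN seq == ISN + 1 means
        # zero data bytes were sent in between.
        if syn is not None and fin == (syn + 1) % 2**32 and not any(p for _, _, p in pkts):
            hits.append(flow)
    return hits
```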
