[Dshield] Weird scanning, weird ports, weird TCP flags..

Dale Clapperton (lists) lists at blackbird.net.au
Wed Oct 22 06:20:20 GMT 2003

Hi all

I've recently found some very weird traffic which seems to be scanning
our network for something.

It's coming from two addresses in the one /24, of a hosting provider in
the States.  Based on the SMTP banner on one of them, at least one is a
Windows machine.  The source port is always port 80.

The destination IPs are random addresses within our network, most of
which are unused.  The destination ports seem random but in the range
(approx) of 1000-5000.

The flow records show that the packets have either the SYN and ACK flags
set, or RST and ACK.  There doesn't seem to be a particular pattern to
it.  All the other TCP scanning into our network has only the SYN flag
set, as you would expect for normal port scanning.

Does anyone have an idea what this could be?
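The check a practitioner would run on the flow records described above is whether any of those SYN/ACK and RST/ACK packets answer a connection attempt that our side actually made. A SYN/ACK or RST/ACK from a service port (80) is what a host sends in reply to a SYN; if no outbound SYN from us matches it, the reply is unsolicited. Unsolicited replies of exactly this shape, spread over random addresses including unused ones, are the well-known signature of backscatter from a flood that spoofs source addresses in the receiver's range (the remote host is answering packets it believes came from "our" addresses). The script below is an added example, not code from the original post or from the DShield list: it parses a constructed, space-separated flow format (timestamp, src, sport, dst, dport, TCP flag letters), builds the set of SYNs our network sent, and flags inbound SYN/ACK or RST/ACK flows with no matching outbound SYN. The network 203.0.113.0/24, the "unused" host range and the sample flow lines are all constructed for the example.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed for the example: our prefix and the addresses we know are unused.
OUR_NET = ipaddress.ip_network("203.0.113.0/24")
UNUSED = {ipaddress.ip_address(f"203.0.113.{i}") for i in range(200, 256)}

# Constructed flow records: ts src sport dst dport flags (S=SYN A=ACK R=RST).
# Flow 2 is a legitimate reply to flow 1; flows 3, 4 and 6 answer SYNs we never sent.
SAMPLE_FLOWS = """\
1066800000 203.0.113.10 51234 198.51.100.7 80 S
1066800000 198.51.100.7 80 203.0.113.10 51234 SA
1066800001 198.51.100.20 80 203.0.113.211 1423 SA
1066800002 198.51.100.21 80 203.0.113.250 3877 RA
1066800003 198.51.100.30 52000 203.0.113.10 22 S
1066800004 198.51.100.20 80 203.0.113.15 2244 SA
"""


@dataclass(frozen=True)
class Flow:
    ts: int
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    flags: str


def parse_flows(text):
    """Parse the constructed flow format into Flow objects, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, flags = line.split()
        flows.append(Flow(int(ts), ipaddress.ip_address(src), int(sport),
                          ipaddress.ip_address(dst), int(dport), flags.upper()))
    return flows


def find_unsolicited(flows):
    """Return inbound SYN/ACK or RST/ACK flows that answer no SYN our network sent."""
    # Every plain SYN (SYN without ACK) that left our network, keyed so it can be
    # matched against the reply direction: (their_ip, their_port, our_ip, our_port).
    outbound = {
        (f.dst, f.dport, f.src, f.sport)
        for f in flows
        if f.src in OUR_NET and "S" in f.flags and "A" not in f.flags
    }
    flagged = []
    for f in flows:
        if f.dst not in OUR_NET:
            continue
        fl = set(f.flags)
        # Only the SYN/ACK and RST/ACK reply shapes are of interest here; a bare
        # SYN is ordinary port scanning and is left to the usual scan detection.
        if not ({"S", "A"} <= fl or {"R", "A"} <= fl):
            continue
        if (f.src, f.sport, f.dst, f.dport) in outbound:
            continue  # a reply to a connection we really opened
        flagged.append(f)
    return flagged


def summarize(flagged):
    """Count unsolicited replies per (source, source port) and hits on unused addresses."""
    per_source = Counter((str(f.src), f.sport) for f in flagged)
    unused_hits = sum(1 for f in flagged if f.dst in UNUSED)
    return per_source, unused_hits


if __name__ == "__main__":
    hits = find_unsolicited(parse_flows(SAMPLE_FLOWS))
    per_source, unused_hits = summarize(hits)
    for f in hits:
        print(f"{f.ts} {f.src}:{f.sport} -> {f.dst}:{f.dport} [{f.flags}] unsolicited")
    print("per source:", dict(per_source), "hits on unused addresses:", unused_hits)
```

Run against real records, the interesting output is the per-source count: a handful of remote hosts replying from one service port to many of our addresses, none of which opened a connection, with many of the targets unused, is the pattern to report. The flows are inbound from the remote hosts' point of view only in the sense that they carry our addresses as destination; nothing on our side is being probed, so there is nothing to block beyond the usual default-deny, and the useful action is to notify the remote host's operator that their server is being hit with traffic forged to look like ours.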
