[Dshield] Weird scanning, weird ports, weird TCP flags..

Jon R. Kibler Jon.Kibler at aset.com
Thu Oct 23 16:20:33 GMT 2003


Tom Liston wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> It sounds like you're seeing is what is known as "back-scatter."
> 
> This is caused when someone attacks a machine on the internet using your
> IP address as a source on a spoofed packet.  Normally this is part of a
> denial of service attack.  The attacked machine is responding back to your
> IP address with a SYN-ACK or RST-ACK in response to a spoofed inbound SYN.
> 
> - -TL

We too have been seeing a lot of apparent scanning on 'strange' TCP and UDP ports (ports > 32k) and thought that it was backscatter. However, upon closer analysis, most of these garbage packets are coming from bogus IPs (private address space and ranges like: 0/8, 1/8, 126/8, etc.) and we are only seeing a few per port.

The amount of the garbage traffic has grown in the past week or two from one or two a day ports per day (fairly constant for the past few years) to now we are seeing dozens or more a day. A few are from legit IPs and are probably backscatter -- but anyone have any ideas about the rest coming from bogus IPs?

Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214




==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.



More information about the list mailing list