[Dshield] Weird scanning, weird ports, weird TCP flags..

Nick Harley nickharley at bcbsal.org
Thu Oct 23 18:21:26 GMT 2003

This is a bit of a newbie question but I don't understand your range
notation: "private address space and ranges like: 0/8, 1/8, 126/8, etc."
Can anyone tell me how this works? I've seen it in other places as well
but no one's really been able to give a good explanation.

>>> Jon.Kibler at aset.com 10/23/2003 11:20:33 AM >>>
Tom Liston wrote:
> Hash: SHA1
> It sounds like you're seeing is what is known as "back-scatter."
> This is caused when someone attacks a machine on the internet using
> IP address as a source on a spoofed packet.  Normally this is part of
> denial of service attack.  The attacked machine is responding back to
> IP address with a SYN-ACK or RST-ACK in response to a spoofed inbound
> - -TL

We too have been seeing a lot of apparent scanning on 'strange' TCP and
UDP ports (ports > 32k) and thought that it was backscatter. However,
upon closer analysis, most of these garbage packets are coming from
bogus IPs (private address space and ranges like: 0/8, 1/8, 126/8, etc.)
and we are only seeing a few per port.

The amount of the garbage traffic has grown in the past week or two
from one or two a day ports per day (fairly constant for the past few
years) to now we are seeing dozens or more a day. A few are from legit
IPs and are probably backscatter -- but anyone have any ideas about the
rest coming from bogus IPs?

Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214

Filtered by: TRUSTEM.COM's Email Filtering Service
No Spam. No Viruses. Just Good Clean Email.

This e-mail is intended for the sole use of the individual(s) to whom it is
addressed, and may contain information that is privileged, confidential and
exempt from disclosure under applicable law.  You are hereby notified that any
dissemination, duplication, or distribution of this transmission by someone
other than the intended addressee or its designated agent is strictly
prohibited.  If you receive this e-mail in error, please notify me immediately
by replying to this e-mail.

More information about the list mailing list