[Dshield] UDP scans of 18000+ ports

Pete Cap peteoutside at yahoo.com
Tue Feb 3 15:53:19 GMT 2004

Someone is probably performing reconnaissance against your client.
53 is associated with DNS (check out RFC 2929) but if you're seeing a sudden spike in progressive scans on ephemeral ports--yeah, that's probably illicit.
What he's going to try to do is infer information about your network based on responses he gets from his scanning (e.g. host/port unreachable messages, response to weird packets, etc.).  Even a lack of response is an indicator--that a firewall is present.
You have some data on him right now:
One, you know SOMEONE is interested.  So ask yourself "who?", and "in what?", and "why?"
Two, if they are just beginning these scans then they probably don't have anyone helping them on the inside.
Three, if it's noisy enough to alert you, then you're probably not dealing with an advanced attacker.

I suggest you do two things:
First, perform a little risk assessment in your head--balance the risk to your enterprise if that machine is compromised (what data does it store?  what else on the network can it access?) versus how much protection it already has...I'm sure you don't need to be advised to make sure you're all patched up.  No firewall is airtight--you have to stay on it.
Second, capture some of those scans and post them to the list.  There are enough "packet ninjas" listening that someone will probably be able to tell you if the traffic is malformed (and thus crafted...sometimes you can tell what exploit programs someone is using).
Best of luck,

traef06 RAEF <traef06 at msn.com> wrote:
I realize all these were blocked but I'm trying to learn about what they're 
searching for. Anyone with "useful" information please reply.

I see the source port is 53 and the dest port is in the higher 18100+ range. 
What are they looking for?
Also drill down toward the bottom and see that this client started getting 
TCP FIN attempts to high ports.

This firewall has been operational for over a year and these just started 

Thank you in advance for all useful answers.
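
Added example, not part of the original thread: a triage pass one could run over blocked-packet logs before posting captures to the list. It groups drops by source and checks for the two patterns discussed above (UDP from source port 53 walking consecutive high ports, and FIN-only TCP to high ports). The key=value log format, field names, addresses and the `min_ports` threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical key=value firewall log format.
SAMPLE_LOG = """\
action=drop proto=udp src=192.0.2.10 sport=53 dst=198.51.100.5 dport=18101
action=drop proto=udp src=192.0.2.10 sport=53 dst=198.51.100.5 dport=18102
action=drop proto=udp src=192.0.2.10 sport=53 dst=198.51.100.5 dport=18103
action=drop proto=udp src=192.0.2.10 sport=53 dst=198.51.100.5 dport=18104
action=drop proto=tcp src=192.0.2.10 sport=40000 dst=198.51.100.5 dport=18200 flags=F
action=drop proto=tcp src=192.0.2.10 sport=40001 dst=198.51.100.5 dport=18201 flags=F
action=drop proto=udp src=203.0.113.7 sport=53 dst=198.51.100.5 dport=33012
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def summarize(log_text, min_ports=4):
    """Group dropped packets by source and describe the port pattern."""
    by_src = defaultdict(lambda: {"udp53": set(), "fin": set()})
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("action") != "drop" or "dport" not in f:
            continue  # skip blank, allowed, or incomplete entries
        dport = int(f["dport"])
        if f.get("proto") == "udp" and f.get("sport") == "53":
            by_src[f["src"]]["udp53"].add(dport)
        elif f.get("proto") == "tcp" and f.get("flags") == "F":
            by_src[f["src"]]["fin"].add(dport)  # FIN set, no other flags

    report = {}
    for src, seen in by_src.items():
        ports = sorted(seen["udp53"])
        # "Progressive" here means the distinct destination ports are consecutive.
        steps = [b - a for a, b in zip(ports, ports[1:])]
        progressive = len(ports) >= min_ports and all(s == 1 for s in steps)
        report[src] = {
            "udp53_ports": len(ports),
            "progressive": progressive,
            "fin_ports": len(seen["fin"]),
        }
    return report


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```
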

