[Dshield] Scans occurring in large bursts
Jon R. Kibler
Jon.Kibler at aset.com
Wed Feb 11 17:38:14 GMT 2004
For about the last month or so, we have had a fairly consistent rate of port scans occurring, averaging about 10/IP/hr. This rate has varied between 2 IP/hr and 20/IP/hr. However, it has been consistent with that range.
In the past few days, we have seen some wild fluctuations in these scan rates. The range seems to have expanded to be, from 2/IP/hr to 100/IP/hr. Checking the logs in detail, we see bursts where multiple ports are repeatedly scanned from multiple locations, essentially simultaneously. The ports hit vary widely, but usually include:
TCP: 445, 135, 25, 80, 3127, 3128, 1080, 53, 21, 22, 111, 443, 8080, 81
UDP: 1434, 137, 135, 1026
These bursts are usually accompanied by a spike in ICMP "Communications Administratively Prohibited" (ICMP type 3/13) packets (usually 40 to 100 in a burst) originating from private address space (usually 10.x). In some cases, the scans are preceded by ICMP "Echo Request" (8/0) from each probing IP, but this is not consistent.
Normally, I would think that someone is either nmap-ing us or running an open proxy testing program, except for the source IPs differ for each probe.
We don't have any packets captured, because all of this traffic is being blocked by our border router.
Any thoughts as to what is going on here?
Jon R. Kibler
Chief Technical Officer
Charleston, SC USA
Filtered by: TRUSTEM.COM's Email Filtering Service
No Spam. No Viruses. Just Good Clean Email.
More information about the list