[Dshield] Scans occurring in large bursts

Pete Cap peteoutside at yahoo.com
Wed Feb 11 18:14:49 GMT 2004


Jon,
 
I have been wondering about this lately as well.
 
Let me propose a hypothetical for the list...
You have 10 hosts which you're monitoring.
Each of them gets ALL of its ports probed on a daily basis...but the IP addresses are always different or almost always different.
How can you decide if you're being steadily mapped?
How easy is it for someone to change his IP address if it's assigned by an ISP or some such?
 
Regards,
 
Pete

"Jon R. Kibler" <Jon.Kibler at aset.com> wrote:
Hello all,

For about the last month or so, we have had a fairly consistent rate of port scans occurring, averaging about 10/IP/hr. This rate has varied between 2/IP/hr and 20/IP/hr. However, it has been consistent within that range.

In the past few days, we have seen some wild fluctuations in these scan rates. The range seems to have expanded to be from 2/IP/hr to 100/IP/hr. Checking the logs in detail, we see bursts where multiple ports are repeatedly scanned from multiple locations, essentially simultaneously. The ports hit vary widely, but usually include:
TCP: 445, 135, 25, 80, 3127, 3128, 1080, 53, 21, 22, 111, 443, 8080, 81
UDP: 1434, 137, 135, 1026

These bursts are usually accompanied by a spike in ICMP "Communications Administratively Prohibited" (ICMP type 3/13) packets (usually 40 to 100 in a burst) originating from private address space (usually 10.x). In some cases, the scans are preceded by ICMP "Echo Request" (8/0) from each probing IP, but this is not consistent.

Normally, I would think that someone is either nmap-ing us or running an open proxy testing program, except that the source IPs differ for each probe.

We don't have any packets captured, because all of this traffic is being blocked by our border router.

Any thoughts as to what is going on here?

--
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC USA
(843) 849-8214
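As an added example, not part of either message in this thread, here is detection logic for the two patterns being discussed: Jon's short bursts where many distinct sources hit one target at once, and Pete's slow map where a target's ports get covered over a day by sources that each send only a probe or two. The log line format, the sample lines and the thresholds are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of probes dropped at a border router (not from the post);
# the line format is an assumption of this example.
LOG = """\
2004-02-11T09:05:10 src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=445
2004-02-11T09:05:11 src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=135
2004-02-11T09:41:03 src=198.51.100.7 dst=192.0.2.10 proto=udp dport=1434
2004-02-11T10:15:00 src=203.0.113.77 dst=192.0.2.10 proto=tcp dport=3128
2004-02-11T10:15:01 src=203.0.113.78 dst=192.0.2.10 proto=tcp dport=1080
2004-02-11T10:15:01 src=203.0.113.79 dst=192.0.2.10 proto=tcp dport=22
2004-02-11T10:15:02 src=203.0.113.80 dst=192.0.2.10 proto=tcp dport=8080
2004-02-11T10:15:03 src=203.0.113.81 dst=192.0.2.10 proto=udp dport=137
2004-02-11T11:30:00 src=198.51.100.20 dst=192.0.2.11 proto=tcp dport=445
"""
LINE = re.compile(r"(\S+) src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")

def parse(text):
    # -> list of (time, src, dst, proto, port), oldest first
    evs = [(datetime.fromisoformat(t), s, d, p, int(port))
           for t, s, d, p, port in LINE.findall(text)]
    return sorted(evs)

def find_bursts(events, window_s=60, min_probes=5, min_sources=5):
    """Flag a target when many distinct sources hit it within one short window:
    the 'multiple ports, multiple locations, simultaneously' pattern."""
    found, seen = [], set()
    for i, (t0, _, dst, _, _) in enumerate(events):
        if dst in seen:
            continue
        win = [e for e in events[i:] if e[2] == dst
               and (e[0] - t0).total_seconds() <= window_s]
        if len(win) >= min_probes and len({e[1] for e in win}) >= min_sources:
            found.append((dst, t0.isoformat(), len(win))); seen.add(dst)
    return found

def mapping_profile(events):
    """Per target: (distinct ports probed, distinct sources, ports per source).
    Broad port coverage spread over sources that each send one or two probes is
    the slow, distributed map Pete describes; per-source thresholds never trip."""
    ports, srcs = defaultdict(set), defaultdict(set)
    for _, src, dst, proto, port in events:
        ports[dst].add((proto, port))
        srcs[dst].add(src)
    return {d: (len(ports[d]), len(srcs[d]), round(len(ports[d]) / len(srcs[d]), 2))
            for d in ports}
```

Run over a full day's drops, a target with a high port count and a ports-per-source ratio near 1 is being mapped steadily even though no single source ever crosses a per-IP rate threshold.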