[Dshield] Scans occurring in large bursts

Jon R. Kibler Jon.Kibler at aset.com
Wed Feb 11 20:51:11 GMT 2004


Stephane Grobety wrote:
> 
> JRK> Normally, I would think that someone is either nmap-ing us or
> JRK> running an open proxy testing program, except that the source IPs
> JRK> differ for each probe.
> 
> My bet would be that someone is NMapping you using the -D (decoy)
> option. In short, it's sending a large range of packets with dummy
> source IP (provided by the command-line) in order to hide the one true
> IP in the list: the one of the attacker.
> 
> That's, of course, only a possibility.
> 
> Good luck,
> Stephane
> 

I thought about a decoy nmap scan, but it left me without an explanation for the ICMP 3/31 traffic that seems related. Also, it appears to be scans more oriented towards finding open proxy servers (except for the 53/tcp and 111/tcp probes).

I was hoping that someone else would say, "yes, I've seen that and snort says it is...". Unfortunately, we run snort behind the router so it does us no good in this case.

--
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
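The thread's observation, bursts of probes in which every packet carries a different source address, is something a border-side log (ahead of the router, where the snort sensor in this case cannot see) can be checked for directly. The following is an added example, not code from the list post or from any tool mentioned in it: it parses a few constructed firewall log lines (the timestamps, addresses and ports are made up and use documentation ranges), groups probes against one target into short time windows, and flags windows in which many distinct sources appear, reporting which ports were hit and which of those are common open-proxy ports. The port set and thresholds are assumptions chosen for the demonstration. With a decoy scan of the kind Stephane describes, the real sender is one entry among the decoys, so the detector keeps the whole source list rather than trying to pick one out.

```python
"""Flag bursts of probes against one target from many distinct source IPs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not from the thread: "timestamp src dst dport proto".
SAMPLE_LOG = """\
2004-02-11T20:40:01 203.0.113.5 198.51.100.10 8080 tcp
2004-02-11T20:40:02 203.0.113.77 198.51.100.10 3128 tcp
2004-02-11T20:40:02 192.0.2.19 198.51.100.10 1080 tcp
2004-02-11T20:40:03 198.18.0.4 198.51.100.10 53 tcp
2004-02-11T20:40:04 192.0.2.200 198.51.100.10 111 tcp
2004-02-11T20:40:05 203.0.113.9 198.51.100.10 8080 tcp
2004-02-11T20:55:00 192.0.2.19 198.51.100.10 80 tcp
2004-02-11T21:10:00 203.0.113.5 198.51.100.10 22 tcp
"""

# Assumed set of ports commonly probed by open-proxy scanners (an assumption for this example).
PROXY_PORTS = {1080, 3128, 8000, 8080, 8888}


def parse_log(text):
    """Parse the simple five-field log format into (time, src, dst, dport, proto) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return events


def find_bursts(events, window=timedelta(seconds=30), min_sources=4):
    """Return one record per (window, target) where at least min_sources
    distinct source addresses probed that target within `window` seconds.

    Windows are tumbling: each starts at the first event not yet assigned, so a
    burst is reported once rather than once per contained event.
    """
    events = sorted(events)
    bursts = []
    i, n = 0, len(events)
    while i < n:
        start = events[i][0]
        j = i
        while j < n and events[j][0] - start <= window:
            j += 1
        by_target = defaultdict(list)
        for ev in events[i:j]:
            by_target[ev[2]].append(ev)
        for target, evs in by_target.items():
            sources = {e[1] for e in evs}
            if len(sources) >= min_sources:
                ports = sorted({e[3] for e in evs})
                bursts.append({
                    "start": start,
                    "target": target,
                    "sources": sorted(sources),   # all of them; decoys are not guessed away
                    "ports": ports,
                    "proxy_ports": [p for p in ports if p in PROXY_PORTS],
                })
        i = j
    return bursts


if __name__ == "__main__":
    for b in find_bursts(parse_log(SAMPLE_LOG)):
        print(f"{b['start']} target {b['target']}: {len(b['sources'])} sources, "
              f"ports {b['ports']}, proxy ports {b['proxy_ports']}")
```

On the sample data this reports a single 30-second window against 198.51.100.10 with six different sources hitting 53, 111, 1080, 3128 and 8080; the two later single probes fall below the threshold. In practice the window and source threshold need tuning against normal traffic at the border, and the ICMP traffic the post mentions would be a separate field to correlate by timestamp.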

