[Dshield] Scans occurring in large bursts

jayjwa jayjwa at atr2.ath.cx
Wed Feb 11 21:52:38 GMT 2004



On Wed, 11 Feb 2004, Jon R. Kibler wrote:

> For about the last month or so, we have had a fairly consistent rate of port scans occurring, averaging about 10/IP/hr. This rate has varied between 2 IP/hr and 20/IP/hr. However, it has been consistent with that range.
>
> In the past few days, we have seen some wild fluctuations in these scan rates. The range seems to have expanded to be, from 2/IP/hr to 100/IP/hr. Checking the logs in detail, we see bursts where multiple ports are repeatedly scanned from multiple locations, essentially simultaneously. The ports hit vary widely, but usually include:
> 	TCP: 445, 135, 25, 80, 3127, 3128, 1080, 53, 21, 22, 111, 443, 8080, 81
> 	UDP: 1434, 137, 135, 1026
>
> These bursts are usually accompanied by a spike in ICMP "Communications Administratively Prohibited" (ICMP type 3/13) packets (usually 40 to 100 in a burst) originating from private address space (usually 10.x). In some cases, the scans are preceded by ICMP "Echo Request" (8/0) from each probing IP, but this is not consistent.
>
> Normally, I would think that someone is either nmap-ing us or running an open proxy testing program, except for the source IPs differ for each probe.
>
> We don't have any packets captured, because all of this traffic is being blocked by our border router.
>
> Any thoughts as to what is going on here?

Alot of this, now, is the DoomJuice worm, which sprays out a flurry of
SYN's when it propogates into a host. I mean a flurry too. These would
look similar to an nmap scan. It hits some of the ports in the list of
yours above. I'd assume the icmp error-codes are a result of this action,
directly or indirectly.

-- 
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS d- s+: a- C+++ UL++++ P+ L+++ E- W+++ N++ o- K- w---
O-- M-- V-- PS+++ PE Y PGP+ t- 5- X- R* tv-- b++ DI-- D-
G e h+ r% y--
------END GEEK CODE BLOCK------




More information about the list mailing list