[Dshield] Scans occurring in large bursts

Stephane Grobety security at admin.fulgan.com
Thu Feb 12 09:07:51 GMT 2004


JRK> I thought about a decoy nmap scan, but it left me without an
JRK> explanation for the ICMP 3/31 traffic that seems related. Also,
JRK> it appears to be scans more oriented towards finding open proxy
JRK> servers (except for the 53/tcp and 111/tcp probes).

Well, without knowing your configuration, I would hazard that it could
simply be the machine scanned sending back a SYN-ACK packet back to
the decoy IP. The ICMP traffic you're seeing is simply the target
network telling your machine that it doesn't want your packets.

That being said, the decoy technique is not specific to namp: it's
rather trivial to implement it on another scanner.

JRK> I was hoping that someone else would say, "yes, I've seen that
JRK> and snort says it is...". Unfortunately, we run snort behind the
JRK> router so it does us no good in this case.

Unfortunately, I can't help you there. The only thing in my logs that
could be remotely related to your situation is the strange SMT
connections I see on my mail server: several completely unrelated
machines connecting in a very short time frame (10-20 seconds),
grabbing the banner and disconnecting. These machine are from
different networks all over the planet (well, the networks that aren't
automatically denied SMTP connection, that is) and they do complete
the 3 way handshake so they are not spoofed.

Good luck,
Stephane




More information about the list mailing list