[Dshield] Strange Scan

Jon R. Kibler Jon.Kibler at aset.com
Wed Dec 28 20:09:22 GMT 2005

bpennell at coxhealthplans.com wrote:
> Can anyone tell me what's going on here?  The source address is scanning my block of public IPs.
> It's originating on port 80 and sending an ACK/RST to my entire subnet.  Anyone know what this is?
> IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.81 LEN=40 TOS=0x14 PREC=0x00 TTL=112 ID=45054 PROTO=TCP SPT=80 DPT=6500 WINDOW=0 RES=0x00 ACK RST URGP=0
> IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.85 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=1517 PROTO=TCP SPT=80 DPT=17113 WINDOW=0 RES=0x00 ACK RST URGP=0

My first thought would be that this is not really a scan of your system; rather, it is probably backscatter from someone forging your addresses as the source IP and performing a null scan on port 80 of the X.152.93.95 IP. As I seem to recall, the only way that you see RST+ACK messages is if a null packet (meaning no IP flags set) is sent to a closed port. You could easily verify this using:
	telnet X.152.93.95 80
and if you get 'connection reset' or 'connection timed out' you could be pretty sure that is what was happening.

Are you sure someone on your systems wasn't doing a null scan? That would be another possibility. Your outbound rules would probably let it through, but your inbound rules would probably block the response.

BTW, how is your system configured? I am not quite sure I understand "IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0" showing as one device one place and two devices elsewhere (have to admit I am not a netfilter expert!).
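A defender-side way to triage log lines like the ones quoted above, as an added example that is not from the original thread: it parses netfilter LOG output and flags a source whose packets are all RST/ACK with a zero window from one fixed service port to several of our hosts on differing ports, which is the backscatter pattern discussed in the reply. The sample lines are constructed from the quoted ones, with placeholder addresses (203.0.113.95 standing in for the masked X.152.93.95, 10.0.0.x for the destination block) and one ordinary inbound SYN added as a negative case.

```python
from collections import defaultdict

# Constructed sample: the two lines quoted in the post with placeholder
# addresses, plus one plain inbound SYN so the classifier has a non-match.
SAMPLE_LOG = """\
IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=203.0.113.95 DST=10.0.0.81 LEN=40 TOS=0x14 PREC=0x00 TTL=112 ID=45054 PROTO=TCP SPT=80 DPT=6500 WINDOW=0 RES=0x00 ACK RST URGP=0
IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=203.0.113.95 DST=10.0.0.85 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=1517 PROTO=TCP SPT=80 DPT=17113 WINDOW=0 RES=0x00 ACK RST URGP=0
IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=198.51.100.7 DST=10.0.0.81 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=9 PROTO=TCP SPT=40122 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}

def parse_netfilter_line(line):
    """Parse one netfilter LOG line into a dict. key=value tokens become
    entries; bare TCP flag tokens (ACK, RST, ...) are collected under FLAGS."""
    rec = {"FLAGS": frozenset(t for t in line.split() if t in TCP_FLAGS)}
    for tok in line.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
    return rec

def classify_sources(lines, min_targets=2):
    """Return {src: "backscatter" | "other"} for every TCP source seen.
    Backscatter heuristic (replies to packets someone sent with our addresses
    forged): every packet is RST+ACK with window 0, from one fixed low service
    port, hitting at least min_targets of our hosts on differing ports."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_netfilter_line(line)
        if rec.get("PROTO") == "TCP" and "SRC" in rec:
            by_src[rec["SRC"]].append(rec)
    verdicts = {}
    for src, pkts in by_src.items():
        all_rst_ack = all(p["FLAGS"] == {"ACK", "RST"} for p in pkts)
        zero_win = all(p.get("WINDOW") == "0" for p in pkts)
        sports = {int(p["SPT"]) for p in pkts}
        service_port = len(sports) == 1 and next(iter(sports)) < 1024
        dsts = {p["DST"] for p in pkts}
        dports = {p["DPT"] for p in pkts}
        if (all_rst_ack and zero_win and service_port
                and len(dsts) >= min_targets and len(dports) == len(pkts)):
            verdicts[src] = "backscatter"
        else:
            verdicts[src] = "other"
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {verdict}")
```

A source that matches is worth confirming the way the reply suggests (is its port 80 actually closed or filtered?) before treating the traffic as anything other than noise.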

