[Dshield] Strange Scan

Pete Cap peteoutside at yahoo.com
Wed Dec 28 19:21:46 GMT 2005

bpennell at coxhealthplans.com wrote:

Can anyone tell me what's going on here?  The source address is scanning my block of public IPs.

It's originating on port 80 and sending an ACK/RST to my entire subnet.  Anyone know what this is?

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.81 LEN=40 TOS=0x14 PREC=0x00 TTL=112 ID=45054 PROTO=TCP SPT=80 DPT=6500 WINDOW=0 RES=0x00 ACK RST URGP=0

The first possibility that springs to mind is that you are seeing backscatter from an ongoing DoS where someone is spoofing your IP addresses.  I think the variability in destination ports supports this versus some kind of reset/ack scan, unless the packets are coming in so fast that the remote actor could plausibly be trying to scan your subnet.  If it were a scan, I think you would expect him to just look for some specific ports instead of randomly trying all possible ports.
Another (remote) possibility is that there is some malware on your network receiving instructions via a covert channel, for instance in the IP ID or ISN fields. You didn't post the timestamps, but if this were the case you might see some regularity in the interval between packets.  For more info check out http://www.firstmonday.org/issues/issue2_5/rowland/.  Check out your network devices and make sure nothing is running in promiscuous mode that shouldn't be.
Other things that stick out are the constant TTL (112) and window size (0).  I'm not sure if you would always expect a window size of 0 with a RST packet, or not--maybe some of the packet ninjas on the list can help you out with that.

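The triage reasoning in the reply above (reply-only flags from a service source port, spread over many destination ports, versus probes aimed at a few specific ports), as an added example that is not part of the original message: a parser for the netfilter LOG format shown in the post that summarizes each source and applies a heuristic label. The function names, thresholds and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

KV = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}
# Flag sets a host sends only in answer to someone else's packet.
REPLY_FLAGS = {frozenset({"ACK", "RST"}), frozenset({"RST"}), frozenset({"SYN", "ACK"})}

def parse(line):
    """Split one netfilter LOG line into key=value fields plus the bare TCP flag tokens."""
    fields = dict(KV.findall(line))
    fields["FLAGS"] = frozenset(t for t in line.split() if t in TCP_FLAGS)
    return fields

def summarize(lines):
    """Group TCP packets by source and collect the fields the reply reasons about."""
    stats = defaultdict(lambda: {"n": 0, "dst": set(), "dpt": set(), "spt": set(),
                                 "ttl": set(), "win": set(), "flags": set()})
    for f in map(parse, lines):
        if f.get("PROTO") != "TCP":
            continue
        s = stats[f["SRC"]]
        s["n"] += 1
        for key, name in (("DST", "dst"), ("DPT", "dpt"), ("SPT", "spt"),
                          ("TTL", "ttl"), ("WINDOW", "win")):
            s[name].add(f[key])
        s["flags"].add(f["FLAGS"])
    return dict(stats)

def classify(s, min_packets=5, port_spread=0.5):
    """Heuristic label for one source; the thresholds are assumptions for this example."""
    if s["n"] < min_packets:
        return "too-few-packets"
    replies_only = s["flags"] <= REPLY_FLAGS
    service_port = len(s["spt"]) == 1 and int(next(iter(s["spt"]))) < 1024
    if replies_only and service_port and len(s["dpt"]) / s["n"] >= port_spread:
        return "backscatter-like"   # answers to spoofed traffic, random destination ports
    if s["flags"] == {frozenset({"SYN"})} and len(s["dpt"]) <= 3 and len(s["dst"]) > len(s["dpt"]):
        return "scan-like"          # probes for a few specific ports across many hosts
    return "undetermined"

def _pkt(src, dst, spt, dpt, flags, win):  # builds one constructed log line
    return (f"IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC={src} DST=192.0.2.{dst} LEN=40 "
            f"TOS=0x14 PREC=0x00 TTL=112 ID={45000 + dst} PROTO=TCP SPT={spt} DPT={dpt} "
            f"WINDOW={win} RES=0x00 {flags} URGP=0")
# Constructed sample data (documentation address ranges), not taken from the post.
SAMPLE = ([_pkt("198.51.100.95", 81 + i, 80, p, "ACK RST", 0)
           for i, p in enumerate([6500, 1042, 33871, 2210, 51123, 4099])] +
          [_pkt("203.0.113.7", 81 + i, 40000 + i, 22, "SYN", 1024) for i in range(6)])
if __name__ == "__main__":
    for src, s in summarize(SAMPLE).items():
        print(src, classify(s), "ttl:", sorted(s["ttl"]), "window:", sorted(s["win"]))
```

The label is a starting point for triage only; timestamps, which the posted log line lacks, would be needed to look at packet rate or interval regularity.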