[Dshield] Strange Scan

TRushing@hollandco.com TRushing at hollandco.com
Wed Dec 28 20:27:39 GMT 2005


Assuming that you are not sending the packets in question, the most likely 
explanation is that someone else is spoofing your IP as a part of DDOS 
packets directed at the x.152.93.95 machine.  What you are seeing is the 
blowback of that as that machine tells you, "I'm too busy to talk right 
now, closing the connection down."

Since it is a DDOS, spoofing suffices for the attacker's purpose.  It also 
makes it more difficult to track down where the attack is coming from.

Tim Rushing

<bpennell at coxhealthplans.com>
Sent by: list-bounces at lists.dshield.org
12/28/2005 12:35 PM
Please respond to General DShield Discussion List <list at lists.dshield.org>
To: <list at lists.dshield.org>
cc:
Subject: [Dshield] Strange Scan

Can anyone tell me what's going on here?  The source address is scanning 
my block of public IPs. 

It's originating on port 80 and sending an ACK/RST to my entire subnet. 
Anyone know what this is?

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.81 
LEN=40 TOS=0x14 PREC=0x00 TTL=112 ID=45054 PROTO=TCP SPT=80 DPT=6500 
WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.85 
LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=1517 PROTO=TCP SPT=80 DPT=17113 
WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.90 
LEN=40 TOS=0x14 PREC=0x00 TTL=112 ID=40373 PROTO=TCP SPT=80 DPT=93 
WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.81 
LEN=40 TOS=0x14 PREC=0x00 TTL=112 ID=59506 PROTO=TCP SPT=80 DPT=8060 
WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.89 
LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=13926 PROTO=TCP SPT=80 DPT=14303 
WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.74 
LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=294X PROTO=TCP SPT=80 DPT=7538 
WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.89 
LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=1344 PROTO=TCP SPT=80 DPT=1601 
WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.81 
LEN=40 TOS=0x14 PREC=0x00 TTL=112 ID=56730 PROTO=TCP SPT=80 DPT=4333 
WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.82 
LEN=40 TOS=0x14 PREC=0x00 TTL=112 ID=7318 PROTO=TCP SPT=80 DPT=24 WINDOW=0 
RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.85 
LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=18953 PROTO=TCP SPT=80 DPT=56 
WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.83 
LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=43877 PROTO=TCP SPT=80 DPT=2895 
WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.81 
LEN=40 TOS=0x14 PREC=0x00 TTL=112 ID=27816 PROTO=TCP SPT=80 DPT=5696 
WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.85 
LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=48158 PROTO=TCP SPT=80 DPT=307X 
WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.95 
LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=41638 PROTO=TCP SPT=80 DPT=7406 
WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.85 
LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=15282 PROTO=TCP SPT=80 DPT=91 
WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.83 
LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=7804 PROTO=TCP SPT=80 DPT=14978 
WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.81 
LEN=40 TOS=0x14 PREC=0x00 TTL=112 ID=43695 PROTO=TCP SPT=80 DPT=1884 
WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.89 
LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=7754 PROTO=TCP SPT=80 DPT=13389 
WINDOW=0 RES=0x00 ACK RST URGP=0

IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.66 
LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=63012 PROTO=TCP SPT=80 DPT=24 
WINDOW=0 RES=0x00 ACK RST URGP=0
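The distinction Tim draws above (backscatter from a spoofed flood versus a genuine scan of the subnet) can be checked mechanically from netfilter LOG lines like the ones quoted. The following is an added example, not code from the thread or from DShield: it parses the key=value log format, groups packets by source, and applies a defender's heuristic. Backscatter looks like one source answering from a single service port (SPT=80) with ACK+RST, a steady TTL (one real host) and destination ports scattered at random, because the victim is replying to whatever source ports the spoofed SYNs carried. A sweep looks the opposite: the probing host varies its own source port and hits a fixed destination port across many hosts. The sample lines are constructed using documentation address ranges and only mimic the pattern in the post; the thresholds in `classify` are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample in netfilter LOG format (documentation addresses, not the
# poster's data). Lines 1-5 mimic the backscatter pattern from the thread;
# lines 6-9 are a contrasting SYN sweep against port 22 on consecutive hosts.
SAMPLE_LOG = """\
IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=203.0.113.95 DST=198.51.100.81 LEN=40 TOS=0x14 PREC=0x00 TTL=112 ID=45054 PROTO=TCP SPT=80 DPT=6500 WINDOW=0 RES=0x00 ACK RST URGP=0
IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=203.0.113.95 DST=198.51.100.85 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=1517 PROTO=TCP SPT=80 DPT=17113 WINDOW=0 RES=0x00 ACK RST URGP=0
IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=203.0.113.95 DST=198.51.100.90 LEN=40 TOS=0x14 PREC=0x00 TTL=112 ID=40373 PROTO=TCP SPT=80 DPT=93 WINDOW=0 RES=0x00 ACK RST URGP=0
IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=203.0.113.95 DST=198.51.100.81 LEN=40 TOS=0x14 PREC=0x00 TTL=112 ID=59506 PROTO=TCP SPT=80 DPT=8060 WINDOW=0 RES=0x00 ACK RST URGP=0
IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=203.0.113.95 DST=198.51.100.89 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=13926 PROTO=TCP SPT=80 DPT=14303 WINDOW=0 RES=0x00 ACK RST URGP=0
IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.0.2.7 DST=198.51.100.81 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.0.2.7 DST=198.51.100.82 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2 PROTO=TCP SPT=40002 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.0.2.7 DST=198.51.100.83 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=3 PROTO=TCP SPT=40003 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.0.2.7 DST=198.51.100.84 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=4 PROTO=TCP SPT=40004 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# TCP flags appear in the LOG format as bare tokens rather than key=value pairs.
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}


def parse_line(line):
    """Turn one LOG line into a dict of fields; flags go under 'flags'."""
    tokens = line.split()
    fields = {"flags": frozenset(t for t in tokens if t in TCP_FLAGS)}
    for tok in tokens:
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
    return fields


def parse_log(text):
    """Parse every TCP LOG line in a block of text."""
    return [parse_line(l) for l in text.splitlines() if "PROTO=TCP" in l]


def classify(packets):
    """Heuristic triage of all packets seen from one source address.

    Thresholds are assumptions for illustration, not a published standard.
    Returns (label, evidence) so an analyst can see why the label was chosen.
    """
    n = len(packets)
    rst_ack = sum(1 for p in packets if {"ACK", "RST"} <= p["flags"])
    syn_only = sum(1 for p in packets if p["flags"] == {"SYN"})
    src_ports = {p["SPT"] for p in packets}
    dst_ports = {p["DPT"] for p in packets}
    hosts = {p["DST"] for p in packets}
    ttls = {p["TTL"] for p in packets}
    evidence = {
        "packets": n, "rst_ack": rst_ack, "syn_only": syn_only,
        "src_ports": len(src_ports), "dst_ports": len(dst_ports),
        "hosts": len(hosts), "ttls": sorted(ttls),
    }
    # Backscatter: every packet is a reply (ACK+RST) from ONE service port,
    # from one real host (single TTL), to destination ports spread at random.
    if (n >= 3 and rst_ack == n and len(src_ports) == 1
            and len(dst_ports) > n // 2 and len(ttls) == 1):
        return "likely-backscatter", evidence
    # Sweep: every packet is a fresh SYN, the prober varies its own source
    # port, and one destination port is tried across several hosts.
    if n >= 3 and syn_only == n and len(dst_ports) == 1 and len(hosts) > 1:
        return "likely-syn-sweep", evidence
    return "unclassified", evidence


def triage(text):
    """Group parsed packets by SRC and classify each source."""
    by_src = defaultdict(list)
    for p in parse_log(text):
        by_src[p["SRC"]].append(p)
    return {src: classify(pkts) for src, pkts in by_src.items()}


if __name__ == "__main__":
    for src, (label, evidence) in triage(SAMPLE_LOG).items():
        print(f"{src:16} {label:20} {evidence}")
```

The useful output is the evidence dict next to the label: for the source mirroring the post, one source port, one TTL, five distinct destination ports and zero SYNs is exactly the "somebody else's victim is answering spoofed traffic that carried your addresses" signature, and it is the same evidence DShield-style reports rely on when separating backscatter from hostile scanning.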


