[Dshield] Strange Scan

Jean-Philippe Luiggi jp.luiggi at free.fr
Thu Dec 29 15:57:49 GMT 2005


On Wed, Dec 28, 2005 at 12:35:56PM -0600, bpennell at coxhealthplans.com wrote:
> Can anyone tell me what's going on here?  The source address is scanning my block of public IPs.  
> 
> It's originating on port 80 and sending an ACK/RST to my entire subnet.  Anyone know what this is?
> 
> IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=X.152.93.95 DST=X.X.X.81 LEN=40 TOS=0x14 PREC=0x00 TTL=112 
> ID=45054 PROTO=TCP SPT=80 DPT=6500 WINDOW=0 RES=0x00 ACK RST URGP=0

Hello,

I don't think it's a scan of your subnet; a possible explanation would be that
you are getting the result of either:

- a (D)DOS against someone on the net.
- a stealth scan of someone (like an XMAS, FIN or NULL scan), but to be effective (as we are speaking of TCP),
this last possibility requires that either the sender of the scan is seeing the packets you got, or he's
on another network and uses something like "idle scanning"... which sounds a little bit complicated.

Best regards.
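
To check the first explanation in the reply above against a firewall log, this added example (not part of the original thread) groups netfilter LOG lines by source and separates sources that only send TCP reply packets (RST, or SYN/ACK) from a single source port from sources that send bare SYN probes. The sample lines, the verdict labels and the `min_dsts` threshold are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample lines in the netfilter LOG format quoted above;
# addresses are documentation ranges, not values from the thread.
LINE_FMT = "IN=br0 OUT=br0 SRC={} DST=192.0.2.{} LEN=40 PROTO=TCP SPT={} DPT={} WINDOW={} RES=0x00 {} URGP=0"
SAMPLE_LOG = "\n".join(
    [LINE_FMT.format("198.51.100.95", 81 + i, 80, 6500 + i, 0, "ACK RST") for i in range(3)]
    + [LINE_FMT.format("203.0.113.7", 81 + i, 40112 + i, 22, 5840, "SYN") for i in range(3)])

def parse_line(line):
    """Split one LOG line into key=value fields and the set of bare TCP flag tokens."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}:
            flags.add(tok)
    return fields, flags

def is_reply(flags):
    """RST or SYN+ACK: packets a host sends in answer to a SYN, never to open a connection."""
    return "RST" in flags or {"SYN", "ACK"} <= flags

def classify_sources(log_text, min_dsts=3):
    """Label each source by whether it sends only replies or only SYN probes (hypothetical labels)."""
    stats = defaultdict(lambda: {"dsts": set(), "spts": set(), "reply": 0, "syn": 0})
    for line in log_text.splitlines():
        fields, flags = parse_line(line)
        if fields.get("PROTO") != "TCP" or "SRC" not in fields:
            continue
        s = stats[fields["SRC"]]
        s["dsts"].add(fields.get("DST"))
        s["spts"].add(fields.get("SPT"))
        s["reply"] += is_reply(flags)
        s["syn"] += flags == {"SYN"}
    verdicts = {}
    for src, s in stats.items():
        if len(s["dsts"]) < min_dsts:
            verdicts[src] = "too-few-targets"
        elif s["syn"] == 0 and s["reply"] > 0 and len(s["spts"]) == 1:
            verdicts[src] = "replies-from-one-service-port"
        elif s["reply"] == 0 and s["syn"] > 0:
            verdicts[src] = "syn-probes"
        else:
            verdicts[src] = "mixed"
    return verdicts
```

A source labelled `replies-from-one-service-port` is answering connection attempts that your hosts never sent, which fits forged source addresses better than a deliberate probe of your range.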

