Odd apparent port scan ...

Peter Van Epp vanepp at sfu.ca
Wed Apr 3 19:20:35 GMT 2002

	Just a heads up on an odd apparent port scan that argus detected.
Starting back on Mar 28 or so two hosts and
(one doesn't resolve, the other is a plausible IRC server) looked to be having
a large number of hosts on campus make unsuccessful connections to port 6667
on the remote host. My first thought was massive breakin attempting to use IRC
as the control channel, but since some of the "hosts" making these connections 
don't exist that seemed a little strange. A look with the sniffer indicates 
these remote machines are mimicking already open TCP connections to the hosts in 
question, either as a DOS (but not enough volume) or as I now think, as a port 
scan, looking for RST packets to map an active host. This of course may not be 
news (it may have been going on for a long time, argus would normally ignore 
them because of the lack of success, I happened to be looking for something 
else in the unfiltered log when I noticed it) but in case it's a new tactic, 
here it is :-)

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
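
One way to flag the pattern described in the message above, as an added example that is not part of the original post and is not argus code: it looks for ACK-bearing segments on flows where no SYN was ever seen, groups them by source, and lists which addresses answered with a RST. The packet tuple layout, the addresses, the function name and the `min_targets` threshold are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample packets (not from the post): (src, sport, dst, dport, flags).
# 192.0.2.10 stands in for the remote host, 10.0.0.x for campus addresses.
PACKETS = [
    ("10.0.0.5", 40000, "198.51.100.9", 80, "S"),    # ordinary handshake
    ("198.51.100.9", 80, "10.0.0.5", 40000, "SA"),
    ("10.0.0.5", 40000, "198.51.100.9", 80, "A"),
    ("192.0.2.10", 6667, "10.0.0.5", 1025, "A"),     # ACK with no prior SYN
    ("10.0.0.5", 1025, "192.0.2.10", 6667, "R"),     # live host answers RST
    ("192.0.2.10", 6667, "10.0.0.6", 1026, "A"),
    ("10.0.0.6", 1026, "192.0.2.10", 6667, "R"),
    ("192.0.2.10", 6667, "10.0.0.7", 1027, "A"),     # no such host: silence
    ("192.0.2.10", 6667, "10.0.0.8", 1028, "PA"),
    ("10.0.0.8", 1028, "192.0.2.10", 6667, "R"),
]

def find_stateless_probes(packets, min_targets=3):
    """Flag sources sending ACK-bearing segments on flows with no SYN seen."""
    seen_syn = set()             # flows where a handshake was observed
    probed = defaultdict(set)    # source -> addresses it sent bare ACKs to
    answered = defaultdict(set)  # source -> addresses that replied with RST
    for src, sport, dst, dport, flags in packets:
        flow = frozenset([(src, sport), (dst, dport)])  # direction-independent
        if "S" in flags:
            seen_syn.add(flow)
        elif flow in seen_syn:
            continue                       # part of an established connection
        elif "R" in flags:
            if src in probed.get(dst, ()):
                answered[dst].add(src)     # the RST shows the prober a live host
        elif "A" in flags:
            probed[src].add(dst)
    return {
        s: {"probed": sorted(t), "answered": sorted(answered[s])}
        for s, t in probed.items() if len(t) >= min_targets
    }

if __name__ == "__main__":
    for source, info in find_stateless_probes(PACKETS).items():
        print(source, info)
```

Connections that began before the capture started also lack a visible SYN, so the distinct-target threshold is what separates a sweep from a single long-lived session.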

