[unisog] Odd apparent port scan ...

H. Morrow Long morrow.long at yale.edu
Thu Apr 4 14:26:55 GMT 2002


Peter - Might this be an example of what Steve Gibson (and I'll agree in 
	advance that one does have to liberally take quite a bit of salt
	and anti-hype medicine to wash Steve Gibson down with sometimes)
	calls the "Next Generation DoS", also "Distributed Reflection
	Denial of Service" (DRDoS) attack:

		http://grc.com/dos/drdos.htm

	The idea is a low-impact, flying under the radar --err, um. IDS--
	broad spread of SYN packets to a large number of servers (e.g.
	routers running BGP or web servers on port 80) such that the
	'SYN/ACK' packets back were all directed and concentrated on a
	hapless victim.

	This would not appear to set with one element in what you are
	seeing if the packets you are seeing are really mimicking an
	already open TCP connection.  However, if you were seeing SYN
	packets (a very low level Synflood to many of your IP addresses)
	or were seeing a concentrated flood of SYN/ACK packets to one or
	more of your IP addresses (from a lot of foreign IP addresses --
	which it sounds like you are not) that could be the DRDoS GRC.COM
	describes.

- H. Morrow Long
  University Information Security Officer
  Yale University, ITS, Dir. InfoSec Office

Peter Van Epp wrote:
> 
>         Just a heads up on an odd apparent port scan that argus detected.
> Starting back on Mar 28 or so two hosts 199.245.173.165 and 202.102.9.95
> (one doesn't resolve, the other is a plausible IRC server) looked to be having
> a large number of hosts on campus make unsuccessful connections to port 6667
> on the remote host. My first thought was massive breakin attempting to use IRC
> as the control channel, but since some of the "hosts" making these connections
> don't exist that seemed a little strange. A look with the sniffer indicates
> these remote machines are mimicking already open TCP connections to the hosts in
> question, either as a DOS (but not enough volume) or as I now think, as a port
> scan, looking for RST packets to map an active host. This of course may not be
> news (it may have been going on for a long time, argus would normally ignore
> them because of the lack of success, I happened to be looking for something
> else in the unfiltered log when I noticed it) but in case it's a new tactic,
> here it is :-)
> 
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
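Both patterns in this exchange (unsolicited SYN/ACKs concentrated on one address from many remote servers, and bare ACKs for connections that do not exist being answered with RSTs) can be told apart from normal traffic by checking each inbound packet against the SYNs our own hosts sent. The following is an added illustration written for this archive page, not code from either poster, argus, or GRC. It works on constructed packet records rather than a capture, assumes an RFC 5737 documentation prefix as the campus range, and treats a flow as "ours" as soon as a local host has sent a SYN for it (a production monitor would track the full handshake in both directions and expire state); the thresholds are arbitrary.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed campus address range (RFC 5737 documentation prefix), not the thread's network.
LOCAL_NET = ip_network("192.0.2.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK, "A" = bare ACK, "R" = RST


def is_local(addr: str) -> bool:
    return ip_address(addr) in LOCAL_NET


def classify(packets, min_reflectors=3, min_probe_targets=2):
    """Return findings for the two patterns discussed in the thread.

    Simplification: a flow counts as ours once a local host has sent a SYN to
    that remote 4-tuple; no handshake completion or state expiry is modelled.
    """
    outbound_syn = set()               # (local, lport, remote, rport)
    reflectors = defaultdict(set)      # local victim -> remote hosts sending unmatched SYN/ACK
    probe_targets = defaultdict(set)   # remote prober -> local hosts receiving unmatched ACK
    rst_replies = defaultdict(set)     # remote prober -> local hosts that answered with RST

    for p in packets:
        if p.flags == "S" and is_local(p.src):
            outbound_syn.add((p.src, p.sport, p.dst, p.dport))
        elif p.flags == "SA" and is_local(p.dst):
            # A SYN/ACK we never asked for is backscatter: someone sent a SYN
            # with our address as the source, which is the DRDoS mechanism.
            if (p.dst, p.dport, p.src, p.sport) not in outbound_syn:
                reflectors[p.dst].add(p.src)
        elif p.flags == "A" and is_local(p.dst):
            # A bare ACK for a connection we do not have: a live host answers
            # RST, an unused address stays silent, which maps active hosts.
            if (p.dst, p.dport, p.src, p.sport) not in outbound_syn:
                probe_targets[p.src].add(p.dst)
        elif p.flags == "R" and is_local(p.src) and not is_local(p.dst):
            rst_replies[p.dst].add(p.src)

    findings = []
    for victim, sources in reflectors.items():
        if len(sources) >= min_reflectors:
            findings.append({"type": "reflected_synack", "victim": victim,
                             "reflectors": len(sources)})
    for prober, targets in probe_targets.items():
        if len(targets) >= min_probe_targets:
            findings.append({"type": "unsolicited_ack_probe", "prober": prober,
                             "targets": len(targets),
                             "rst_replies": len(rst_replies[prober] & targets)})
    return findings


# Constructed sample traffic (not a capture from either university).
SAMPLE_PACKETS = [
    # A normal outbound web connection: our SYN, their SYN/ACK.
    Packet("192.0.2.10", 40001, "198.51.100.5", 80, "S"),
    Packet("198.51.100.5", 80, "192.0.2.10", 40001, "SA"),
    # Reflected SYN/ACKs from five web servers that never saw a SYN from us.
    *[Packet(f"203.0.113.{i}", 80, "192.0.2.20", 1024 + i, "SA") for i in range(1, 6)],
    # One remote "IRC server" sending bare ACKs for non-existent connections to
    # three campus addresses; two exist and answer RST, the third is unused.
    Packet("203.0.113.99", 6667, "192.0.2.30", 5000, "A"),
    Packet("192.0.2.30", 5000, "203.0.113.99", 6667, "R"),
    Packet("203.0.113.99", 6667, "192.0.2.31", 5001, "A"),
    Packet("192.0.2.31", 5001, "203.0.113.99", 6667, "R"),
    Packet("203.0.113.99", 6667, "192.0.2.32", 5002, "A"),
]


def summarize(packets=SAMPLE_PACKETS):
    return classify(packets)


if __name__ == "__main__":
    for finding in summarize():
        print(finding)
```

On the sample traffic the legitimate web connection produces nothing, the five unmatched SYN/ACKs to 192.0.2.20 are reported as reflection backscatter, and 203.0.113.99 is reported as probing three campus addresses of which two replied with RST; the silent third address is exactly the "host that doesn't exist" in Peter's observation, and the RST/no-RST split is the information such a probe would yield.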