[unisog] Distributed port 445 scan or spoof?

Russell Fulton r.fulton at auckland.ac.nz
Sat Feb 15 09:25:24 GMT 2003


On Fri, 2003-02-14 at 15:44, Pat Wilson wrote:
> 
> Hmm.  We're seeing incidents of intense port 445 scanning, either from a
> fairly well-coordinated distributed net or from something spoofing one -
> lots of ISP IP addresses, for short bursts of activity.
> 
> Has anyone else seen this recently?  We normally see 445 scans, but not
> from so many different directions at once...  If it _is_ an address
> spoofer, any idea how to track it down?
> 

I've seen several of these over the last few months; the largest was by
200 systems which scanned our /15 in about 5 minutes.  There was some
overlap between the scans and there were a few holes but they got pretty
good coverage without too much wastage.  All the recent coordinated scans
I have seen recently have been for 445.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It aint necessarily so"  - Gershwin


