[unisog] Distributed port 445 scan or spoof?
r.fulton at auckland.ac.nz
Sat Feb 15 09:25:24 GMT 2003
On Fri, 2003-02-14 at 15:44, Pat Wilson wrote:
> Hmm. We're seeing incidents of intense port 445 scanning, either from a
> fairly well-coordinated distributed net or from something spoofing one -
> lots of ISP IP addresses, for short bursts of activity.
> Has anyone else seen this recently? We normally see 445 scans, but not
> from so many different directions at once... If it _is_ an address
> spoofer, any idea how to track it down?
I've seen several of these over the last few months; the largest was by
200 systems which scanned our /15 in about 5 minutes. There was some
overlap between the scans and there were a few holes but they got pretty
good coverage without too much wastage. All the recent coordinated scans
I have seen recently have been for 445.
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
"It aint necessarily so" - Gershwin
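
An added example, not part of the original post or written by either poster: one way to measure from flow records what the reply describes for a port 445 sweep (source count, coverage, overlap, holes, wastage). The record format, function names, thresholds and sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

def summarize_sweep(records, net, port=445, window=300):
    """records: (epoch_seconds, src_ip, dst_ip, dst_port) tuples; uses the busiest window."""
    net = ip_network(net)
    hits = sorted((ts, src, dst) for ts, src, dst, dport in records
                  if dport == port and ip_address(dst) in net)
    # Slide a `window`-second span over the sorted probes and keep the busiest one.
    best, lo = [], 0
    for hi in range(len(hits)):
        while hits[hi][0] - hits[lo][0] >= window:
            lo += 1
        if hi - lo + 1 > len(best):
            best = hits[lo:hi + 1]
    by_dst = defaultdict(set)          # target address -> set of sources that probed it
    for _, src, dst in best:
        by_dst[dst].add(src)
    return {
        "sources": len({src for _, src, _ in best}),
        "targets": len(by_dst),
        "coverage": len(by_dst) / net.num_addresses,
        "overlap": sum(1 for s in by_dst.values() if len(s) > 1),  # hit by >1 source
        "holes": net.num_addresses - len(by_dst),                  # never probed
        "wastage": (len(best) - len(by_dst)) / len(best) if best else 0.0,
    }

def looks_coordinated(summary, min_sources=3, min_coverage=0.5):
    # Thresholds are assumptions for illustration, not values from the thread.
    return summary["sources"] >= min_sources and summary["coverage"] >= min_coverage

# Constructed sample flows (documentation address ranges), not data from the thread:
# four sources each sweep a slice of a /28, with two overlaps and two holes.
BASE = 1045000000
SLICES = {"198.51.100.1": range(0, 4), "198.51.100.2": range(3, 7),
          "198.51.100.3": range(8, 12), "198.51.100.4": range(11, 15)}
SAMPLE = [(BASE + 10 * n, src, f"192.0.2.{off}", 445)
          for n, (src, off) in enumerate((s, o) for s, r in SLICES.items() for o in r)]
SAMPLE += [(BASE + 4000, "203.0.113.9", "192.0.2.7", 445),   # lone probe, outside window
           (BASE + 20, "198.51.100.1", "192.0.2.7", 80)]     # different port, ignored

if __name__ == "__main__":
    summary = summarize_sweep(SAMPLE, "192.0.2.0/28")
    print(summary, looks_coordinated(summary))
```

Many sources with little overlap and high coverage in one short window is the pattern the reply reports; a single host producing the same coverage would show `sources` of 1.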