Subject: Re: Odd UPD scan
From: Bill Pennington (billp ROCKETCASH.COM)
Date: Fri Mar 17 2000 - 00:14:57 CST
I have seen the same around the networks I watch lately. Since it didn't
seem like a scan I had seen before (most scans for Netbios have a high
source port) I have just been ignoring them. I had also noticed that they
come in bunches then disappear so I chalked it up to something
misconfigured somewhere. I would be interested if anyone has other ideas
about this.
David Meissner wrote:
>
> For several weeks now I've noticed scans of UDP port 137, but the odd thing
> is that the source address is spoofed as a private IP address. I don't
> understand how this can be a probe, since they'll never see the replies. It
> also doesn't seem like a DOS attack since it's a somewhat slow scan and it
> doesn't go on for too long.
>
> Sample log:
>
> 00:06:26.478367 192.168.0.1.137 > aaa.bbb.ccc.eee.137: udp 50
> 00:06:27.951993 192.168.0.1.137 > aaa.bbb.ccc.eee.137: udp 50
> 00:06:29.460189 192.168.0.1.137 > aaa.bbb.ccc.eee.137: udp 50
> 00:06:32.475204 192.168.0.1.137 > aaa.bbb.ccc.fff.137: udp 50
> 00:06:32.475338 aaa.bbb.ccc.fff > 192.168.0.1: icmp: aaa.bbb.ccc.fff udp
> port 137 unreachable
> 00:06:33.979872 192.168.0.1.137 > aaa.bbb.ccc.fff.137: udp 50
> 00:06:33.980001 aaa.bbb.ccc.fff > 192.168.0.1: icmp: aaa.bbb.ccc.fff udp
> port 137 unreachable
> 00:06:35.480653 192.168.0.1.137 > aaa.bbb.ccc.fff.137: udp 50
> 00:06:35.480773 aaa.bbb.ccc.fff > 192.168.0.1: icmp: aaa.bbb.ccc.fff udp
> port 137 unreachable
> 00:06:38.491738 192.168.0.1.137 > aaa.bbb.ccc.ggg.137: udp 50
> 00:06:38.491874 aaa.bbb.ccc.ggg > 192.168.0.1: icmp: aaa.bbb.ccc.ggg udp
> port 137 unreachable
> 00:06:39.986622 192.168.0.1.137 > aaa.bbb.ccc.ggg.137: udp 50
> 00:06:39.986745 aaa.bbb.ccc.ggg > 192.168.0.1: icmp: aaa.bbb.ccc.ggg udp
> port 137 unreachable
> 00:06:41.497638 192.168.0.1.137 > aaa.bbb.ccc.ggg.137: udp 50
> 00:06:41.497771 aaa.bbb.ccc.ggg > 192.168.0.1: icmp: aaa.bbb.ccc.ggg udp
> port 137 unreachable
>
> This activity goes on for about 40 minutes total to a number of other
> addresses, then a similar sequence repeats about 10 minutes later but only
> lasts a couple of minutes. About two hours later they repeat this again for
> a couple more minutes. I've seen the same activity from source addresses
> like 10.2.2.1. Maybe they're trying to guess our internal network numbers,
> but what would be the point?
>
> Can anyone suggest what might be going on?
>
> Thanks,
> David Meissner
> Punch Networks
--
Bill Pennington
Senior IT Manager
Rocketcash
billp rocketcash.com
http://www.rocketcash.com
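
An added example, not part of either poster's message: a Python tally of the pattern discussed in this thread, UDP port 137 packets whose source is an RFC 1918 address, read from tcpdump-style text. The sample lines are constructed (192.0.2.0/24 and 198.51.100.7 stand in for the masked public addresses), and the function name is hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Matches tcpdump lines such as "00:06:26.478367 192.168.0.1.137 > 192.0.2.10.137: udp 50"
UDP_LINE = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+): udp (\d+)$"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample modelled on the quoted log; documentation ranges replace the masked addresses.
SAMPLE = """\
00:06:26.478367 192.168.0.1.137 > 192.0.2.10.137: udp 50
00:06:27.951993 192.168.0.1.137 > 192.0.2.10.137: udp 50
00:06:29.460189 192.168.0.1.137 > 192.0.2.10.137: udp 50
00:06:32.475204 192.168.0.1.137 > 192.0.2.11.137: udp 50
00:06:32.475338 192.0.2.11 > 192.168.0.1: icmp: 192.0.2.11 udp port 137 unreachable
00:06:33.979872 192.168.0.1.137 > 192.0.2.11.137: udp 50
00:06:40.100000 198.51.100.7.1029 > 192.0.2.10.137: udp 50
00:07:01.000000 10.2.2.1.137 > 192.0.2.12.137: udp 50
"""

def summarize_private_sources(text, port=137):
    """Per RFC 1918 source: packets, distinct targets, first/last time in seconds."""
    stats = defaultdict(lambda: {"packets": 0, "from_same_port": 0,
                                 "targets": set(), "first": None, "last": None})
    for line in text.splitlines():
        m = UDP_LINE.match(line.strip())
        if not m or int(m.group(7)) != port:
            continue  # ICMP replies and traffic to other ports are skipped
        src = ipaddress.ip_address(m.group(4))
        if not any(src in net for net in RFC1918):
            continue  # routable source: not the pattern under discussion
        t = int(m.group(1)) * 3600 + int(m.group(2)) * 60 + float(m.group(3))
        s = stats[str(src)]
        s["packets"] += 1
        s["from_same_port"] += int(m.group(5)) == port  # source port 137, as in the log
        s["targets"].add(m.group(6))
        s["first"] = t if s["first"] is None else min(s["first"], t)
        s["last"] = t
    return dict(stats)

if __name__ == "__main__":
    for src, s in summarize_private_sources(SAMPLE).items():
        span = s["last"] - s["first"]
        print(f"{src}: {s['packets']} pkts to {len(s['targets'])} hosts over {span:.1f}s")
```
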