Subject: Re: IDS Avoiding TRACEROUTE Network mapping
From: Crist J. Clark (cjc SCITEC.COM)
Date: Wed Apr 26 2000 - 09:34:44 CDT
On Tue, Apr 25, 2000 at 01:47:27PM -0400, Matthew F. Caldwell wrote:
> One of my clients is receiving traceroutes of icmp and udp from the
> company "www.quova.com" which is in their own words "Quova is a
> stealth-mode, Internet infrastructure company" From the following ip
> address 64.41.164.55. Attempting to avoid IDS systems the scans look like
>
> This:
>
> Echo Request from 64.41.164.55 to x.190.51.1
> Echo Request from 64.41.164.55 to x.191.51.1
> Echo Request from 64.41.164.55 to x.192.51.1
> Echo Request from 64.41.164.55 to x.194.51.1
> Echo Request from 64.41.164.55 to x.193.51.1
>
> Has anyone else seen these ?
On Apr 13 between 07:18:14 and 07:37:14 our firewall dropped 874
packets coming in at reasonable traceroute ports (33448-33466). All
were UDP packets. They were directed at 46 IP addresses (I can't see a
pattern in the addresses they tried). The source was 64.41.164.56.
-- Crist J. Clark cjcscitec.com SciTec, Inc (609)921-3892 x252
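
One way to surface the pattern reported above (a single source sending UDP probes in the traceroute port range to many hosts within minutes), added here as an example and not part of the original message. The log format, thresholds, addresses and sample lines are constructed, and the port range assumes the conventional UDP traceroute base port of 33434.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: classic UDP traceroute probes start at port 33434 and count up.
TRACEROUTE_PORTS = range(33434, 33535)
# Constructed drop-log format for this example, not any real firewall's.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) DROP (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed sample using documentation address ranges.
SAMPLE_LOG = """\
2000-04-13 07:18:14 DROP UDP 198.51.100.7:40001 -> 192.0.2.10:33448
2000-04-13 07:18:15 DROP UDP 198.51.100.7:40001 -> 192.0.2.10:33449
2000-04-13 07:21:02 DROP UDP 198.51.100.7:40002 -> 192.0.2.77:33450
2000-04-13 07:30:40 DROP UDP 198.51.100.7:40003 -> 192.0.2.130:33466
2000-04-13 07:25:00 DROP UDP 203.0.113.9:53 -> 192.0.2.10:33460
2000-04-13 07:26:00 DROP TCP 203.0.113.9:1234 -> 192.0.2.11:80
2000-04-13 09:00:00 DROP UDP 198.51.100.7:40004 -> 192.0.2.200:33451
"""

def find_traceroute_sweeps(lines, min_targets=3, window=timedelta(minutes=20)):
    """Map each source to (packets, distinct targets) for its widest burst of
    UDP traceroute-range probes inside `window`, if it reached min_targets."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "UDP" or int(m["dport"]) not in TRACEROUTE_PORTS:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events[m["src"]].append((ts, m["dst"]))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        start, best = 0, (0, 0)
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window forward
                start += 1
            span = evs[start:end + 1]
            targets = len({dst for _, dst in span})
            if (targets, len(span)) > (best[1], best[0]):
                best = (len(span), targets)
        if best[1] >= min_targets:
            hits[src] = best
    return hits

if __name__ == "__main__":
    for src, (pkts, targets) in find_traceroute_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {pkts} probes to {targets} hosts")
```

Counting distinct destinations per source, rather than packets alone, is what separates a mapping sweep from one host being traced repeatedly.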