Subject: tcp ping scan to broadcast addresses
From: Russell Fulton (r.fultonAUCKLAND.AC.NZ)
Date: Sun Jun 11 2000 - 18:03:36 CDT


Greetings All,
             Came across something different during the weekend. What
appears to be a standard nmap tcp scan (dst port 80, packets have ACK
flag set) but directed to the /24 broadcast addresses (0 and 255) in
our /16 net.

Here are the argus logs. E indicates that this packet belongs to an
established session, i.e. it had ACK set. (130.216.0.0/16 is our net.)
The first two counts are to and from packets; the next two counts are bytes.

11 Jun 00 23:21:29 tcp 142.176.129.229.38325 ?> 130.216.2.255.80 1 0 0 0 E
11 Jun 00 23:21:29 tcp 142.176.129.229.38325 ?> 130.216.3.255.80 1 0 0 0 E
11 Jun 00 23:21:29 tcp 142.176.129.229.38325 ?> 130.216.4.255.80 1 0 0 0 E
11 Jun 00 23:21:29 tcp 142.176.129.229.38325 ?> 130.216.6.255.80 1 0 0 0 E
11 Jun 00 23:21:29 tcp 142.176.129.229.38325 ?> 130.216.7.255.80 1 0 0 0 E
11 Jun 00 23:21:29 tcp 142.176.129.229.38325 ?> 130.216.8.255.80 1 0 0 0 E
11 Jun 00 23:21:29 tcp 142.176.129.229.38325 ?> 130.216.9.255.80 1 0 0 0 E
11 Jun 00 23:21:29 tcp 142.176.129.229.38325 ?> 130.216.11.255.80 1 0 0 0 E
11 Jun 00 23:21:29 tcp 142.176.129.229.38325 ?> 130.216.12.255.80 1 0 0 0 E
11 Jun 00 23:21:29 tcp 142.176.129.229.38325 ?> 130.216.13.255.80 1 0 0 0 E
11 Jun 00 23:21:29 tcp 142.176.129.229.38325 ?> 130.216.14.255.80 1 0 0 0 E
11 Jun 00 23:21:29 tcp 142.176.129.229.38325 ?> 130.216.15.255.80 1 0 0 0 E
11 Jun 00 23:21:29 tcp 142.176.129.229.38325 <| 130.216.16.255.80 1 10 0 0 ER

Hmmmm.... 10 resets sent from subnet 16

11 Jun 00 23:21:29 tcp 142.176.129.229.38325 <| 130.216.17.255.80 1 2 0 0 ER
11 Jun 00 23:21:29 tcp 255.255.255.255.80 ?> 142.176.129.229.38325 626 0 0 0 FR

Ouch! 625 RST packets from 255.255.255.255 -- will be blocked at our gateway.

11 Jun 00 23:21:29 tcp 142.176.129.229.38325 ?> 130.216.20.255.80 1 0 0 0 E
11 Jun 00 23:21:29 tcp 142.176.129.229.38325 ?> 130.216.21.255.80 1 0 0 0 E
11 Jun 00 23:21:29 tcp 130.216.55.122.80 ?> 142.176.129.229.38325 22 0 0 0 FR
11 Jun 00 23:21:29 tcp 130.216.22.146.80 ?> 142.176.129.229.38325 21 0 0 0 FR
11 Jun 00 23:21:29 tcp 130.216.12.91.80 ?> 142.176.129.229.38325 17 0 0 0 FR

Now we are getting individual machines responding with lots of RSTs.

Some machines responded with ICMP timeouts and routers with various
Unreachable messages.

The scan went right through all /24s and then 20 minutes later started
over again on address 0. We block icmp and udp to broadcast addresses;
looks like we should also do so for tcp.

This looks like another potential traffic amplifier although not as
effective as ICMP ECHO or udp 137.

Cheers, Russell.

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand.
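The pattern described in the post (ACK-flagged TCP probes aimed at the .0 and .255 addresses of each /24, answered by bursts of RSTs) can be picked out of argus flow records mechanically. The script below is an added example, not code from the post or from the argus project. It assumes the column layout the post describes (timestamp, proto, src.port, direction, dst.port, packets to, packets from, bytes to, bytes from, flags), reads the E flag as "ACK set" as the post does, and treats an R in the flags column as "RST seen", which is an assumption taken from the post's own reading of the ER and FR lines. The sample lines are constructed, modelled on the ones in the post, and the last one is ordinary unicast traffic included to show it is ignored.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample records in the argus layout shown in the post (not a real capture).
SAMPLE_ARGUS = """\
11 Jun 00 23:21:29 tcp 142.176.129.229.38325 ?> 130.216.2.255.80 1 0 0 0 E
11 Jun 00 23:21:29 tcp 142.176.129.229.38325 ?> 130.216.3.255.80 1 0 0 0 E
11 Jun 00 23:21:29 tcp 142.176.129.229.38325 <| 130.216.16.255.80 1 10 0 0 ER
11 Jun 00 23:21:29 tcp 255.255.255.255.80 ?> 142.176.129.229.38325 626 0 0 0 FR
11 Jun 00 23:21:29 tcp 130.216.55.122.80 ?> 142.176.129.229.38325 22 0 0 0 FR
11 Jun 00 23:21:30 tcp 130.216.5.17.52311 ?> 130.216.9.10.80 12 11 1800 9000 E
"""

# One argus line: the address and port are joined by a dot, so the address group
# backtracks until the trailing digits after the last dot are the port.
LINE_RE = re.compile(
    r"^(?P<date>\d{2} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<proto>\S+) "
    r"(?P<src>\S+)\.(?P<sport>\d+) (?P<dir>\S+) (?P<dst>\S+)\.(?P<dport>\d+) "
    r"(?P<pkts_to>\d+) (?P<pkts_from>\d+) (?P<bytes_to>\d+) (?P<bytes_from>\d+) "
    r"(?P<flags>\S+)$"
)

INT_FIELDS = ("sport", "dport", "pkts_to", "pkts_from", "bytes_to", "bytes_from")


def parse_argus(text):
    """Parse argus text output into a list of dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def is_broadcast(addr, local_net):
    """True for the limited broadcast or a .0/.255 address inside our own /16.

    The post treats .0 and .255 of each /24 as broadcast addresses; real subnet
    masks may differ, so adjust this if the local network is not carved into /24s.
    """
    ip = ipaddress.ip_address(addr)
    if ip == ipaddress.ip_address("255.255.255.255"):
        return True
    return ip in ipaddress.ip_network(local_net) and ip.packed[-1] in (0, 255)


def find_broadcast_scans(records, local_net="130.216.0.0/16"):
    """Find sources sending ACK-flagged TCP to broadcast addresses and count RSTs they drew.

    Returns {scanner: {"probes": n, "rsts": m, "amplification": m / n}}.
    """
    probes = Counter()          # scanner -> probe packets sent to broadcast addresses
    rsts = Counter()            # scanner -> RST packets sent back to it
    probed_ports = defaultdict(set)  # scanner -> destination ports it probed

    # Pass 1: probes to broadcast addresses (E = ACK set, per the post); RSTs
    # argus recorded in the reverse direction of the same flow are counted here.
    for r in records:
        if r["proto"] != "tcp" or not is_broadcast(r["dst"], local_net):
            continue
        if "E" in r["flags"]:
            probes[r["src"]] += r["pkts_to"]
            probed_ports[r["src"]].add(r["dport"])
            if "R" in r["flags"]:
                rsts[r["src"]] += r["pkts_from"]

    # Pass 2: RSTs that argus logged as separate flows towards a known scanner,
    # e.g. the burst sourced from 255.255.255.255 or from individual hosts.
    for r in records:
        if (r["proto"] == "tcp" and r["dst"] in probes
                and "R" in r["flags"] and r["sport"] in probed_ports[r["dst"]]):
            rsts[r["dst"]] += r["pkts_to"]

    return {
        s: {"probes": n, "rsts": rsts[s], "amplification": rsts[s] / n}
        for s, n in probes.items()
    }


if __name__ == "__main__":
    for scanner, info in find_broadcast_scans(parse_argus(SAMPLE_ARGUS)).items():
        print(f"{scanner}: {info['probes']} broadcast probes, {info['rsts']} RSTs back, "
              f"amplification x{info['amplification']:.1f}")
```

On the constructed sample this reports one scanner, three broadcast probes and 658 RSTs returned, which is the amplification figure a blocking rule for TCP to broadcast addresses would be justified by. Real argus output has more columns and version-dependent flag letters, so the regex and the E/R interpretation are the two places to adapt.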