From: Lampe, John W. (JWLAMPEGAPAC.COM)
Date: Mon Mar 19 2001 - 10:38:04 CST


    Hi Gary,
    Do you see ttl values=1 in the IP headers to imply that this is a
    traceroute-like scan? The fact that the dest ports are incrementing looks
    more like a port scan than a traceroute.

    John Lampe

    -----Original Message-----
    From: Portnoy, Gary [mailto:gportnoyBELENOSINC.COM]
    Sent: Monday, March 19, 2001 10:43 AM
    To: INCIDENTSSECURITYFOCUS.COM
    Subject: UDP Traceroutes?

    Hello,

    In the last few days I've noticed a few interesting anomalies which look
    like they could be a particular breed of traceroute, but I didn't want to
    just discount them as that. Traceroute's default destination is port UDP
    33434 increasing by one with every packet sent. I've been seeing various
    sources tracerouting to me with destination ports below 111 and always
    terminating at 111. They usually reach me with dest port somewhere in the
    90's and always increase till 111 (UDP). The sources are 128.9.160.210,
    141.213.10.128, 192.88.114.82, 193.10.66.138. See below:
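
The check raised in the reply above (arriving TTL versus incrementing destination ports) can be applied to captured packet headers. The following is an added example, not part of either message; the sample records, the function name `classify` and its thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records, not taken from the thread:
# (source, arriving TTL, UDP destination port). Addresses are documentation ranges.
SAMPLE = [
    ("198.51.100.7", 1, 109), ("198.51.100.7", 1, 110), ("198.51.100.7", 1, 111),
    ("203.0.113.9", 52, 109), ("203.0.113.9", 52, 110), ("203.0.113.9", 52, 111),
    ("192.0.2.44", 47, 53),
]

def classify(packets, low_ttl=1, min_run=3):
    """Label each source by the pattern of its UDP probes, in arrival order.

    low_ttl and min_run are assumed thresholds for this sketch; tune them to
    where the sensor sits relative to the probed host.
    """
    by_src = defaultdict(list)
    for src, ttl, dport in packets:
        by_src[src].append((ttl, dport))

    verdicts = {}
    for src, seen in by_src.items():
        ports = [dport for _, dport in seen]
        # Both traceroute and a sequential scan step the destination port by one.
        sequential = len(ports) >= min_run and all(
            b - a == 1 for a, b in zip(ports, ports[1:])
        )
        # Traceroute probes are sent with small TTLs, so they arrive nearly
        # expired; ordinary scan traffic arrives with most of its TTL left.
        nearly_expired = all(ttl <= low_ttl for ttl, _ in seen)
        if not sequential:
            verdicts[src] = "unclassified"
        elif nearly_expired:
            verdicts[src] = "traceroute-like"
        else:
            verdicts[src] = "port-scan-like"
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify(SAMPLE).items():
        print(f"{src:15} {verdict}")
```

The labels are heuristic: a sender can set any TTL it likes, so a low arriving TTL supports the traceroute reading without proving it.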