Security Incidents mailing list archives

Re: IDS Avoiding TRACEROUTE Network mapping


From: cjc () SCITEC COM (Crist J. Clark)
Date: Wed, 26 Apr 2000 10:34:44 -0400


On Tue, Apr 25, 2000 at 01:47:27PM -0400, Matthew F. Caldwell wrote:
> One of my clients is receiving traceroutes of ICMP and UDP from the
> company "www.quova.com" which is in their own words "Quova is a
> stealth-mode, Internet infrastructure company" from the following IP
> address 64.41.164.55. Attempting to avoid IDS systems, the scans look like
> this:
>
> Echo Request from 64.41.164.55 to x.190.51.1
> Echo Request from 64.41.164.55 to x.191.51.1
> Echo Request from 64.41.164.55 to x.192.51.1
> Echo Request from 64.41.164.55 to x.194.51.1
> Echo Request from 64.41.164.55 to x.193.51.1
>
> Has anyone else seen these?

On Apr 13 between 07:18:14 and 07:37:14 our firewall dropped 874
packets coming in at reasonable traceroute ports (33448-33466). All
were UDP packets. They were directed at 46 IP addresses (I can't see a
pattern in the addresses they tried). The source was 64.41.164.56.

--
Crist J. Clark                              cjc () scitec com
SciTec, Inc                             (609)921-3892 x252
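The two patterns discussed in this thread (ICMP echo requests walking across many hosts, and UDP probes to the classic traceroute destination-port range from one source) are easy to pick out of firewall drop logs once events are grouped by source and counted per time window. The script below is an added example, not code from either poster or from any product mentioned in the thread. The log line format, the sample lines, and the thresholds (10-minute window, 5 distinct targets) are all constructed assumptions for illustration; the UDP port range 33434-33534 is the conventional Unix traceroute range and is used as a heuristic, not as a definitive fingerprint.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Heuristics: classic Unix traceroute starts at UDP port 33434 and increments
# per probe; ICMP type 8 is echo request. Both are only indicators, not proof.
TRACEROUTE_UDP_PORTS = range(33434, 33535)
ICMP_ECHO_REQUEST = 8

# Constructed sample log lines in a hypothetical firewall format (not real log
# output from the thread). Addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
Apr 13 07:18:14 fw DROP UDP 64.41.164.56:40123 -> 192.0.2.10:33448
Apr 13 07:18:15 fw DROP UDP 64.41.164.56:40123 -> 192.0.2.11:33449
Apr 13 07:18:16 fw DROP UDP 64.41.164.56:40123 -> 192.0.2.12:33450
Apr 13 07:18:17 fw DROP UDP 64.41.164.56:40123 -> 192.0.2.13:33451
Apr 13 07:18:18 fw DROP UDP 64.41.164.56:40123 -> 192.0.2.14:33452
Apr 13 07:18:19 fw DROP UDP 64.41.164.56:40123 -> 192.0.2.15:33453
Apr 13 07:19:02 fw DROP ICMP 64.41.164.55 -> 192.0.2.20 type=8
Apr 13 07:19:03 fw DROP ICMP 64.41.164.55 -> 192.0.2.21 type=8
Apr 13 07:19:04 fw DROP ICMP 64.41.164.55 -> 192.0.2.22 type=8
Apr 13 07:19:05 fw DROP ICMP 64.41.164.55 -> 192.0.2.23 type=8
Apr 13 07:19:06 fw DROP ICMP 64.41.164.55 -> 192.0.2.24 type=8
Apr 13 07:20:00 fw DROP UDP 198.51.100.7:5000 -> 192.0.2.10:33434
Apr 13 09:00:00 fw DROP UDP 198.51.100.7:5000 -> 192.0.2.11:33435
"""

# Matches the constructed format above; a real deployment would use the
# firewall's own field layout.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ DROP (?P<proto>UDP|ICMP) "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
    r"(?: type=(?P<itype>\d+))?$"
)


def parse_events(log_text):
    """Return [(time, source, destination, technique)] for lines that look like
    traceroute-style probes; everything else is skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        if m["proto"] == "UDP" and m["dport"] and int(m["dport"]) in TRACEROUTE_UDP_PORTS:
            technique = "udp-traceroute"
        elif m["proto"] == "ICMP" and m["itype"] and int(m["itype"]) == ICMP_ECHO_REQUEST:
            technique = "icmp-echo"
        else:
            continue
        events.append((ts, m["src"], m["dst"], technique))
    return events


def detect_sweeps(log_text, window=timedelta(minutes=10), min_targets=5):
    """Return {source: {"targets": n, "techniques": [...]}} for every source that
    probed at least `min_targets` distinct destinations inside some `window`."""
    by_src = defaultdict(list)
    for ev in parse_events(log_text):
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        in_window = defaultdict(int)  # destination -> hits inside the current window
        techniques = set()
        best = 0
        left = 0
        for t, _, dst, tech in evs:
            in_window[dst] += 1
            techniques.add(tech)
            # Slide the left edge forward until the window spans at most `window`.
            while t - evs[left][0] > window:
                old = evs[left][2]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= min_targets:
            findings[src] = {"targets": best, "techniques": sorted(techniques)}
    return findings


if __name__ == "__main__":
    for src, info in detect_sweeps(SAMPLE_LOG).items():
        print(f"{src}: {info['targets']} targets via {', '.join(info['techniques'])}")
```

With the sample lines, the two sources that hit many hosts in under a minute are reported, while the third source, which sent only two widely spaced probes, stays under the threshold. Tuning the window and target count to the site's normal traceroute volume is what keeps this from paging on ordinary path diagnostics.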
