Security Incidents mailing list archives
Re: IDS Avoiding TRACEROUTE Network mapping
From: cjc () SCITEC COM (Crist J. Clark)
Date: Wed, 26 Apr 2000 10:34:44 -0400
On Tue, Apr 25, 2000 at 01:47:27PM -0400, Matthew F. Caldwell wrote:
> One of my clients is receiving traceroutes of icmp and udp from the company "www.quova.com" which is in their own words "Quova is a stealth-mode, Internet infrastructure company" From the following ip address 64.41.164.55. Attempting to avoid IDS systems the scans look like this:
>
> Echo Request from 64.41.164.55 to x.190.51.1
> Echo Request from 64.41.164.55 to x.191.51.1
> Echo Request from 64.41.164.55 to x.192.51.1
> Echo Request from 64.41.164.55 to x.194.51.1
> Echo Request from 64.41.164.55 to x.193.51.1
>
> Has anyone else seen these?

On Apr 13 between 07:18:14 and 07:37:14 our firewall dropped 874 packets coming in at reasonable traceroute ports (33448-33466). All were UDP packets. They were directed at 46 IP addresses (I can't see a pattern in the addresses they tried). The source was 64.41.164.56.

--
Crist J. Clark cjc () scitec com
SciTec, Inc (609)921-3892 x252
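
An added example, not part of the original posts: one way to pull this kind of activity out of firewall drop logs is to count, per source network, how many distinct hosts were probed on UDP traceroute ports. The log format, the port cutoff, the /24 grouping and the threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed log format (an assumption, not any real firewall's):
# "<time> DROP <proto> <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(r"^(\S+) DROP (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

# Classic UDP traceroute starts at port 33434 and increments per probe;
# the upper bound used here is an assumed cutoff.
TR_PORTS = range(33434, 33535)

def find_mappers(lines, min_targets=3):
    """Return {source /24: stats} for sources probing many hosts on traceroute ports."""
    stats = defaultdict(lambda: {"packets": 0, "targets": set(), "ports": set()})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        _, proto, src, _, dst, dport = m.groups()
        if proto != "UDP" or int(dport) not in TR_PORTS:
            continue
        # Group by /24 so neighbouring probe addresses count as one source.
        key = str(ip_network(f"{src}/24", strict=False))
        s = stats[key]
        s["packets"] += 1
        s["targets"].add(dst)
        s["ports"].add(int(dport))
    return {
        net: {"packets": s["packets"], "targets": len(s["targets"]),
              "port_range": (min(s["ports"]), max(s["ports"]))}
        for net, s in stats.items() if len(s["targets"]) >= min_targets
    }

# Constructed sample lines; destinations use documentation address space.
SAMPLE = """\
07:18:14 DROP UDP 64.41.164.56:41000 -> 192.0.2.10:33448
07:18:15 DROP UDP 64.41.164.56:41000 -> 192.0.2.10:33449
07:18:20 DROP UDP 64.41.164.56:41001 -> 198.51.100.7:33448
07:18:26 DROP UDP 64.41.164.55:41002 -> 203.0.113.99:33466
07:19:02 DROP UDP 10.1.1.5:53211 -> 192.0.2.10:53
07:19:40 DROP TCP 10.9.9.9:4000 -> 192.0.2.10:33450
07:20:11 DROP UDP 172.16.4.4:5000 -> 192.0.2.10:33440
""".splitlines()

if __name__ == "__main__":
    for net, info in find_mappers(SAMPLE).items():
        print(net, info)
```

Grouping by /24 is what lets probes from neighbouring addresses, such as the .55 and .56 hosts reported in this thread, show up as a single source.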