Security Incidents mailing list archives
Coordinated or Spoofed Scans
From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Mon, 11 Dec 2000 17:38:00 -0800
I was doing scan extraction on my firewall logs from last week. Grouping by source host I happened to notice some correlation between "scans." Take a look at the destination ports and the times:

4Dec2000 9:01:30 drop >hme0 tcp 24.160.24.185:1692 -> AAA.BBB.CCC.142:12719 48
5Dec2000 6:29:16 drop >hme0 tcp 24.160.24.185:3061 -> AAA.BBB.CCC.142:14093 48
6Dec2000 8:53:09 drop >hme0 tcp 24.160.24.185:4757 -> AAA.BBB.CCC.142:12711 48
7Dec2000 6:34:06 drop >hme0 tcp 24.160.24.185:3210 -> AAA.BBB.CCC.142:27612 48
7Dec2000 18:21:11 drop >hme0 tcp 24.160.24.185:1287 -> AAA.BBB.CCC.142:21121 48
8Dec2000 11:35:50 drop >hme0 tcp 24.160.24.185:4387 -> AAA.BBB.CCC.142:10614 48
9Dec2000 7:03:08 drop >hme0 tcp 24.160.24.185:1893 -> AAA.BBB.CCC.142:21041 48
10Dec2000 7:09:32 drop >hme0 tcp 24.160.24.185:3595 -> AAA.BBB.CCC.142:5344 48
10Dec2000 9:01:48 drop >hme0 tcp 24.160.24.185:4634 -> AAA.BBB.CCC.142:31668 48
10Dec2000 9:02:46 drop >hme0 tcp 24.160.24.185:4653 -> AAA.BBB.CCC.142:12796 48
10Dec2000 9:17:31 drop >hme0 tcp 24.160.24.185:4809 -> AAA.BBB.CCC.142:17066 48

4Dec2000 13:11:59 drop >hme0 tcp 24.167.134.17:1051 -> AAA.BBB.CCC.142:12719 64
5Dec2000 11:22:22 drop >hme0 tcp 24.167.134.17:1051 -> AAA.BBB.CCC.142:14093 64
6Dec2000 13:32:30 drop >hme0 tcp 24.167.134.17:1059 -> AAA.BBB.CCC.142:12711 64
7Dec2000 14:30:42 drop >hme0 tcp 24.167.134.17:1050 -> AAA.BBB.CCC.142:27612 64
7Dec2000 18:21:11 drop >hme0 tcp 24.167.134.17:1059 -> AAA.BBB.CCC.142:21121 64
8Dec2000 13:06:04 drop >hme0 tcp 24.167.134.17:1050 -> AAA.BBB.CCC.142:10614 64
9Dec2000 13:46:48 drop >hme0 tcp 24.167.134.17:1050 -> AAA.BBB.CCC.142:21041 64
10Dec2000 14:17:02 drop >hme0 tcp 24.167.134.17:1050 -> AAA.BBB.CCC.142:5344 64

4Dec2000 9:01:31 drop >hme0 tcp 24.41.38.233:2251 -> AAA.BBB.CCC.142:12719 48
5Dec2000 12:49:10 drop >hme0 tcp 24.41.38.233:2262 -> AAA.BBB.CCC.142:14093 48
6Dec2000 6:17:26 drop >hme0 tcp 24.41.38.233:3629 -> AAA.BBB.CCC.142:12711 48
7Dec2000 6:34:06 drop >hme0 tcp 24.41.38.233:2143 -> AAA.BBB.CCC.142:27612 48
7Dec2000 18:21:10 drop >hme0 tcp 24.41.38.233:3820 -> AAA.BBB.CCC.142:21121 48
8Dec2000 6:21:01 drop >hme0 tcp 24.41.38.233:2005 -> AAA.BBB.CCC.142:10614 48
9Dec2000 7:03:08 drop >hme0 tcp 24.41.38.233:1427 -> AAA.BBB.CCC.142:21041 48
10Dec2000 7:09:33 drop >hme0 tcp 24.41.38.233:1424 -> AAA.BBB.CCC.142:5344 48

4Dec2000 14:37:40 drop >hme0 tcp 63.248.20.224:61795 -> AAA.BBB.CCC.142:12719 48
5Dec2000 6:29:16 drop >hme0 tcp 63.248.20.224:63970 -> AAA.BBB.CCC.142:14093 48
6Dec2000 9:09:01 drop >hme0 tcp 63.248.20.224:61258 -> AAA.BBB.CCC.142:12711 48
7Dec2000 6:34:06 drop >hme0 tcp 63.248.20.224:62109 -> AAA.BBB.CCC.142:27612 48
7Dec2000 18:21:10 drop >hme0 tcp 63.248.20.224:62840 -> AAA.BBB.CCC.142:21121 48
8Dec2000 6:21:01 drop >hme0 tcp 63.248.20.224:62932 -> AAA.BBB.CCC.142:10614 48
9Dec2000 7:03:11 drop >hme0 tcp 63.248.20.224:63896 -> AAA.BBB.CCC.142:21041 48
10Dec2000 10:09:32 drop >hme0 tcp 63.248.20.224:65013 -> AAA.BBB.CCC.142:5344 48

Needless to say, this creeped me out. The destination ports have no meaning that I am aware of. The source ports are perplexing too. 24.160.24.185 source ports look like what you would expect for a moderately used machine. 24.167.134.17 seems to like the 1050's a bit much. 24.41.38.233 and 63.248.20.224 have reasonable increments for your typical IP stack, but 63.248.20.224 seems to be the only one that likes _really_ high ports. Note the packet sizes are different. That does not sound like a packet crafting tool. It also makes me wonder if they really are from different hosts and not all spoofed from one. Obviously, the 24/8 are coax cable and I associate 63/8 with DSL (and that seems to agree with the reverse-lookup). Doing some sneaky things, I believe that they are not all the same OS, but if the ISP is using DHCP, anything I gather now might be useless.
Have a look at what it looks like if I sort them all by time:

4Dec2000 9:01:30 drop >hme0 tcp 24.160.24.185:1692 -> AAA.BBB.CCC.142:12719 48
4Dec2000 9:01:31 drop >hme0 tcp 24.41.38.233:2251 -> AAA.BBB.CCC.142:12719 48
4Dec2000 13:11:59 drop >hme0 tcp 24.167.134.17:1051 -> AAA.BBB.CCC.142:12719 64
4Dec2000 14:37:40 drop >hme0 tcp 63.248.20.224:61795 -> AAA.BBB.CCC.142:12719 48
5Dec2000 6:29:16 drop >hme0 tcp 24.160.24.185:3061 -> AAA.BBB.CCC.142:14093 48
5Dec2000 6:29:16 drop >hme0 tcp 63.248.20.224:63970 -> AAA.BBB.CCC.142:14093 48
5Dec2000 11:22:22 drop >hme0 tcp 24.167.134.17:1051 -> AAA.BBB.CCC.142:14093 64
5Dec2000 12:49:10 drop >hme0 tcp 24.41.38.233:2262 -> AAA.BBB.CCC.142:14093 48
6Dec2000 6:17:26 drop >hme0 tcp 24.41.38.233:3629 -> AAA.BBB.CCC.142:12711 48
6Dec2000 8:53:09 drop >hme0 tcp 24.160.24.185:4757 -> AAA.BBB.CCC.142:12711 48
6Dec2000 9:09:01 drop >hme0 tcp 63.248.20.224:61258 -> AAA.BBB.CCC.142:12711 48
6Dec2000 13:32:30 drop >hme0 tcp 24.167.134.17:1059 -> AAA.BBB.CCC.142:12711 64
7Dec2000 6:34:06 drop >hme0 tcp 24.160.24.185:3210 -> AAA.BBB.CCC.142:27612 48
7Dec2000 6:34:06 drop >hme0 tcp 24.41.38.233:2143 -> AAA.BBB.CCC.142:27612 48
7Dec2000 6:34:06 drop >hme0 tcp 63.248.20.224:62109 -> AAA.BBB.CCC.142:27612 48
7Dec2000 14:30:42 drop >hme0 tcp 24.167.134.17:1050 -> AAA.BBB.CCC.142:27612 64
7Dec2000 18:21:10 drop >hme0 tcp 24.41.38.233:3820 -> AAA.BBB.CCC.142:21121 48
7Dec2000 18:21:10 drop >hme0 tcp 63.248.20.224:62840 -> AAA.BBB.CCC.142:21121 48
7Dec2000 18:21:11 drop >hme0 tcp 24.160.24.185:1287 -> AAA.BBB.CCC.142:21121 48
7Dec2000 18:21:11 drop >hme0 tcp 24.167.134.17:1059 -> AAA.BBB.CCC.142:21121 64
8Dec2000 6:21:01 drop >hme0 tcp 24.41.38.233:2005 -> AAA.BBB.CCC.142:10614 48
8Dec2000 6:21:01 drop >hme0 tcp 63.248.20.224:62932 -> AAA.BBB.CCC.142:10614 48
8Dec2000 11:35:50 drop >hme0 tcp 24.160.24.185:4387 -> AAA.BBB.CCC.142:10614 48
8Dec2000 13:06:04 drop >hme0 tcp 24.167.134.17:1050 -> AAA.BBB.CCC.142:10614 64
9Dec2000 7:03:08 drop >hme0 tcp 24.160.24.185:1893 -> AAA.BBB.CCC.142:21041 48
9Dec2000 7:03:08 drop >hme0 tcp 24.41.38.233:1427 -> AAA.BBB.CCC.142:21041 48
9Dec2000 7:03:11 drop >hme0 tcp 63.248.20.224:63896 -> AAA.BBB.CCC.142:21041 48
9Dec2000 13:46:48 drop >hme0 tcp 24.167.134.17:1050 -> AAA.BBB.CCC.142:21041 64
10Dec2000 7:09:32 drop >hme0 tcp 24.160.24.185:3595 -> AAA.BBB.CCC.142:5344 48
10Dec2000 7:09:33 drop >hme0 tcp 24.41.38.233:1424 -> AAA.BBB.CCC.142:5344 48
10Dec2000 9:01:48 drop >hme0 tcp 24.160.24.185:4634 -> AAA.BBB.CCC.142:31668 48
10Dec2000 9:02:46 drop >hme0 tcp 24.160.24.185:4653 -> AAA.BBB.CCC.142:12796 48
10Dec2000 9:17:31 drop >hme0 tcp 24.160.24.185:4809 -> AAA.BBB.CCC.142:17066 48
10Dec2000 10:09:32 drop >hme0 tcp 63.248.20.224:65013 -> AAA.BBB.CCC.142:5344 48
10Dec2000 14:17:02 drop >hme0 tcp 24.167.134.17:1050 -> AAA.BBB.CCC.142:5344 64

Even creepier when you see the destination ports line up like that. Sometimes they all came back in a few seconds, sometimes it takes hours. I am trying to correlate this as a response to some outgoing connection from our network, but no luck so far. I have some guesses, but they are far too speculative for sharing. Does anyone recognize this signature?

--
Crist J. Clark
Network Security Engineer
crist.clark () globalstar com
Globalstar, L.P.
(408) 933-4387
FAX: (408) 933-4926
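As an added example, not code from the post or its author, here is a small Python correlator that does the "group by destination port" step behind the sorted listing above: it parses log lines in the quoted format, flags destination ports hit by more than one source, and reports for each the sources, the seconds between first and last hit, and the distinct packet lengths seen (the packet-length difference is the clue the post uses against a single packet-crafting tool). The regular expression and field names are my assumptions about the log layout, and the sample records are a constructed subset of those in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed layout of the firewall log lines quoted in the post:
#   <day><Mon><year> <h:mm:ss> <action> ><iface> <proto> <src>:<sport> -> <dst>:<dport> <len>
LINE_RE = re.compile(
    r"^(\d{1,2}[A-Za-z]{3}\d{4}) (\d{1,2}:\d{2}:\d{2}) (\w+) >(\S+) (\w+) "
    r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\S+):(\d+) (\d+)$"
)

def parse_line(line):
    """Return one parsed record as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date, clock, action, iface, proto, src, sport, dst, dport, size = m.groups()
    when = datetime.strptime(f"{date} {clock}", "%d%b%Y %H:%M:%S")
    return {"when": when, "action": action, "iface": iface, "proto": proto, "src": src,
            "sport": int(sport), "dst": dst, "dport": int(dport), "size": int(size)}

def correlate(lines, min_sources=2):
    """Group records by destination port and keep ports hit by >= min_sources
    distinct sources. Each flagged port maps to its sorted sources, the seconds
    between its first and last hit, and the distinct packet lengths observed."""
    by_port = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_port[rec["dport"]].append(rec)
    report = {}
    for dport, recs in by_port.items():
        sources = sorted({r["src"] for r in recs})
        if len(sources) < min_sources:
            continue  # a single source probing a port is ordinary noise here
        times = [r["when"] for r in recs]
        report[dport] = {"sources": sources,
                         "spread_s": int((max(times) - min(times)).total_seconds()),
                         "sizes": sorted({r["size"] for r in recs})}
    return report

# Constructed sample: a subset of the records quoted in the post.
SAMPLE = """\
7Dec2000 6:34:06 drop >hme0 tcp 24.160.24.185:3210 -> AAA.BBB.CCC.142:27612 48
7Dec2000 6:34:06 drop >hme0 tcp 24.41.38.233:2143 -> AAA.BBB.CCC.142:27612 48
7Dec2000 6:34:06 drop >hme0 tcp 63.248.20.224:62109 -> AAA.BBB.CCC.142:27612 48
7Dec2000 14:30:42 drop >hme0 tcp 24.167.134.17:1050 -> AAA.BBB.CCC.142:27612 64
10Dec2000 9:01:48 drop >hme0 tcp 24.160.24.185:4634 -> AAA.BBB.CCC.142:31668 48
""".splitlines()

if __name__ == "__main__":
    print(correlate(SAMPLE))
```

On the sample, port 27612 is flagged with four sources, a spread of just under eight hours and lengths 48 and 64, while port 31668 (one source) is not.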