Security Incidents mailing list archives

Coordinated or Spoofed Scans


From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Mon, 11 Dec 2000 17:38:00 -0800

I was doing scan extraction on my firewall logs from last week. Grouping
by source host, I happened to notice some correlation between "scans." Take
a look at the destination ports and the times,

   4Dec2000  9:01:30   drop >hme0  tcp 24.160.24.185:1692 -> AAA.BBB.CCC.142:12719 48
   5Dec2000  6:29:16   drop >hme0  tcp 24.160.24.185:3061 -> AAA.BBB.CCC.142:14093 48
   6Dec2000  8:53:09   drop >hme0  tcp 24.160.24.185:4757 -> AAA.BBB.CCC.142:12711 48
   7Dec2000  6:34:06   drop >hme0  tcp 24.160.24.185:3210 -> AAA.BBB.CCC.142:27612 48
   7Dec2000 18:21:11   drop >hme0  tcp 24.160.24.185:1287 -> AAA.BBB.CCC.142:21121 48
   8Dec2000 11:35:50   drop >hme0  tcp 24.160.24.185:4387 -> AAA.BBB.CCC.142:10614 48
   9Dec2000  7:03:08   drop >hme0  tcp 24.160.24.185:1893 -> AAA.BBB.CCC.142:21041 48
  10Dec2000  7:09:32   drop >hme0  tcp 24.160.24.185:3595 -> AAA.BBB.CCC.142:5344 48
  10Dec2000  9:01:48   drop >hme0  tcp 24.160.24.185:4634 -> AAA.BBB.CCC.142:31668 48
  10Dec2000  9:02:46   drop >hme0  tcp 24.160.24.185:4653 -> AAA.BBB.CCC.142:12796 48
  10Dec2000  9:17:31   drop >hme0  tcp 24.160.24.185:4809 -> AAA.BBB.CCC.142:17066 48

   4Dec2000 13:11:59   drop >hme0  tcp 24.167.134.17:1051 -> AAA.BBB.CCC.142:12719 64
   5Dec2000 11:22:22   drop >hme0  tcp 24.167.134.17:1051 -> AAA.BBB.CCC.142:14093 64
   6Dec2000 13:32:30   drop >hme0  tcp 24.167.134.17:1059 -> AAA.BBB.CCC.142:12711 64
   7Dec2000 14:30:42   drop >hme0  tcp 24.167.134.17:1050 -> AAA.BBB.CCC.142:27612 64
   7Dec2000 18:21:11   drop >hme0  tcp 24.167.134.17:1059 -> AAA.BBB.CCC.142:21121 64
   8Dec2000 13:06:04   drop >hme0  tcp 24.167.134.17:1050 -> AAA.BBB.CCC.142:10614 64
   9Dec2000 13:46:48   drop >hme0  tcp 24.167.134.17:1050 -> AAA.BBB.CCC.142:21041 64
  10Dec2000 14:17:02   drop >hme0  tcp 24.167.134.17:1050 -> AAA.BBB.CCC.142:5344 64

   4Dec2000  9:01:31   drop >hme0  tcp 24.41.38.233:2251 -> AAA.BBB.CCC.142:12719 48
   5Dec2000 12:49:10   drop >hme0  tcp 24.41.38.233:2262 -> AAA.BBB.CCC.142:14093 48
   6Dec2000  6:17:26   drop >hme0  tcp 24.41.38.233:3629 -> AAA.BBB.CCC.142:12711 48
   7Dec2000  6:34:06   drop >hme0  tcp 24.41.38.233:2143 -> AAA.BBB.CCC.142:27612 48
   7Dec2000 18:21:10   drop >hme0  tcp 24.41.38.233:3820 -> AAA.BBB.CCC.142:21121 48
   8Dec2000  6:21:01   drop >hme0  tcp 24.41.38.233:2005 -> AAA.BBB.CCC.142:10614 48
   9Dec2000  7:03:08   drop >hme0  tcp 24.41.38.233:1427 -> AAA.BBB.CCC.142:21041 48
  10Dec2000  7:09:33   drop >hme0  tcp 24.41.38.233:1424 -> AAA.BBB.CCC.142:5344 48

   4Dec2000 14:37:40   drop >hme0  tcp 63.248.20.224:61795 -> AAA.BBB.CCC.142:12719 48
   5Dec2000  6:29:16   drop >hme0  tcp 63.248.20.224:63970 -> AAA.BBB.CCC.142:14093 48
   6Dec2000  9:09:01   drop >hme0  tcp 63.248.20.224:61258 -> AAA.BBB.CCC.142:12711 48
   7Dec2000  6:34:06   drop >hme0  tcp 63.248.20.224:62109 -> AAA.BBB.CCC.142:27612 48
   7Dec2000 18:21:10   drop >hme0  tcp 63.248.20.224:62840 -> AAA.BBB.CCC.142:21121 48
   8Dec2000  6:21:01   drop >hme0  tcp 63.248.20.224:62932 -> AAA.BBB.CCC.142:10614 48
   9Dec2000  7:03:11   drop >hme0  tcp 63.248.20.224:63896 -> AAA.BBB.CCC.142:21041 48
  10Dec2000 10:09:32   drop >hme0  tcp 63.248.20.224:65013 -> AAA.BBB.CCC.142:5344 48

Needless to say, this creeped me out. The destination ports have no meaning
that I am aware of. The source ports are perplexing too. 24.160.24.185 source
ports look like what you would expect for a moderately used machine.
24.167.134.17 seems to like the 1050's a bit much. 24.41.38.233 and
63.248.20.224 have reasonable increments for your typical IP stack, but
63.248.20.224 seems to be the only one that likes _really_ high ports. Note
the packet sizes are different. That does not sound like a packet crafting
tool. It also makes me wonder if they really are from different hosts and
not all spoofed from one.

Obviously, the 24/8 are coax cable and I associate 63/8 with DSL (and that
seems to agree with the reverse-lookup). Doing some sneaky things I believe
that they are not all the same OS, but if the ISP is using DHCP, anything
I gather now might be useless.

Have a look at what it looks like if I sort them all by time,

   4Dec2000  9:01:30   drop >hme0  tcp 24.160.24.185:1692  -> AAA.BBB.CCC.142:12719 48
   4Dec2000  9:01:31   drop >hme0  tcp 24.41.38.233:2251   -> AAA.BBB.CCC.142:12719 48
   4Dec2000 13:11:59   drop >hme0  tcp 24.167.134.17:1051  -> AAA.BBB.CCC.142:12719 64
   4Dec2000 14:37:40   drop >hme0  tcp 63.248.20.224:61795 -> AAA.BBB.CCC.142:12719 48
   5Dec2000  6:29:16   drop >hme0  tcp 24.160.24.185:3061  -> AAA.BBB.CCC.142:14093 48
   5Dec2000  6:29:16   drop >hme0  tcp 63.248.20.224:63970 -> AAA.BBB.CCC.142:14093 48
   5Dec2000 11:22:22   drop >hme0  tcp 24.167.134.17:1051  -> AAA.BBB.CCC.142:14093 64
   5Dec2000 12:49:10   drop >hme0  tcp 24.41.38.233:2262   -> AAA.BBB.CCC.142:14093 48
   6Dec2000  6:17:26   drop >hme0  tcp 24.41.38.233:3629   -> AAA.BBB.CCC.142:12711 48
   6Dec2000  8:53:09   drop >hme0  tcp 24.160.24.185:4757  -> AAA.BBB.CCC.142:12711 48
   6Dec2000  9:09:01   drop >hme0  tcp 63.248.20.224:61258 -> AAA.BBB.CCC.142:12711 48
   6Dec2000 13:32:30   drop >hme0  tcp 24.167.134.17:1059  -> AAA.BBB.CCC.142:12711 64
   7Dec2000  6:34:06   drop >hme0  tcp 24.160.24.185:3210  -> AAA.BBB.CCC.142:27612 48
   7Dec2000  6:34:06   drop >hme0  tcp 24.41.38.233:2143   -> AAA.BBB.CCC.142:27612 48
   7Dec2000  6:34:06   drop >hme0  tcp 63.248.20.224:62109 -> AAA.BBB.CCC.142:27612 48
   7Dec2000 14:30:42   drop >hme0  tcp 24.167.134.17:1050  -> AAA.BBB.CCC.142:27612 64
   7Dec2000 18:21:10   drop >hme0  tcp 24.41.38.233:3820   -> AAA.BBB.CCC.142:21121 48
   7Dec2000 18:21:10   drop >hme0  tcp 63.248.20.224:62840 -> AAA.BBB.CCC.142:21121 48
   7Dec2000 18:21:11   drop >hme0  tcp 24.160.24.185:1287  -> AAA.BBB.CCC.142:21121 48
   7Dec2000 18:21:11   drop >hme0  tcp 24.167.134.17:1059  -> AAA.BBB.CCC.142:21121 64
   8Dec2000  6:21:01   drop >hme0  tcp 24.41.38.233:2005   -> AAA.BBB.CCC.142:10614 48
   8Dec2000  6:21:01   drop >hme0  tcp 63.248.20.224:62932 -> AAA.BBB.CCC.142:10614 48
   8Dec2000 11:35:50   drop >hme0  tcp 24.160.24.185:4387  -> AAA.BBB.CCC.142:10614 48
   8Dec2000 13:06:04   drop >hme0  tcp 24.167.134.17:1050  -> AAA.BBB.CCC.142:10614 64
   9Dec2000  7:03:08   drop >hme0  tcp 24.160.24.185:1893  -> AAA.BBB.CCC.142:21041 48
   9Dec2000  7:03:08   drop >hme0  tcp 24.41.38.233:1427   -> AAA.BBB.CCC.142:21041 48
   9Dec2000  7:03:11   drop >hme0  tcp 63.248.20.224:63896 -> AAA.BBB.CCC.142:21041 48
   9Dec2000 13:46:48   drop >hme0  tcp 24.167.134.17:1050  -> AAA.BBB.CCC.142:21041 64
  10Dec2000  7:09:32   drop >hme0  tcp 24.160.24.185:3595  -> AAA.BBB.CCC.142:5344 48
  10Dec2000  7:09:33   drop >hme0  tcp 24.41.38.233:1424   -> AAA.BBB.CCC.142:5344 48
  10Dec2000  9:01:48   drop >hme0  tcp 24.160.24.185:4634  -> AAA.BBB.CCC.142:31668 48
  10Dec2000  9:02:46   drop >hme0  tcp 24.160.24.185:4653  -> AAA.BBB.CCC.142:12796 48
  10Dec2000  9:17:31   drop >hme0  tcp 24.160.24.185:4809  -> AAA.BBB.CCC.142:17066 48
  10Dec2000 10:09:32   drop >hme0  tcp 63.248.20.224:65013 -> AAA.BBB.CCC.142:5344 48
  10Dec2000 14:17:02   drop >hme0  tcp 24.167.134.17:1050  -> AAA.BBB.CCC.142:5344 64

Even creepier when you see the destination ports line up like that. Sometimes
they all came back in a few seconds, sometimes it takes hours.

I am trying to correlate this as a response to some outgoing connection
from our network, but no luck so far. I have some guesses, but they are
far too speculative for sharing. Does anyone recognize this signature?
--
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
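As an added example (not from the post or from anyone on the list), the script below parses log lines in the format shown above and automates the two things the post does by eye: grouping dropped packets by destination port to find ports hit by several distinct sources within a day, and sorting by time to find near-simultaneous arrivals from different addresses. It also summarizes per-source source-port ranges and packet lengths, the fingerprint the post compares by hand. The sample lines are a subset copied from the post, with the destination kept anonymized as AAA.BBB.CCC.142; the function names, the three-source threshold, the 24-hour window and the 5-second gap are my own choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the log lines from the post (destination anonymized there as AAA.BBB.CCC.142).
SAMPLE_LOG = """\
   4Dec2000  9:01:30   drop >hme0  tcp 24.160.24.185:1692  -> AAA.BBB.CCC.142:12719 48
   4Dec2000  9:01:31   drop >hme0  tcp 24.41.38.233:2251   -> AAA.BBB.CCC.142:12719 48
   4Dec2000 13:11:59   drop >hme0  tcp 24.167.134.17:1051  -> AAA.BBB.CCC.142:12719 64
   4Dec2000 14:37:40   drop >hme0  tcp 63.248.20.224:61795 -> AAA.BBB.CCC.142:12719 48
   7Dec2000  6:34:06   drop >hme0  tcp 24.160.24.185:3210  -> AAA.BBB.CCC.142:27612 48
   7Dec2000  6:34:06   drop >hme0  tcp 24.41.38.233:2143   -> AAA.BBB.CCC.142:27612 48
   7Dec2000  6:34:06   drop >hme0  tcp 63.248.20.224:62109 -> AAA.BBB.CCC.142:27612 48
   7Dec2000 14:30:42   drop >hme0  tcp 24.167.134.17:1050  -> AAA.BBB.CCC.142:27612 64
   7Dec2000 18:21:10   drop >hme0  tcp 24.41.38.233:3820   -> AAA.BBB.CCC.142:21121 48
   7Dec2000 18:21:10   drop >hme0  tcp 63.248.20.224:62840 -> AAA.BBB.CCC.142:21121 48
   7Dec2000 18:21:11   drop >hme0  tcp 24.160.24.185:1287  -> AAA.BBB.CCC.142:21121 48
   7Dec2000 18:21:11   drop >hme0  tcp 24.167.134.17:1059  -> AAA.BBB.CCC.142:21121 64
  10Dec2000  9:01:48   drop >hme0  tcp 24.160.24.185:4634  -> AAA.BBB.CCC.142:31668 48
  10Dec2000  9:02:46   drop >hme0  tcp 24.160.24.185:4653  -> AAA.BBB.CCC.142:12796 48
"""

# "<date> <time> <action> ><iface> <proto> <src>:<sport> -> <dst>:<dport> <length>"
LINE_RE = re.compile(
    r"^\s*(?P<date>\d{1,2}[A-Za-z]{3}\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2})\s+"
    r"(?P<action>\w+)\s+>(?P<iface>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\w.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\w.]+):(?P<dport>\d+)\s+"
    r"(?P<length>\d+)\s*$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    d = m.groupdict()
    return {"ts": datetime.strptime(f"{d['date']} {d['time']}", "%d%b%Y %H:%M:%S"),
            "action": d["action"], "iface": d["iface"], "proto": d["proto"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "length": int(d["length"])}


def parse_log(text):
    """Parse every matching line and return the events in time order."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def find_coordinated_ports(events, min_sources=3, window=timedelta(hours=24)):
    """Report (dst, dport) pairs probed by at least min_sources distinct sources
    whose first and last probe fall inside window: the "ports line up" pattern."""
    by_target = defaultdict(list)
    for e in events:
        by_target[(e["dst"], e["dport"])].append(e)
    hits = []
    for (dst, dport), group in by_target.items():
        sources = sorted({e["src"] for e in group})
        if len(sources) < min_sources:
            continue
        times = sorted(e["ts"] for e in group)
        span = times[-1] - times[0]
        if span > window:
            continue
        hits.append({"dst": dst, "dport": dport, "sources": sources,
                     "first": times[0], "span_seconds": int(span.total_seconds())})
    hits.sort(key=lambda h: h["first"])
    return hits


def tight_clusters(events, gap=timedelta(seconds=5)):
    """Sweep the time-ordered events, grouping packets that arrive within gap of
    the previous one, and keep clusters that contain more than one source."""
    clusters, current = [], []
    for e in sorted(events, key=lambda e: e["ts"]):
        if current and e["ts"] - current[-1]["ts"] > gap:
            clusters.append(current)
            current = []
        current.append(e)
    if current:
        clusters.append(current)
    out = []
    for c in clusters:
        sources = sorted({e["src"] for e in c})
        if len(sources) > 1:
            out.append({"start": c[0]["ts"], "sources": sources,
                        "dports": sorted({e["dport"] for e in c})})
    return out


def profile_sources(events):
    """Per-source packet count, source-port range and set of packet lengths."""
    prof = {}
    for e in events:
        p = prof.setdefault(e["src"], {"packets": 0, "sport_min": e["sport"],
                                        "sport_max": e["sport"], "lengths": set()})
        p["packets"] += 1
        p["sport_min"] = min(p["sport_min"], e["sport"])
        p["sport_max"] = max(p["sport_max"], e["sport"])
        p["lengths"].add(e["length"])
    for p in prof.values():
        p["lengths"] = sorted(p["lengths"])
    return prof


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for h in find_coordinated_ports(EVENTS):
        print(f"port {h['dport']}: {len(h['sources'])} sources within {h['span_seconds']}s")
    for c in tight_clusters(EVENTS):
        print(f"{c['start']}: {len(c['sources'])} sources -> ports {c['dports']}")
    for src, p in profile_sources(EVENTS).items():
        print(f"{src}: {p['packets']} pkts, sport {p['sport_min']}-{p['sport_max']}, len {p['lengths']}")
```

On the sample, the three ports from the post that several hosts hit on the same day are reported with their spread (seconds for 21121, hours for 12719 and 27612), the 6:34:06 and 18:21:10 bursts show up as multi-source clusters, and the per-source profile reproduces the observations in the post (the 1050-range source ports of 24.167.134.17 and its 64-byte packets versus the 48-byte packets from the others). The thresholds are starting points; run the same queries over the complete log rather than the excerpt, since a port hit by several sources on one day is a lead to chase, not proof of spoofing or central control.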
