Security Incidents mailing list archives

Re: a very strange scan


From: r.fulton () AUCKLAND AC NZ (Russell Fulton)
Date: Fri, 11 Feb 2000 12:06:08 +1300


On Wed, 9 Feb 2000 16:26:11 -0000 Boris Badenov
<sluskyb () FORCE STWING UPENN EDU> wrote:

I was scanned yesterday by 208.225.90.120 (which is
somewhere in the depths of UUnet) on the following ports:

46424
17699
54510
53021
2168
38979
45576
16851
44087
15362
21752
20263
57074
28349
65160
26860
43032
4732
41543
11329
48140

All these ports are unassigned, and none of them are on any
of the trojan lists I've found.

Can anyone make sense of this?

What flags were set on these packets?

Here is one possible scenario:

I see packets coming in with FIN or sometimes RST from addresses owned
by e-commerce sites.  (Amazon is bad at the moment.)  What appears to be
happening is this:

The sites use some form of load balancing software, so behind, say,
www.amazon.com are 3 (at least) real web servers that do the work.
These machines often don't have PTR records in the DNS.  The problem is
that the load balancing software isn't perfect and often gets confused
when sessions have finished or been dropped.  When this happens the real
server that was handling the transaction times out and then sends out a
FIN or an RST to the client.  This will appear to a FW or NIDS as a new
session and get logged as such.

I run argus, which records *all* TCP sessions, and I have been able to
match the session that originated at our site, and which appeared to
terminate normally, with the incoming FIN packet several seconds later.

If you have a client doing lots of sessions to such a site, you will see
what appears to be a scan coming back.  If the client is on an OS which
allocates source port numbers serially, the scan will appear to be a
serial scan of the high-numbered ports.  If the OS allocates ports
randomly, then you would see something like you describe.

ARIN says this address is allocated to UUNet's web business unit.

Russell.
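The correlation Russell describes (matching each inbound FIN/RST "scan" packet against an outbound session to the same address/port pair that closed shortly before) as an added example, not code from the original posts or from argus. The session-log and firewall-log formats, the timestamps, the 10.1.1.5 client and the matching window are all constructed for illustration; real argus and firewall output use different fields. The port-pattern check at the end is likewise an added heuristic for Russell's serial-versus-random remark, run over the port list from Boris's post.

```python
"""Explain late FIN/RST packets by correlating them with completed outbound
sessions.  Added example; the log formats below are invented."""
from collections import namedtuple
from datetime import datetime, timedelta

Session = namedtuple("Session", "start end src sport dst dport")
Packet = namedtuple("Packet", "ts src sport dst dport flags")

# Constructed record of completed outbound sessions (what an argus-style
# flow logger would hold).  Fields: start end src sport dst dport
SESSION_LOG = """\
2000-02-09T16:20:01 2000-02-09T16:20:04 10.1.1.5 46424 208.225.90.120 80
2000-02-09T16:20:02 2000-02-09T16:20:05 10.1.1.5 17699 208.225.90.120 80
2000-02-09T16:20:06 2000-02-09T16:20:09 10.1.1.5 54510 208.225.90.120 80
"""

# Constructed firewall log of inbound packets that matched no open session.
# Fields: ts src sport dst dport flags
PACKET_LOG = """\
2000-02-09T16:20:12 208.225.90.120 80 10.1.1.5 46424 FIN
2000-02-09T16:20:13 208.225.90.120 80 10.1.1.5 17699 RST
2000-02-09T16:20:20 208.225.90.120 80 10.1.1.5 2168 SYN
2000-02-09T16:20:21 208.225.90.120 80 10.1.1.5 38979 FIN
"""

# The destination ports from Boris's post, in the order he listed them.
BORIS_PORTS = [46424, 17699, 54510, 53021, 2168, 38979, 45576, 16851, 44087,
               15362, 21752, 20263, 57074, 28349, 65160, 26860, 43032, 4732,
               41543, 11329, 48140]


def parse_sessions(text):
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, src, sport, dst, dport = line.split()
        out.append(Session(datetime.fromisoformat(start), datetime.fromisoformat(end),
                           src, int(sport), dst, int(dport)))
    return out


def parse_packets(text):
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, flags = line.split()
        out.append(Packet(datetime.fromisoformat(ts), src, int(sport), dst, int(dport), flags))
    return out


def classify(packets, sessions, window=timedelta(seconds=30)):
    """Split inbound packets into those explained by a session of ours that
    closed within `window` before the packet arrived, and the rest.
    Returns {'late_close': [(packet, session)], 'unexplained': [(packet, None)]}."""
    by_tuple = {}
    for s in sessions:
        by_tuple.setdefault((s.src, s.sport, s.dst, s.dport), []).append(s)
    late, unexplained = [], []
    for p in packets:
        match = None
        if p.flags in ("FIN", "RST"):
            # Reverse the direction: the packet's dst/dport is our client's side.
            for s in by_tuple.get((p.dst, p.dport, p.src, p.sport), []):
                if s.end <= p.ts <= s.end + window:
                    match = s
                    break
        (late if match else unexplained).append((p, match))
    return {"late_close": late, "unexplained": unexplained}


def port_pattern(ports, max_gap=8):
    """'serial' if the sorted ports are (nearly) consecutive, as a client with
    sequential source-port allocation would produce; otherwise 'random'.
    max_gap is an assumed threshold, not anything from the thread."""
    ordered = sorted(ports)
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    return "serial" if gaps and max(gaps) <= max_gap else "random"


if __name__ == "__main__":
    result = classify(parse_packets(PACKET_LOG), parse_sessions(SESSION_LOG))
    for p, s in result["late_close"]:
        print(f"{p.ts} {p.flags} to port {p.dport}: late close of session "
              f"that ended {s.end} (not a scan)")
    for p, _ in result["unexplained"]:
        print(f"{p.ts} {p.flags} to port {p.dport}: no matching session, keep as suspect")
    print("port allocation looks", port_pattern(BORIS_PORTS))
```

Only FIN and RST packets are eligible for the "late close" explanation; a SYN to a port we never used stays suspect whatever the timing. The window is deliberately short, because Russell reports the stray FIN arriving "several seconds later"; lengthen it and the check starts excusing real scans that happen to hit a recently used port.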

