Security Incidents mailing list archives

Re: Unusual scan pattern

From: lamont () ICOPYRIGHT COM (Granquist, Lamont)
Date: Wed, 19 Jan 2000 14:57:34 -0800


On Wed, 19 Jan 2000, Russell Fulton wrote:

date      time        proto       source                     dest          packets           bytes          status
                                                                           to     fr      to       fr
09 Jan 00 11:05:43      tcp      133.74.6.1.23    <|      130.216.1.1.23    1      1       0         0        ER
09 Jan 00 11:05:43      tcp      133.74.6.1.23    <|      130.216.1.4.23    1      1       0         0        ER
09 Jan 00 11:05:44      tcp      133.74.6.1.25    <|      130.216.1.4.25    1      1       0         0        ER
09 Jan 00 11:05:44      tcp      133.74.6.1.25    <|      130.216.1.1.25    1      1       0         0        ER
09 Jan 00 11:05:44      tcp      133.74.6.1.143   <|      130.216.1.1.143   1      1       0         0        ER
09 Jan 00 11:05:44      tcp      133.74.6.1.143   <|      130.216.1.4.143   1      1       0         0        ER
09 Jan 00 11:05:44      tcp      133.74.6.1.110   <|      130.216.1.4.110   1      1       0         0        ER
09 Jan 00 11:05:44      tcp      133.74.6.1.110   <|      130.216.1.1.110   1      1       0         0        ER
09 Jan 00 11:05:44      tcp      133.74.6.1.80    <|      130.216.1.1.80    1      1       0         0        ER
09 Jan 00 11:05:44      tcp      133.74.6.1.80    <|      130.216.1.4.80    1      1       0         0        ER

The E flag on these means that argus thought that the incoming packets were
part of an established tcp stream for which it had not seen the handshake
packets.  Our hosts respond with a RST.  Note source and destination ports
are the same -- Is this some form of tcp 'ping' designed to go through
packet filters?

[...]

What interests me is the initial tcp data packets which look as if
they have been crafted to go through firewalls (at least simple packet
filter types) and the artifical source port numbers.


NMAP by default does TCP ACK pings to port 80.  This doesn't look like an
NMAP signature, but might be a similar kind of tactic.  I'd think that
they would get a better ability to go through firewalls if they did ACK
scans from a low numbered port like 80 to a high numbered port.  That
would probably get through packet filters which didn't keep any state and
just relied on the ACK bit being set to determine if it was part of an
ongoing TCP connection.

Current thread:

Unusual scan pattern Russell Fulton (Jan 18)
- ANOTHER DNS MAC ADDRESS Change w/h Unix Log File Michael Vaughan (Jan 19)
  - Re: ANOTHER DNS MAC ADDRESS Change w/h Unix Log File Cy Schubert - ITSD Open Systems Group (Jan 21)
  - Re: ANOTHER DNS MAC ADDRESS Change w/h Unix Log File Ex Machina [xm] (Jan 21)
  - Re: ANOTHER DNS MAC ADDRESS Change w/h Unix Log File CyberPsychotic (Jan 21)
    - Re: ANOTHER DNS MAC ADDRESS Change w/h Unix Log File Dug Song (Jan 22)
- Re: Unusual scan pattern Granquist, Lamont (Jan 19)
- Slow scan Mixmaster (Jan 19)
- Re: Unusual scan pattern Richard Bejtlich (Jan 20)
- Re: Unusual scan pattern Kevin Houle (Jan 20)
  - Re: Unusual scan pattern Russell Fulton (Jan 23)
  - semi careful, very patient attacker Jon Paul, Nollmann (Jan 24)
- <Possible follow-ups>
- Re: Unusual scan pattern Oliver Friedrichs (Jan 19)
  - Unknown Port Numbers Edwin Covert (Jan 21)