Security Incidents mailing list archives

Re: Simultaneous Attacks


From: Valdis.Kletnieks () VT EDU (Valdis Kletnieks)
Date: Fri, 7 Jul 2000 17:31:45 -0400


On Fri, 07 Jul 2000 00:27:04 EDT, "Harlan S. Barney, Jr." <hsbarney () NYCAP RR COM>  said:
59, 2000-07-06 23:59:50, 2003103, NetBus port probe, 64.232.4.242, ,
24.161.11.47, , port=12345&name=NetBus, 6, A
59, 2000-07-06 23:59:50, 2003103, NetBus port probe, 23.23.23.23, ,
24.161.11.47, , port=12345&name=NetBus, 6, A
59, 2000-07-06 23:59:50, 2003103, NetBus port probe, 24.24.24.24,
tmp1-3218.twcny.rr.com, 24.161.11.47, , port=12345&name=NetBus, 6, A

The 23. and 24. probes are almost certainly decoys.  This may be an 'nmap'
scan trying to determine your IP sequence number algorithm - using bogus
packets to increment the initial sequence number.  You may wish to verify
whether your software is configured to report on probes to other ports
as well - it could be you're only reporting on "interesting" ports (like
snmp, netbus, yadda yadda yadda) and you missed the other connections.

Of course, I may be totally full of it too - it *is* 5:30PM on Friday and time
for the weekend. ;)

--
                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech
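
One way to flag this pattern in the log format quoted above, as an added example that is not part of the original post: it groups probes that hit the same destination and port within one second and marks sources whose four octets are identical. The column names and the identical-octet heuristic are assumptions.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta

# The three records quoted in the post, re-joined onto one line each.
SAMPLE_LOG = """\
59, 2000-07-06 23:59:50, 2003103, NetBus port probe, 64.232.4.242, , 24.161.11.47, , port=12345&name=NetBus, 6, A
59, 2000-07-06 23:59:50, 2003103, NetBus port probe, 23.23.23.23, , 24.161.11.47, , port=12345&name=NetBus, 6, A
59, 2000-07-06 23:59:50, 2003103, NetBus port probe, 24.24.24.24, tmp1-3218.twcny.rr.com, 24.161.11.47, , port=12345&name=NetBus, 6, A
"""

# Column names are assumptions inferred from the values; the post does not name them.
FIELDS = ["severity", "time", "issue_id", "issue", "src_ip", "src_name",
          "dst_ip", "dst_name", "params", "count", "flags"]

def parse(text):
    """Yield one dict per well-formed record; skip short or malformed lines."""
    for row in csv.reader(text.splitlines(), skipinitialspace=True):
        if len(row) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, (c.strip() for c in row)))
        try:
            rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        yield rec

def looks_patterned(ip):
    """Heuristic (assumption): all four octets equal, e.g. 23.23.23.23."""
    octets = ip.split(".")
    return len(octets) == 4 and len(set(octets)) == 1

def decoy_clusters(text, window=timedelta(seconds=1), min_sources=2):
    """Group probes to the same target and port that arrive within `window`."""
    by_target = defaultdict(list)
    for rec in parse(text):
        by_target[(rec["dst_ip"], rec["params"])].append(rec)
    clusters = []
    for (dst, params), recs in by_target.items():
        recs.sort(key=lambda r: r["time"])
        start = 0
        for i in range(1, len(recs) + 1):
            if i == len(recs) or recs[i]["time"] - recs[i - 1]["time"] > window:
                srcs = sorted({r["src_ip"] for r in recs[start:i]})
                if len(srcs) >= min_sources:
                    clusters.append({"dst": dst, "params": params, "sources": srcs,
                                     "patterned": [s for s in srcs if looks_patterned(s)]})
                start = i
    return clusters
```

A cluster only shows that one probe arrived under several claimed source addresses; the log by itself does not establish which of them, if any, is the real sender.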

