Security Incidents mailing list archives
Re: Odd UPD scan
From: rmclean () NATDOOR COM (Randy Mclean)
Date: Fri, 17 Mar 2000 08:51:02 -0600
Are you sure that they are really spoofed, or could it be someone upstream from you using that IP and your routers just happen to pass the traffic? I know there is a new worm out that scans for open Microsnot (not a misspelling) shares. It really has picked up in activity in the last 3 weeks or so. What's worse, last I checked most (not all) virus scanners didn't detect this one. For more info on this worm please refer to http://www.cert.org/incident_notes/IN-2000-02.htm. If I were you I'd do a traceroute/ping and see if there actually is a computer running that RFC1918 address. Who knows, I could be wrong, but it's an idea anyway.

At 11:25 AM 3/15/00 -0800, you wrote:
For several weeks now I've noticed scans of UDP port 137, but the odd thing is that the source address is spoofed as a private IP address. I don't understand how this can be a probe, since they'll never see the replies. It also doesn't seem like a DOS attack since it's a somewhat slow scan and it doesn't go on for too long.

Sample log:

00:06:26.478367 192.168.0.1.137 > aaa.bbb.ccc.eee.137: udp 50
00:06:27.951993 192.168.0.1.137 > aaa.bbb.ccc.eee.137: udp 50
00:06:29.460189 192.168.0.1.137 > aaa.bbb.ccc.eee.137: udp 50
00:06:32.475204 192.168.0.1.137 > aaa.bbb.ccc.fff.137: udp 50
00:06:32.475338 aaa.bbb.ccc.fff > 192.168.0.1: icmp: aaa.bbb.ccc.fff udp port 137 unreachable
00:06:33.979872 192.168.0.1.137 > aaa.bbb.ccc.fff.137: udp 50
00:06:33.980001 aaa.bbb.ccc.fff > 192.168.0.1: icmp: aaa.bbb.ccc.fff udp port 137 unreachable
00:06:35.480653 192.168.0.1.137 > aaa.bbb.ccc.fff.137: udp 50
00:06:35.480773 aaa.bbb.ccc.fff > 192.168.0.1: icmp: aaa.bbb.ccc.fff udp port 137 unreachable
00:06:38.491738 192.168.0.1.137 > aaa.bbb.ccc.ggg.137: udp 50
00:06:38.491874 aaa.bbb.ccc.ggg > 192.168.0.1: icmp: aaa.bbb.ccc.ggg udp port 137 unreachable
00:06:39.986622 192.168.0.1.137 > aaa.bbb.ccc.ggg.137: udp 50
00:06:39.986745 aaa.bbb.ccc.ggg > 192.168.0.1: icmp: aaa.bbb.ccc.ggg udp port 137 unreachable
00:06:41.497638 192.168.0.1.137 > aaa.bbb.ccc.ggg.137: udp 50
00:06:41.497771 aaa.bbb.ccc.ggg > 192.168.0.1: icmp: aaa.bbb.ccc.ggg udp port 137 unreachable

This activity goes on for about 40 minutes total to a number of other addresses, then a similar sequence repeats about 10 minutes later but only lasts a couple of minutes. About two hours later they repeat this again for a couple more minutes. I've seen the same activity from source addresses like 10.2.2.1. Maybe they're trying to guess our internal network numbers, but what would be the point? Can anyone suggest what might be going on?

Thanks,
David Meissner
Punch Networks
--
Randy Mclean
Security/Network Administrator
rmclean () natdoor com
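A small detector for the pattern in the quoted log, added here as an example and not code from anyone in the thread: it parses tcpdump UDP lines of the form shown above and reports RFC1918 source addresses that send UDP/137 probes to several hosts on the outside, which is exactly the traffic a border filter should never be passing. The 203.0.113.x destinations are constructed stand-ins for the masked aaa.bbb.ccc.* addresses.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample in the tcpdump format quoted in the thread; the masked
# aaa.bbb.ccc.* targets are replaced with documentation addresses (203.0.113.0/24).
SAMPLE_LOG = """\
00:06:26.478367 192.168.0.1.137 > 203.0.113.5.137: udp 50
00:06:27.951993 192.168.0.1.137 > 203.0.113.5.137: udp 50
00:06:32.475204 192.168.0.1.137 > 203.0.113.6.137: udp 50
00:06:32.475338 203.0.113.6 > 192.168.0.1: icmp: 203.0.113.6 udp port 137 unreachable
00:06:38.491738 192.168.0.1.137 > 203.0.113.7.137: udp 50
00:07:01.000000 10.2.2.1.137 > 203.0.113.9.137: udp 50
00:07:05.000000 198.51.100.20.1034 > 203.0.113.5.53: udp 40
"""

# Only the RFC1918 blocks the thread talks about, not ipaddress's wider
# is_private set (which would also match the documentation addresses).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

UDP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): udp (?P<len>\d+)$"
)

def is_rfc1918(addr):
    """True if addr falls inside 10/8, 172.16/12 or 192.168/16."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)

def parse_udp(line):
    """Return (ts, src, sport, dst, dport) for a tcpdump UDP line, else None.
    ICMP port-unreachable replies and anything else are skipped."""
    m = UDP_LINE.match(line.strip())
    if not m:
        return None
    return (m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))

def find_spoofed_netbios_sweeps(log_text, min_targets=2):
    """Group UDP/137 probes whose source is an RFC1918 address (which should
    never arrive from the Internet) and return {source: sorted distinct
    destinations} for sources that hit at least min_targets hosts."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_udp(line)
        if rec is None:
            continue
        _ts, src, _sport, dst, dport = rec
        if dport == 137 and is_rfc1918(src):
            targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}
```

Running it on the sample reports 192.168.0.1 sweeping three hosts; lowering `min_targets` to 1 also surfaces the single 10.2.2.1 probe.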