Security Incidents mailing list archives
Re: Port 109 Scans
From: spb () MESHUGGENEH NET (Stephen P. Berry)
Date: Tue, 9 May 2000 19:59:32 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ed Padin writes:

> I've seen many of the scans have a source port of 0. Has anyone else seen the same?
Yes. I've been seeing a number of scans with the following characteristics:

-Fixed ports. Source port is always 0, destination port is always 109
-Sequential. Scan advances sequentially across a 24 bit network[0]
-Slow. On a single 24 bit subnet, several minutes pass between packets
-Interleaved. Multiple networks are being scanned simultaneously by individual hosts
-Redundant. Several source addresses exhibiting similar behaviour have been observed
-Crafted. Well, obviously the packets being sent are crafted.

The interesting things I've noticed are:

-Both the SYN and FIN flags are always set
-Identical IP IDs are used by multiple packets
-TCP sequence number remains constant for long periods, but only for some scanning hosts.

For example, earlier today I saw:

957897140.489011 a.b.c.d.0 > x.y.z.n.109: SF 1462829056:1462829056(0) win 512
        4500 0028 5c01 0000 ..06 .... .... ....
        .... .... 0000 006d 5731 0000 0000 0000
        5003 0200 .... 0000 0000 0000 0000

...and then, hours later...

957902290.082516 a.b.c.d.0 > x.y.z.{n+4}.109: SF 1412497408:1412497408(0) win 512
        4500 0028 2304 0000 ..06 .... .... ....
        .... .... 0000 006d 5431 0000 0000 0000
        5003 0200 .... 0000 0000 0000 0000
957902343.276762 a.b.c.d.0 > x.y.z.{n+4}.109: SF 1462829056:1462829056(0) win 512
        4500 0028 2304 0000 ..06 .... .... ....
        .... .... 0000 006d 5731 0000 0000 0000
        5003 0200 .... 0000 0000 0000 0000

Notice that the IP ID changes from the packet sent to x.y.z.n and the packets sent to x.y.z.{n+4}, but the same ID is used for both of the packets sent to x.y.z.{n+4}. In addition, the same TCP sequence number is found on the packet sent to x.y.z.n and the second one sent to x.y.z.{n+4}.

I've observed this from sensors on a couple of different networks, so this isn't a single hiccup.

- -Steve

- -----
0 At least that's what it looks like from here. It's possible that larger address spaces are being sequentially searched and I just don't have sensors in the places where it's happening.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE5GNBKG3kIaxeRZl8RApXLAKDQgda7CRYNBWEUSZfjKhQQYLHZ6gCcCCPX
RWuT2LtVYviAXBPheIExbIs=
=fn01
-----END PGP SIGNATURE-----
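The profile Steve lays out (source port 0, destination port 109, SYN and FIN both set, window 512, IP IDs and sequence numbers reused across packets) can be checked mechanically against tcpdump output rather than by eye. What follows is an added example, not code from the post or from any tool named in this thread: it parses the old tcpdump summary-line-plus-hex layout quoted above, decodes IP ID, sequence number, flags and window from the hex words independently of the summary line, and reports per source host whether the traffic fits that profile and which values were reused. The addresses and host names in SAMPLE are constructed (the post redacts them); the hex words are laid out as in the post's dumps, with the words the post redacts left as "....", and any redacted field decodes to None rather than a guessed value.

```python
import re
from collections import defaultdict

# Constructed sample input (not from the post): three packets in the old
# tcpdump "summary line + -x hex dump" layout. Addresses/timestamps are
# made up; the hex words mirror the post's dumps, redacted words kept as "....".
SAMPLE = """\
957897140.489011 10.1.2.3.0 > 192.0.2.7.109: SF 1462829056:1462829056(0) win 512
        4500 0028 5c01 0000 ..06 .... .... ....
        .... .... 0000 006d 5731 0000 0000 0000
        5003 0200 .... 0000 0000 0000 0000
957902290.082516 10.1.2.3.0 > 192.0.2.11.109: SF 1412497408:1412497408(0) win 512
        4500 0028 2304 0000 ..06 .... .... ....
        .... .... 0000 006d 5431 0000 0000 0000
        5003 0200 .... 0000 0000 0000 0000
957902343.276762 10.1.2.3.0 > 192.0.2.11.109: SF 1462829056:1462829056(0) win 512
        4500 0028 2304 0000 ..06 .... .... ....
        .... .... 0000 006d 5731 0000 0000 0000
        5003 0200 .... 0000 0000 0000 0000
"""

SUMMARY = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>\S+) "
    r"(?P<seq>\d+):\d+\(\d+\) win (?P<win>\d+)$")
HEXLINE = re.compile(r"^[0-9a-f.]{4}( [0-9a-f.]{4})*$")
# Old tcpdump prints S, F, R, P in this order, or "." when none is set.
FLAG_BITS = ((0x02, "S"), (0x01, "F"), (0x04, "R"), (0x08, "P"))


def word(words, i):
    """16-bit value of hex word i, or None if that word was redacted ("....")."""
    return None if i >= len(words) or "." in words[i] else int(words[i], 16)


def decode_hex(words):
    """Pull IP ID, ports, seq, flags and window straight out of the header words."""
    ihl = int(words[0][1], 16)      # low nibble of byte 0: IP header length in 32-bit words
    t = ihl * 2                      # TCP header starts ihl*4 bytes = ihl*2 words in
    seq_hi, seq_lo = word(words, t + 2), word(words, t + 3)
    off_flags = word(words, t + 6)   # data offset nibble + reserved + 6 flag bits
    flags = None
    if off_flags is not None:
        bits = off_flags & 0x3F
        flags = "".join(ch for bit, ch in FLAG_BITS if bits & bit) or "."
    return {
        "ip_id": word(words, 2),
        "hex_sport": word(words, t), "hex_dport": word(words, t + 1),
        "hex_seq": None if None in (seq_hi, seq_lo) else (seq_hi << 16) | seq_lo,
        "hex_flags": flags,
        "hex_win": word(words, t + 7),
    }


def parse_dump(text):
    """Turn summary lines plus their following hex lines into packet dicts."""
    packets, words = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = SUMMARY.match(line)
        if m:
            if packets and words:
                packets[-1].update(decode_hex(words))
            words = []
            d = m.groupdict()
            for k in ("sport", "dport", "seq", "win"):
                d[k] = int(d[k])
            d["ts"] = float(d["ts"])
            packets.append(d)
        elif HEXLINE.match(line):
            words.extend(line.split())
    if packets and words:
        packets[-1].update(decode_hex(words))
    return packets


def profile(packets):
    """Per source host: fit against the post's signature plus IP ID / seq reuse."""
    by_src = defaultdict(list)
    for p in packets:
        by_src[p["src"]].append(p)
    report = {}
    for src, pkts in by_src.items():
        pkts.sort(key=lambda p: p["ts"])
        seen_id, seen_seq = defaultdict(int), defaultdict(int)
        for p in pkts:
            if p.get("ip_id") is not None:
                seen_id[p["ip_id"]] += 1
            seen_seq[p["seq"]] += 1
        gaps = [b["ts"] - a["ts"] for a, b in zip(pkts, pkts[1:])]
        r = {
            "packets": len(pkts),
            "fixed_ports": all(p["sport"] == 0 and p["dport"] == 109 for p in pkts),
            "all_syn_fin": all(p["flags"] == "SF" for p in pkts),
            # Hex-decoded seq/flags must agree with the summary line where not redacted.
            "hex_consistent": all(p.get("hex_seq") in (None, p["seq"])
                                  and p.get("hex_flags") in (None, p["flags"]) for p in pkts),
            "ipid_reuse": {i for i, n in seen_id.items() if n > 1},
            "seq_reuse": {s for s, n in seen_seq.items() if n > 1},
            "min_gap_s": round(min(gaps), 1) if gaps else None,
            "dsts": [p["dst"] for p in pkts],
        }
        r["matches_post"] = r["fixed_ports"] and r["all_syn_fin"] and len(pkts) > 1
        report[src] = r
    return report


if __name__ == "__main__":
    for src, r in profile(parse_dump(SAMPLE)).items():
        print(src, r)
```

Reading the hex the way decode_hex does confirms the summary lines: 5003 is data offset 5 with flag bits 0x03 (FIN|SYN), 0200 is window 512, 006d is port 109, and 5731 0000 is 0x57310000 = 1462829056. On a real capture the interesting output is the ipid_reuse and seq_reuse sets per source together with min_gap_s, which is what separates the slow, crafted pattern Steve describes from an ordinary stack retransmitting.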
Current thread:
- Re: Port 109 Scans Ed Padin (May 08)
- <Possible follow-ups>
- Re: Port 109 Scans Eric Maiwald (May 08)
- Re: Port 109 Scans Security Guru (May 09)
- Re: Port 109 Scans Stephen P. Berry (May 09)
- Re: Port 109 Scans Stephen P. Berry (May 10)