Security Incidents mailing list archives
Re: Port 109 Scans
From: spb () MESHUGGENEH NET (Stephen P. Berry)
Date: Wed, 10 May 2000 00:53:39 -0700
I wrote:
Notice that the IP ID changes from the packet sent to x.y.z.n and the packets sent to x.y.z.{n+4}, but the same ID is used for both of the packets sent to x.y.z.{n+4}. In addition, the same TCP sequence number is found on the packet sent to x.y.z.n and the second one sent to x.y.z.{n+4}. I've observed this from sensors on a couple of different networks, so this isn't a single hiccup.
I pulled together all the data I have on the foo:0 > bar:109 scans over the past couple days. Looking at it, it's obvious that what I was describing above is the result of two separate scans with the same source address, directed at the same destination networks. There are gaps in both scans, and when the same destination address is hit by both, they're staggered by about a minute. Both the IP ID and the TCP sequence number remain constant in each scan.
-Steve
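The separation described in this message, as an added example that is not part of the original post: because the IP ID and TCP sequence number stay constant within each scan, grouping sensor records by (source, IP ID, sequence number) splits interleaved scans from one source address, and the per-destination time difference shows the stagger. The record layout, addresses, values and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (not data from the post):
# (time in seconds, source, destination, src port, dst port, IP ID, TCP seq)
PACKETS = [
    (0,  "192.0.2.10",  "198.51.100.1", 0,     109, 0x1234, 0x0A0B0C0D),
    (2,  "192.0.2.10",  "198.51.100.2", 0,     109, 0x1234, 0x0A0B0C0D),
    (6,  "192.0.2.10",  "198.51.100.5", 0,     109, 0x1234, 0x0A0B0C0D),
    (61, "192.0.2.10",  "198.51.100.1", 0,     109, 0x9999, 0x01020304),
    (67, "192.0.2.10",  "198.51.100.5", 0,     109, 0x9999, 0x01020304),
    (69, "192.0.2.10",  "198.51.100.6", 0,     109, 0x9999, 0x01020304),
    (70, "203.0.113.7", "198.51.100.5", 40000, 80,  0x0042, 0x55555555),
]


def split_scans(packets, sport=0, dport=109, min_targets=2):
    """Group matching probes by (source, IP ID, TCP seq).

    A group whose constant ID/seq pair reaches at least `min_targets`
    distinct destinations is reported as one scan.
    """
    groups = defaultdict(list)
    for ts, src, dst, sp, dp, ipid, seq in packets:
        if sp == sport and dp == dport:
            groups[(src, ipid, seq)].append((ts, dst))
    return {
        key: sorted(hits)
        for key, hits in groups.items()
        if len({dst for _, dst in hits}) >= min_targets
    }


def stagger(scan_a, scan_b):
    """Seconds between the first hit of each scan on shared destinations."""
    first_a, first_b = {}, {}
    for ts, dst in scan_a:          # scans are time-sorted, so setdefault
        first_a.setdefault(dst, ts)  # keeps the earliest hit per destination
    for ts, dst in scan_b:
        first_b.setdefault(dst, ts)
    return {d: first_b[d] - first_a[d] for d in first_a.keys() & first_b.keys()}


if __name__ == "__main__":
    scans = split_scans(PACKETS)
    for (src, ipid, seq), hits in scans.items():
        print(f"{src} id={ipid:#06x} seq={seq:#010x}: {len(hits)} probes")
    first, second = list(scans.values())
    print("stagger on shared targets:", stagger(first, second))
```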
Current thread:
- Re: Port 109 Scans Ed Padin (May 08)
- <Possible follow-ups>
- Re: Port 109 Scans Eric Maiwald (May 08)
- Re: Port 109 Scans Security Guru (May 09)
- Re: Port 109 Scans Stephen P. Berry (May 09)
- Re: Port 109 Scans Stephen P. Berry (May 10)