Security Incidents mailing list archives

Re: Port 109 Scans


From: spb () MESHUGGENEH NET (Stephen P. Berry)
Date: Wed, 10 May 2000 00:53:39 -0700


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I wrote:

Notice that the IP ID changes from the packet sent to x.y.z.n and
the packets sent to x.y.z.{n+4}, but the same ID is used for both
of the packets sent to x.y.z.{n+4}.  In addition, the same TCP
sequence number is found on the packet sent to x.y.z.n and the second
one sent to x.y.z.{n+4}.  I've observed this from sensors on a couple
of different networks, so this isn't a single hiccup.

I pulled together all the data I have on the foo:0 > bar:109 scans
over the past couple days.  Looking at it, it's obvious that what I
was describing above is the result of two separate scans with the
same source address, directed at the same destination networks.  There
are gaps in both scans, and when the same destination address is hit
by both, they're staggered by about a minute.  Both the IP ID and the
TCP sequence number remain constant in each scan.

- -Steve

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE5GRVeG3kIaxeRZl8RAvLfAKCckK+4CSZE/cxffMIFud2mQuYsNQCg9UDl
D678rWnQmvgY6gHwx14T4V8=
=LR9W
-----END PGP SIGNATURE-----
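
The separation described in the message above, as an added example that is not part of the original post: packets are grouped by source address, IP ID and TCP sequence number, which the message reports as constant within each scan, and the gaps in each scan and the stagger between scans are then computed. The addresses, IDs, sequence numbers and timestamps are constructed sample values, and the function names are this example's own.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample records (not from the original post):
# (epoch seconds, source, destination, IP ID, TCP sequence number),
# all from source port 0 to destination port 109.
PACKETS = [
    (1000, "192.0.2.10", "198.51.100.1", 0x1234, 0x0A0B0C0D),
    (1001, "192.0.2.10", "198.51.100.2", 0x1234, 0x0A0B0C0D),
    (1003, "192.0.2.10", "198.51.100.5", 0x1234, 0x0A0B0C0D),
    (1061, "192.0.2.10", "198.51.100.2", 0x5678, 0x11223344),
    (1062, "192.0.2.10", "198.51.100.3", 0x5678, 0x11223344),
    (1064, "192.0.2.10", "198.51.100.5", 0x5678, 0x11223344),
]

def split_scans(packets):
    """Group packets into scans keyed by (source, IP ID, TCP seq)."""
    scans = defaultdict(dict)
    for ts, src, dst, ip_id, seq in packets:
        # Keep the first time each destination was seen in this scan.
        scans[(src, ip_id, seq)].setdefault(dst, ts)
    return dict(scans)

def gaps(scan):
    """Addresses between the lowest and highest target that were skipped."""
    hit = sorted(int(ip_address(d)) for d in scan)
    missing = set(range(hit[0], hit[-1] + 1)) - set(hit)
    return [str(ip_address(n)) for n in sorted(missing)]

def stagger(scan_a, scan_b):
    """Seconds between the two scans for each destination hit by both."""
    shared = sorted(scan_a.keys() & scan_b.keys())
    return {d: scan_b[d] - scan_a[d] for d in shared}

if __name__ == "__main__":
    scans = split_scans(PACKETS)
    for (src, ip_id, seq), scan in scans.items():
        print(f"{src} id={ip_id:#06x} seq={seq:#010x} "
              f"targets={len(scan)} gaps={gaps(scan)}")
    a, b = scans.values()
    print("stagger (s):", stagger(a, b))
```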

