Security Incidents mailing list archives
Automated, Distributed Port Scan
From: ellidz () ERIDU UCHICAGO EDU (E. Larry Lidz)
Date: Mon, 8 May 2000 14:30:21 -0500
We seem to have been the victims of what appears to be an automated distributed port scan. Over the weekend we were scanned for Netbus by 30 (or so) different machines. We have confirmed that there was two-way TCP traffic to at least one host on our network, so we do not believe that the source was spoofed.

Each scan scanned a different set of machines on our network. From a quick look, there appears to have been little to no overlap (that is, machine A was not scanned from any two different sources).

Looking at the times and the source of the scans, most of the scans lasted almost exactly 20 minutes -- this makes me think that it is likely automated. Sometimes there were pauses between the scans, sometimes there weren't.

The scans came from a variety of sites, but generally standard targets -- ISPs, Brazil, Korea, Austria, etc.

-Larry

---
E. Larry Lidz                    Phone: (773)702-2208
Network Security Officer         Fax: (773)702-0559
Network Security Center, The University of Chicago
PGP: finger ellidz () uchicago edu or network-security () uchicago edu
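The two signals the post describes (target sets that do not overlap between sources, and scan windows of near-identical length) can be checked over connection logs. The following is an added example, not part of the original post; the record layout, function names, sample addresses and the use of TCP 12345 (NetBus's default port) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations
from statistics import median

NETBUS_PORT = 12345  # assumption: NetBus default TCP port

def per_source(records, port=NETBUS_PORT):
    """Group probes to `port` by source: targets hit, first and last seen."""
    stats = defaultdict(lambda: {"targets": set(), "first": None, "last": None})
    for ts, src, dst, dport in records:
        if dport != port:
            continue
        s = stats[src]
        s["targets"].add(dst)
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return dict(stats)

def coordination_report(records, port=NETBUS_PORT, min_targets=5):
    """Summarise the two signals from the post: target overlap and scan duration."""
    scanners = {s: v for s, v in per_source(records, port).items()
                if len(v["targets"]) >= min_targets}
    overlap = sum(len(a["targets"] & b["targets"])
                  for a, b in combinations(scanners.values(), 2))
    minutes = [(v["last"] - v["first"]).total_seconds() / 60 for v in scanners.values()]
    med = median(minutes) if minutes else 0.0
    return {
        "sources": len(scanners),
        "targets": len(set().union(*(v["targets"] for v in scanners.values()))),
        "overlapping_targets": overlap,  # 0 means every source had its own slice
        "median_minutes": med,
        "max_deviation_minutes": max((abs(m - med) for m in minutes), default=0.0),
    }

def sample_records():
    """Constructed data: 3 sources, each sweeping its own address slice for 20 min."""
    t0 = datetime(2000, 5, 6, 1, 0, 0)
    recs = []
    for i, src in enumerate(["192.0.2.10", "198.51.100.20", "203.0.113.30"]):
        start = t0 + timedelta(minutes=25 * i)
        for j in range(11):  # 11 probes, 2 minutes apart -> 20 minutes
            recs.append((start + timedelta(minutes=2 * j), src,
                         f"10.0.{i}.{j + 1}", NETBUS_PORT))
    recs.append((t0, "192.0.2.99", "10.0.0.1", 80))  # unrelated traffic, ignored
    return recs

if __name__ == "__main__":
    print(coordination_report(sample_records()))
```

Many sources with zero overlapping targets and a tight spread around one duration point to a single coordinator dividing the address space, rather than unrelated scanners that happen to coincide.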