Security Incidents mailing list archives
Re: Scans From 192.168.0.134
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Fri, 2 Feb 2001 11:24:11 +1300
On Thu, 1 Feb 2001 10:29:57 -0500 "Douglas P. Brown" <Doug () UNC EDU> wrote:
We are somewhat perplexed - Our IDS reported 8000+ SYN FIN scans from a non-routable address (192.168.0.134) to thousands of our hosts yesterday. Our IDS setup is only seeing traffic that traverses our main router. Has anyone seen this before? Am I missing something? Any advice or direction you can offer would be greatly appreciated.
hmmm... I've not seen SF scans from these addresses, however I do see a whole lot of netbios scans (from trojans) with addresses in reserved ranges:

[10.0.0.1] -- hosts 35, times 33, frags 0 udp-137
[10.0.0.2] -- hosts 44, times 40, frags 0 udp-137
[10.0.0.3] -- hosts 14, times 14, frags 0 udp-137
[10.0.0.10] -- hosts 20, times 20, frags 0 udp-137
[192.168.0.1] -- hosts 420, times 151, frags 0 udp-53,udp-137
[192.168.0.2] -- hosts 81, times 64, frags 0 udp-137
[192.168.0.3] -- hosts 38, times 39, frags 0 udp-53,udp-137
[192.168.0.4] -- hosts 46, times 19, frags 0 udp-137
[192.168.1.1] -- hosts 38, times 37, frags 0 udp-137

I've always assumed that these came from networks with misconfigured border filters or NAT (maybe ones that don't filter or translate UDP). In your case, since these are SYN+FIN packets, maybe they went straight through *their* firewall and did not get translated because of the illegal flag combination. This is why crackers use SF packets.

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
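The two symptoms discussed in this thread, an illegal SYN+FIN flag combination and a source address from an RFC 1918 range arriving at the border, can be pulled out of a sensor log and summarised per source in the same "[addr] -- hosts N, times N" shape Russell uses above. The following is an added example, not code from anyone in the thread; the log format and all sample records are constructed for it.

```python
# Added example: flag border-sensor records with the illegal SYN+FIN
# combination or an RFC 1918 source, summarised per source. Constructed log format.
import ipaddress
from collections import defaultdict

# RFC 1918 ranges: nothing from these should arrive on the Internet side.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log, one record per line: "src dst proto dport flags"
SAMPLE_LOG = """\
192.168.0.134 130.1.1.10 tcp 21 SF
192.168.0.134 130.1.1.11 tcp 21 SF
192.168.0.134 130.1.1.11 tcp 53 SF
10.0.0.1 130.1.1.20 udp 137 -
198.51.100.7 130.1.1.10 tcp 80 S
203.0.113.9 130.1.1.30 tcp 443 SF
"""

def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

def classify(proto, flags, src):
    """Reasons a record is suspicious (empty list if none)."""
    reasons = []
    if proto == "tcp" and {"S", "F"} <= set(flags):
        reasons.append("syn+fin")      # illegal flag combination
    if is_private(src):
        reasons.append("private-src")  # should have been filtered or NATed
    return reasons

def summarise(log_text):
    acc = defaultdict(lambda: {"hosts": set(), "times": 0,
                               "ports": set(), "reasons": set()})
    for line in log_text.splitlines():
        src, dst, proto, dport, flags = line.split()
        reasons = classify(proto, flags, src)
        if not reasons:
            continue                   # ordinary traffic, not reported
        s = acc[src]
        s["hosts"].add(dst)            # distinct targets seen from this source
        s["times"] += 1                # total packets from this source
        s["ports"].add(f"{proto}-{dport}")
        s["reasons"].update(reasons)
    return {src: {"hosts": len(s["hosts"]), "times": s["times"],
                  "ports": sorted(s["ports"]), "reasons": sorted(s["reasons"])}
            for src, s in acc.items()}
```

`summarise(SAMPLE_LOG)` returns one entry per flagged source; a private source that is also sending SYN+FIN carries both reasons, which is the pattern the original post describes.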