Security Incidents mailing list archives

Strange "port scans" from a spoofed IP

From: "Jon R. Kibler" <Jon.Kibler () aset04 aset com>
Date: Mon, 05 Nov 2001 18:37:04 -0500

Earlier today we started noticing a rather strange "port scan" from two different spoofed IP addresses. Both claim to 
originate from port 80 and have a fixed destination based upon originating IP, as follows:
   192.168.19.82 has destination port 11709
   192.168.19.81 has destination port 13607

The "scans" repeat every 61 seconds. They have been running non-stop since sometime late yesterday. Here is an example 
from snoop of the traffic in question:

150182 15:20:41.94425 192.168.19.82 -> US TCP D=11709 S=80     Ack=924387618 Seq=159745477 Len=1 Win=0
150183 15:20:41.94466 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
150206 15:20:50.21349 192.168.19.81 -> US TCP D=13607 S=80     Ack=915790864 Seq=2217637423 Len=1 Win=0
150207 15:20:50.21390 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
150283 15:21:42.90447 192.168.19.82 -> US TCP D=11709 S=80     Ack=924387618 Seq=159745477 Len=1 Win=0
150284 15:21:42.90488 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
150311 15:21:51.13106 192.168.19.81 -> US TCP D=13607 S=80     Ack=915790864 Seq=2217637423 Len=1 Win=0
150312 15:21:51.13147 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
150395 15:22:44.10400 192.168.19.82 -> US TCP D=11709 S=80     Ack=924387618 Seq=159745477 Len=1 Win=0
150396 15:22:44.10440 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
150404 15:22:52.08212 192.168.19.81 -> US TCP D=13607 S=80     Ack=915790864 Seq=2217637423 Len=1 Win=0
150405 15:22:52.08249 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
150442 15:23:44.87234 192.168.19.82 -> US TCP D=11709 S=80     Ack=924387618 Seq=159745477 Len=1 Win=0
150443 15:23:44.87276 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
150488 15:23:53.03809 192.168.19.81 -> US TCP D=13607 S=80     Ack=915790864 Seq=2217637423 Len=1 Win=0
150489 15:23:53.03850 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0
150763 15:24:45.75855 192.168.19.82 -> US TCP D=11709 S=80     Ack=924387618 Seq=159745477 Len=1 Win=0
150764 15:24:45.75894 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618 Len=0 Win=0
150809 15:24:54.00191 192.168.19.81 -> US TCP D=13607 S=80     Ack=915790864 Seq=2217637423 Len=1 Win=0
150810 15:24:54.00232 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864 Len=0 Win=0


Has anyone else seen something similar? Since this is clearly not a DOS attack, any idea what would be the purpose of 
such a scan?

Thanks for any and all help/comments.

Sincerely,
Jon R. Kibler
Systems Architect
Advanced Systems Engineering Technology, Inc.
Charleston, SC

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Strange "port scans" from a spoofed IP Jon R. Kibler (Nov 08)
- <Possible follow-ups>
- RE: Strange "port scans" from a spoofed IP NESTING, DAVID M (SBCSI) (Nov 08)
- RE: Strange "port scans" from a spoofed IP Keith.Morgan (Nov 09)
  - RE: Strange "port scans" from a spoofed IP Jason Robertson (Nov 12)