Security Incidents mailing list archives

RE: Strange "port scans" from a spoofed IP


From: "NESTING, DAVID M (SBCSI)" <dn3723 () sbc com>
Date: Thu, 8 Nov 2001 13:44:54 -0600

Are you sure these are not responses to *outbound* HTTP requests to a
malfunctioning load-balancing system?

It looks to me like you have two source ports originating connections to
some web server farm, and that web server farm is trying to respond from one
of its internal IP addresses instead of the external IP address you're
connecting to.

It's certainly possible this is some kind of obscure attack, but I have seen
this behavior before (and multiple times on this mailing list), so I'd look
to that as a possible explanation.  Maybe you have a web page open that's
trying to refresh two banner advertisements once a minute?

David

-----Original Message-----
From: Jon R. Kibler [mailto:Jon.Kibler () aset04 aset com]
Sent: Monday, November 05, 2001 5:37 PM
To: incidents () securityfocus com
Subject: Strange "port scans" from a spoofed IP


Earlier today we started noticing a rather strange "port scan" from two
different spoofed IP addresses. Both claim to originate from port 80 and
have a fixed destination based upon originating IP, as follows:
   192.168.19.82 has destination port 11709
   192.168.19.81 has destination port 13607

The "scans" repeat every 61 seconds. They have been running non-stop since
sometime late yesterday. Here is an example from snoop of the traffic in
question:

150182 15:20:41.94425 192.168.19.82 -> US TCP D=11709 S=80     Ack=924387618
Seq=159745477 Len=1 Win=0
150183 15:20:41.94466 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618
Len=0 Win=0
150206 15:20:50.21349 192.168.19.81 -> US TCP D=13607 S=80     Ack=915790864
Seq=2217637423 Len=1 Win=0
150207 15:20:50.21390 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864
Len=0 Win=0
150283 15:21:42.90447 192.168.19.82 -> US TCP D=11709 S=80     Ack=924387618
Seq=159745477 Len=1 Win=0
150284 15:21:42.90488 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618
Len=0 Win=0
150311 15:21:51.13106 192.168.19.81 -> US TCP D=13607 S=80     Ack=915790864
Seq=2217637423 Len=1 Win=0
150312 15:21:51.13147 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864
Len=0 Win=0
150395 15:22:44.10400 192.168.19.82 -> US TCP D=11709 S=80     Ack=924387618
Seq=159745477 Len=1 Win=0
150396 15:22:44.10440 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618
Len=0 Win=0
150404 15:22:52.08212 192.168.19.81 -> US TCP D=13607 S=80     Ack=915790864
Seq=2217637423 Len=1 Win=0
150405 15:22:52.08249 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864
Len=0 Win=0
150442 15:23:44.87234 192.168.19.82 -> US TCP D=11709 S=80     Ack=924387618
Seq=159745477 Len=1 Win=0
150443 15:23:44.87276 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618
Len=0 Win=0
150488 15:23:53.03809 192.168.19.81 -> US TCP D=13607 S=80     Ack=915790864
Seq=2217637423 Len=1 Win=0
150489 15:23:53.03850 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864
Len=0 Win=0
150763 15:24:45.75855 192.168.19.82 -> US TCP D=11709 S=80     Ack=924387618
Seq=159745477 Len=1 Win=0
150764 15:24:45.75894 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618
Len=0 Win=0
150809 15:24:54.00191 192.168.19.81 -> US TCP D=13607 S=80     Ack=915790864
Seq=2217637423 Len=1 Win=0
150810 15:24:54.00232 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864
Len=0 Win=0


Has anyone else seen something similar? Since this is clearly not a DOS
attack, any idea what would be the purpose of such a scan?

Thanks for any and all help/comments.

Sincerely,
Jon R. Kibler
Systems Architect
Advanced Systems Engineering Technology, Inc.
Charleston, SC

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
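The pattern David describes (fixed port pairs, the same segment repeating on a timer, and a RST from our side every time) can be checked mechanically rather than by eyeballing the snoop output. The following is an added example, not code from either poster: a small parser for the wrapped snoop summary lines quoted in the original message, plus a heuristic that records the traits separating a scan from a stray server reply. The sample input is the first three rounds of Jon's snoop output; the host name "US" for the local side and the verdict rule are assumptions of this example, following David's load-balancer explanation.

```python
import re
from collections import defaultdict
from statistics import mean

# Snoop records quoted from the original post (first three rounds, wrapped as in the mail).
SNOOP_LOG = """\
150182 15:20:41.94425 192.168.19.82 -> US TCP D=11709 S=80     Ack=924387618
Seq=159745477 Len=1 Win=0
150183 15:20:41.94466 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618
Len=0 Win=0
150206 15:20:50.21349 192.168.19.81 -> US TCP D=13607 S=80     Ack=915790864
Seq=2217637423 Len=1 Win=0
150207 15:20:50.21390 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864
Len=0 Win=0
150283 15:21:42.90447 192.168.19.82 -> US TCP D=11709 S=80     Ack=924387618
Seq=159745477 Len=1 Win=0
150284 15:21:42.90488 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618
Len=0 Win=0
150311 15:21:51.13106 192.168.19.81 -> US TCP D=13607 S=80     Ack=915790864
Seq=2217637423 Len=1 Win=0
150312 15:21:51.13147 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864
Len=0 Win=0
150395 15:22:44.10400 192.168.19.82 -> US TCP D=11709 S=80     Ack=924387618
Seq=159745477 Len=1 Win=0
150396 15:22:44.10440 US -> 192.168.19.82 TCP D=80 S=11709 Rst Seq=924387618
Len=0 Win=0
150404 15:22:52.08212 192.168.19.81 -> US TCP D=13607 S=80     Ack=915790864
Seq=2217637423 Len=1 Win=0
150405 15:22:52.08249 US -> 192.168.19.81 TCP D=80 S=13607 Rst Seq=915790864
Len=0 Win=0
"""

RECORD_RE = re.compile(
    r"^\d+\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+) -> (?P<dst>\S+) "
    r"TCP D=(?P<dport>\d+) S=(?P<sport>\d+)\s*(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\d+)")

def _unwrap(text):
    """Rejoin records wrapped by the mail client: a line without a leading
    packet number and timestamp continues the record above it."""
    records = []
    for line in text.splitlines():
        if re.match(r"\d+\s+\d\d:\d\d:", line):
            records.append(line.strip())
        elif line.strip() and records:
            records[-1] += " " + line.strip()
    return records

def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse_snoop(text):
    """Turn snoop summary lines into dicts: timestamp, 4-tuple, flag words, numeric fields."""
    out = []
    for line in _unwrap(text):
        m = RECORD_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        rec = {"t": _seconds(m.group("ts")), "src": m.group("src"), "dst": m.group("dst"),
               "sport": int(m.group("sport")), "dport": int(m.group("dport")),
               "flags": {tok for tok in rest.split() if "=" not in tok}}
        rec.update({k: int(v) for k, v in FIELD_RE.findall(rest)})
        out.append(rec)
    return out

def analyze_flows(records, local="US"):
    """Group inbound packets per 4-tuple and note the traits that separate a probe from
    a stray server reply: identical Seq/Ack on every repeat, no SYN, source port 80,
    periodic timing, and a RST from our side each time (heuristic assumed here)."""
    inbound, rst_from_local = defaultdict(list), set()
    for r in records:
        if r["dst"] == local:
            inbound[(r["src"], r["sport"], r["dst"], r["dport"])].append(r)
        elif r["src"] == local and "Rst" in r["flags"]:
            rst_from_local.add((r["dst"], r["dport"], r["src"], r["sport"]))  # inbound key it answers
    report = {}
    for key, pkts in inbound.items():
        pkts.sort(key=lambda p: p["t"])
        gaps = [b["t"] - a["t"] for a, b in zip(pkts, pkts[1:])]
        traits = {"packets": len(pkts),
                  "mean_interval": round(mean(gaps), 3) if gaps else None,
                  "same_segment": len({(p.get("Seq"), p.get("Ack")) for p in pkts}) == 1,
                  "no_syn": not any("Syn" in p["flags"] for p in pkts),
                  "from_port_80": key[1] == 80,
                  "answered_with_rst": key in rst_from_local}
        # A scanner varies ports or sequence numbers; a server retransmitting a reply for a
        # connection we hold no state for sends the same segment and draws a RST every time.
        stray = all(traits[k] for k in ("same_segment", "no_syn", "from_port_80", "answered_with_rst"))
        traits["verdict"] = "stray server reply, not a scan" if stray else "needs review"
        report[key] = traits
    return report

if __name__ == "__main__":
    for key, traits in analyze_flows(parse_snoop(SNOOP_LOG)).items():
        print("%s:%d -> %s:%d %s" % (key + (traits,)))
```

Run on the quoted rounds, both flows come out with a mean interval of about 61 seconds, one unchanging Seq/Ack pair, no SYN, and a RST answer each time, which is the signature of a retransmitted reply rather than a probe. The same script can be pointed at a longer snoop capture; the unwrap step is only needed because the mail client folded each record onto two lines.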
