Security Incidents mailing list archives
Re: Scan combining internal/external
From: Rich Puhek <rpuhek () etnsystems com>
Date: Tue, 26 Feb 2002 14:14:18 -0600
"Stephen W. Thompson" wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yesterday afternoon I saw apparently-coordinated scans which absolutely confuse me. I'd appreciate hearing from anyone who has seen anything similar or who has a likely explanation.

First, I have my main machine which has Linux with an ipchains firewall. On the same subnet I have a Linux box with a non-recent Snort IDS configuration monitoring the subnet. The logs below show:

1) My ipchains logs showing several of *our* machines from diverse subnets making from 1 to 6 connection attempts to *my* personal machine, the first at 15:18, then a bunch from 16:29 to 16:31:50. All but the first have source port tcp/6667 to various destination ports.

2) Snort logs revealing a scan by an external IP of many machines on my subnet, source and destination ports tcp/6667, lasting from 16:31:46 to 16:31:47.
Are you ingress filtering? (Does your router block incoming packets with source IP address = your subnets?) If not, I'd suggest doing so. ipchains is fine and good, but ingress filtering will prevent bad guys from pretending to be from your network.

Could be the attacker is not real sophisticated, and is doing something like:

nmap -sS -g 6667 -Dyour_ip_1,your_ip_2,your_ip_3 your_target_machine

which is really pretty pointless, since you've easily identified the source of the scan...

_________________________________________________________
Rich Puhek
ETN Systems Inc.
_________________________________________________________

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
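The two observations in the reply, that a border router doing ingress filtering would never let packets with your own subnet as source in from outside, and that a decoy scan (nmap -g <port> -D <decoys>) leaves a recognisable fingerprint in the firewall log (one fixed source port, several distinct sources, a burst of a few seconds against one target), can both be checked mechanically against ipchains "Packet log:" lines. The script below is an added example, not code from either poster or from the list; the log lines are constructed to mimic the ipchains kernel log layout, and the addresses, the internal prefix 192.0.2.0/24 and the interface name eth0 are assumptions, not values from the thread.

```python
"""Flag spoofed-internal sources and decoy-scan patterns in ipchains logs.

Added example, not from the original thread. Sample lines are constructed
in the ipchains kernel 'Packet log:' format; the prefix, interface name
and addresses are assumptions.
"""
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumption: "our" subnet
EXTERNAL_IFACE = "eth0"                                  # assumption: outside-facing NIC

# Constructed sample log: three "internal" decoys plus one outside host, all
# with source port 6667 against one target within two seconds, then an
# unrelated single connection attempt later.
SAMPLE_LOG = """\
Feb 25 16:29:40 host kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.17:6667 192.0.2.5:22 L=40 S=0x00 I=54321 F=0x0000 T=48 SYN (#4)
Feb 25 16:29:41 host kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.33:6667 192.0.2.5:23 L=40 S=0x00 I=54322 F=0x0000 T=48 SYN (#4)
Feb 25 16:29:41 host kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.9:6667 192.0.2.5:80 L=40 S=0x00 I=54323 F=0x0000 T=48 SYN (#4)
Feb 25 16:29:42 host kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.71:6667 192.0.2.5:111 L=40 S=0x00 I=54324 F=0x0000 T=48 SYN (#4)
Feb 25 16:45:00 host kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.4:40112 192.0.2.5:25 L=40 S=0x00 I=9001 F=0x0000 T=52 SYN (#4)
"""

# syslog timestamp, host, then the ipchains fields up to dst:dport
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse(text):
    """Return one dict per parseable ipchains log line (others are skipped)."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")  # no year in syslog
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def spoofed_internal(records):
    """Packets that arrived on the outside interface claiming an internal source.

    With ingress filtering at the border these never reach the host; seeing
    them at all means the router is not doing it.
    """
    return [r for r in records if r["iface"] == EXTERNAL_IFACE and is_internal(r["src"])]


def decoy_scan_candidates(records, window_seconds=5, min_sources=3):
    """Group by (dst, sport) and look for several distinct sources in a short burst.

    A fixed source port shared by several sources is what nmap -g <port>
    -D <decoys> produces. Sources outside our prefix are reported as the
    likely real origin, since the internal ones are either decoys or would
    have been dropped by ingress filtering.
    """
    groups = defaultdict(list)
    for r in records:
        groups[(r["dst"], r["sport"])].append(r)

    hits = []
    for (dst, sport), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        best = set()
        for i, first in enumerate(recs):  # widest burst starting at each record
            srcs = {r["src"] for r in recs[i:]
                    if (r["ts"] - first["ts"]).total_seconds() <= window_seconds}
            if len(srcs) > len(best):
                best = srcs
        if len(best) >= min_sources:
            hits.append({
                "dst": dst,
                "sport": sport,
                "sources": sorted(str(s) for s in best),
                "likely_real": sorted(str(s) for s in best if not is_internal(s)),
            })
    return hits


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for r in spoofed_internal(recs):
        print("spoofed internal source on", r["iface"], r["src"], "->", r["dst"], r["dport"])
    for h in decoy_scan_candidates(recs):
        print("decoy-scan pattern:", h)
```

Run against a real ipchains log the thresholds will need tuning (a busy IRC server at port 6667 legitimately produces many source-port-6667 packets), but the spoofed_internal check is unconditional: any packet on the outside interface with an inside source is either spoofed or a routing mistake, and a border ingress rule should be dropping it before the host ever logs it.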
Current thread:
- Scan combining internal/external Stephen W. Thompson (Feb 26)
- Re: Scan combining internal/external Rich Puhek (Feb 26)