nanog mailing list archives
Re: Customer-facing ACLs
From: Justin Shore <justin () justinshore com>
Date: Sat, 08 Mar 2008 12:27:37 -0600
It varies widely. I see some extremely slow scans (1 SYN every 2-5 minutes). This is what someone on the SANS ISC page mentioned I believe.
I've also seen scans last for up to 10 minutes. The consistency of the speeds made me think that perhaps the scanning computer was on a slow link.
The worst scans are the ones that last a second or two and hit us with a SYN for every IP in our allocations. That kind of scan and its flood of packets is the one that I don't think I can stop without some sort of QoS.
I've seen coordinated scans with everything from 2 to about a dozen different hosts scanning seemingly random IPs across our network. I know it's coordinated though because together they hit every IP but never hit the same IP by more than one scanner.
I've seen scans that clearly learn where the accessible SSH daemons are, that then feed this info back to the puppet master so he can command a different compromised host (or hosts) to then handle the attacks. I've also seen a scanner first scan our network and then immediately start pounding on the accessible daemons. Finally I've seen the scanner stop its scan in mid-stream, pound on an accessible daemon for a while with a pre-defined set of userids and then continue on with the scans.
Clearly there's some variation in the scanning methods.
Justin
Frank Bulk wrote:
The last few spam incidents I measured an outflow of about 2 messages per second. Does anyone know how aggressive Telnet and SSH scanning is? Even if it was greater, it's my guess there are many more hosts spewing spam than there are running abusive telnet and SSH scans.
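The coordinated pattern described in the message above (several hosts that together hit every IP, with no IP hit by more than one scanner) can be checked for in flow or firewall logs. This is an added example, not part of the original post; the record format, function name, thresholds and addresses are assumptions, the sample records are constructed, and the input is assumed to be already limited to one time window.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from itertools import combinations


def coordinated_scan(syns, prefix, port=22, min_targets=4, min_coverage=0.9):
    """Return (sorted sources, coverage) when several sources split `prefix`
    between them with no destination probed twice, else None.

    syns: iterable of (src_ip, dst_ip, dst_port) for inbound SYNs (assumed format).
    """
    net = ip_network(prefix)
    targets = defaultdict(set)
    for src, dst, dport in syns:
        if dport == port and ip_address(dst) in net:
            targets[src].add(dst)

    # Sources touching only a few hosts are treated as ordinary clients.
    scanners = {s: d for s, d in targets.items() if len(d) >= min_targets}
    if len(scanners) < 2:
        return None  # a single scanner is not a coordinated group

    # Coordination signature: the scanners' destination sets never overlap ...
    if any(a & b for a, b in combinations(scanners.values(), 2)):
        return None

    # ... yet together they cover (nearly) the whole allocation.
    covered = set().union(*scanners.values())
    coverage = len(covered) / net.num_addresses
    if coverage < min_coverage:
        return None
    return sorted(scanners), coverage


# Constructed sample: three sources share out a /28 (documentation ranges),
# plus one ordinary client connecting to a single host.
SCANNERS = ["198.51.100.10", "198.51.100.20", "203.0.113.5"]
SAMPLE = [(SCANNERS[i % 3], f"192.0.2.{i}", 22) for i in range(16)]
SAMPLE.append(("203.0.113.77", "192.0.2.4", 22))

if __name__ == "__main__":
    print(coordinated_scan(SAMPLE, "192.0.2.0/28"))
```

For the very slow scans mentioned in the message, the window feeding this check would have to span hours rather than seconds.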