Re: Receiving constant hits from random hosts

From: Jeffrey Denton (dentonj@c2i2.com)
Date: 07/10/02


Date: Wed, 10 Jul 2002 07:47:40 -0700 (MST)
From: Jeffrey Denton <dentonj@c2i2.com>
To: focus-linux@securityfocus.com

On Sat, 6 Jul 2002, Adam Young wrote:

> I get this above scan, along with scans on default 1080/3128(or whatever
> squids port is), and all of these are hourly, almost as if someone has
> setup a cron job to scan my system on the hour each hour. Is this
> normal? I've never seen it so prevalent in my system logs, so I figured
> I'd post. Any ideas or comments would be greatly appreciated.

It looks like someone is scanning for proxies. If the scans seem to be coming from
all over the place, then most likely the individual is spoofing the source IPs.
In that case, there's not much you can do about it other than block those ports.
If the above IPs are valid, then it's possible that someone r00t'd a broadband
host (very likely) and is looking for more broadband hosts to compromise.
Someone who is scanning that often is going to get caught sooner than later
because of the amount of noise and traffic they are generating.

The only way to really tell if an IP is not spoofed is to look at the TTL. The
default TTLs are usually 32, 64, 128, or 255. The default setting will vary
depending on the OS and can even be manually changed (this is done very rarely).
There are a few places that list what the default TTLs are for the various OSes.
Looking at those scans I would assume that the default TTL that the source is
using is 128 and they are 17 hops away from you. If you run a traceroute on
that IP and they are 17 hops away, then more than likely the source IP was not
spoofed. If the number of hops between you is different, then the source was
spoofed (or they changed the default TTL) and there is really no way to
determine where the scans originated. It is possible that a spoofed IP will
have the same number of hops that the real one has. If an attacker scans you
with spoofing enabled and you receive scans from 10 different IPs, then one of
them should (keyword) be the actual source (the attacker has to get the results
back somehow). Someone who knows what they are doing will make determining the
actual source difficult and they may simply be sitting on the local network of
one of the IPs sniffing the responses.

So there is no real way to accurately determine the actual source of the scans.
Because of this, complaining to what you think the source might be (or their
admin/abuse dept.) is generally a waste of time for both sides. Sorry.

dentonj

--
chown me /world
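The TTL check described in the reply above, as an added example that is not part of the original post: it pulls the TTL out of a firewall log line, infers the sender's likely default TTL and hop distance, and compares that with the hop count from your own traceroute to the claimed source. The log format (`TTL=nnn` fields as written by iptables LOG) and all sample values are assumptions made for the example.

```python
import re

# Common OS defaults named in the reply; the inferred default is the
# smallest one that is >= the TTL seen on the wire.
DEFAULT_TTLS = (32, 64, 128, 255)

# Constructed sample lines in the iptables LOG style (values are made up).
SAMPLE_LOG = [
    "Jul 10 07:00:01 host kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 TTL=111 PROTO=TCP DPT=3128",
    "Jul 10 07:00:01 host kernel: IN=eth0 SRC=192.0.2.11 DST=198.51.100.5 TTL=52 PROTO=TCP DPT=1080",
]


def ttl_from_log_line(line):
    """Extract the TTL field from a log line, or None if absent."""
    m = re.search(r"\bTTL=(\d+)\b", line)
    return int(m.group(1)) if m else None


def infer_initial_ttl(observed_ttl):
    """Guess the sender's default TTL from the value that arrived."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    for default in DEFAULT_TTLS:
        if observed_ttl <= default:
            return default
    return 255


def estimated_hops(observed_ttl):
    """Hops the packet appears to have travelled: default minus observed."""
    return infer_initial_ttl(observed_ttl) - observed_ttl


def spoofing_verdict(observed_ttl, traceroute_hops, slack=1):
    """Compare the inferred hop count with a traceroute to the claimed source.

    'consistent' means the path lengths agree within `slack` hops (forward
    and return paths are often asymmetric by a hop or so); 'inconsistent'
    means the source was spoofed or its default TTL was changed, as the
    reply explains. A match does not prove the address is genuine.
    """
    delta = abs(estimated_hops(observed_ttl) - traceroute_hops)
    return "consistent" if delta <= slack else "inconsistent"


if __name__ == "__main__":
    # Constructed traceroute hop counts for the two sample sources.
    for line, hops in zip(SAMPLE_LOG, (17, 4)):
        ttl = ttl_from_log_line(line)
        print(ttl, estimated_hops(ttl), hops, spoofing_verdict(ttl, hops))
```

A TTL just below 32 is ambiguous (32 minus a few hops, or 64 minus many), so treat the inferred default as a hint to be checked against traceroute, not a fact.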
