Re: port 22 scans + 53 scans

From: John Sage (jsage@finchhaven.com)
Date: 10/08/01


Message-ID: <3BC1C3E3.6060207@finchhaven.com>
Date: Mon, 08 Oct 2001 08:18:59 -0700
From: John Sage <jsage@finchhaven.com>
To: Steven S <stevensl@corp.earthlink.net>
Subject: Re: port 22 scans + 53 scans

The tcp:53 probes seem to be some sort of distance-metrics/load
balancing activity.

See:

http://www.incidents.org/archives/intrusions/msg00702.html

To quote:

> These are likely probes to measure Round Trip Time for intelligent load
> balancing using products similar to Cisco's Distributed Director
> http://www.cisco.com/warp/public/cc/pd/cxsr/dd/tech/dd_wp.htm
>
> Port 53 and the SYN/ACK flags are used in an attempt to bypass router filters
> and firewall rules, thus getting a true RTT to the requesting client. That
> allows serving content from the best available server.
>
> If firewalls are dropping these packets, requesting clients may experience
> delays receiving the requested content. Firewalls may receive repeated probes
> from confused content caching clients.
>
> A frequently cited user of the SYN/ACK probing technique is Mirror Image
> http://www.mirror-image.com
>
> See inline for a couple of NSLookups that tend to support that. John is spot
> on with his observation:
> All packets have the Ack value one less than the value for Seq, e.g.,
> Seq: 0x1BC3D89A Ack: 0x1BC3D899
>
> Matt Scarborough 2001-06-10
>
>

Principal symptoms: ACK one less than SEQ for any given packet.

- John

-- 
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage@finchhaven.com
"The web is so, like, five minutes ago..."

Steven S wrote:

> I got 1 probe from 131.152.102.64 @ 13:57 EDT today to port 22
>
> then a flood (81 @ present) of port 53 connection attempts within about a 2
> minute time span, nothing before, nothing after (so far)
>
> notice that I got two port 53 attempts in a 12+ hour period, then blam!
>
> spoofed sources?
> I was forwarding these packets from my gateway/router to another host
> for analysis (the F at the end stands for Forward) but the host is
> currently down for upgrading.
>
>
> Oct 6 02:03:21 gw 1525: IP[Src=62.248.158.48 Dst=xxx.xxx.xxx.xxx TCP spo=02925 dpo=00053]}S06>R06mF
> Oct 6 07:00:54 gw 1525: IP[Src=216.153.214.84 Dst=xxx.xxx.xxx.xxx TCP spo=03997 dpo=00053]}S06>R06mF
> Oct 6 15:20:56 gw 1525: IP[Src=64.14.200.154 Dst=xxx.xxx.xxx.xxx TCP spo=49722 dpo=00053]}S06>R06mF
> Oct 6 15:20:56 gw 1525: IP[Src=216.35.167.58 Dst=xxx.xxx.xxx.xxx TCP spo=53496 dpo=00053]}S06>R06mF
> Oct 6 15:20:56 gw 1525: IP[Src=207.55.138.206 Dst=xxx.xxx.xxx.xxx TCP spo=63217 dpo=00053]}S06>R06mF
> Oct 6 15:20:56 gw 1525: IP[Src=208.184.162.71 Dst=xxx.xxx.xxx.xxx TCP spo=57907 dpo=00053]}S06>R06mF
> Oct 6 15:20:56 gw 1525: IP[Src=64.78.235.14 Dst=xxx.xxx.xxx.xxx TCP spo=13583 dpo=00053]}S06>R06mF
> Oct 6 15:20:56 gw 1525: IP[Src=216.34.68.2 Dst=xxx.xxx.xxx.xxx TCP spo=51224 dpo=00053]}S06>R06mF
> Oct 6 15:20:56 gw 1525: IP[Src=209.249.97.40 Dst=xxx.xxx.xxx.xxx TCP spo=37503 dpo=00053]}S06>R06mF
> Oct 6 15:20:56 gw 1525: IP[Src=216.33.35.214 Dst=xxx.xxx.xxx.xxx TCP spo=54565 dpo=00053]}S06>R06mF
> Oct 6 15:20:57 gw 1525: IP[Src=216.220.39.42 Dst=xxx.xxx.xxx.xxx TCP spo=39303 dpo=00053]}S06>R06mF
> Oct 6 15:20:57 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP spo=48593 dpo=00053]}S06>R06mF
> Oct 6 15:20:57 gw 1525: IP[Src=62.23.80.2 Dst=xxx.xxx.xxx.xxx TCP spo=37779 dpo=00053]}S06>R06mF
> Oct 6 15:20:57 gw 1525: IP[Src=194.205.125.26 Dst=xxx.xxx.xxx.xxx TCP spo=57719 dpo=00053]}S06>R06mF
> Oct 6 15:20:57 gw 1525: IP[Src=62.26.119.34 Dst=xxx.xxx.xxx.xxx TCP spo=57174 dpo=00053]}S06>R06mF
> Oct 6 15:20:57 gw 1525: IP[Src=64.56.174.186 Dst=xxx.xxx.xxx.xxx TCP spo=52486 dpo=00053]}S06>R06mF
> Oct 6 15:20:57 gw 1525: IP[Src=194.213.64.150 Dst=xxx.xxx.xxx.xxx TCP spo=18133 dpo=00053]}S06>R06mF
> Oct 6 15:20:57 gw 1525: IP[Src=64.37.200.46 Dst=xxx.xxx.xxx.xxx TCP spo=15205 dpo=00053]}S06>R06mF
> Oct 6 15:20:57 gw 1525: IP[Src=203.194.166.182 Dst=xxx.xxx.xxx.xxx TCP spo=21712 dpo=00053]}S06>R06mF
> Oct 6 15:20:57 gw 1525: IP[Src=202.139.133.129 Dst=xxx.xxx.xxx.xxx TCP spo=55707 dpo=00053]}S06>R06mF
> Oct 6 15:20:57 gw 1525: IP[Src=203.208.128.70 Dst=xxx.xxx.xxx.xxx TCP spo=40535 dpo=00053]}S06>R06mF
> Oct 6 15:20:59 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP spo=48593 dpo=00053]}S06>R06mF
> Oct 6 15:20:59 gw 1525: IP[Src=62.23.80.2 Dst=xxx.xxx.xxx.xxx TCP spo=37923 dpo=00053]}S06>R06mF
> Oct 6 15:20:59 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP spo=48739 dpo=00053]}S06>R06mF
> Oct 6 15:20:59 gw 1525: IP[Src=194.205.125.26 Dst=xxx.xxx.xxx.xxx TCP spo=57860 dpo=00053]}S06>R06mF
> Oct 6 15:20:59 gw 1525: IP[Src=194.213.64.150 Dst=xxx.xxx.xxx.xxx TCP spo=18277 dpo=00053]}S06>R06mF
> Oct 6 15:20:59 gw 1525: IP[Src=64.14.200.154 Dst=xxx.xxx.xxx.xxx TCP spo=49897 dpo=00053]}S06>R06mF
> Oct 6 15:20:59 gw 1525: IP[Src=216.35.167.58 Dst=xxx.xxx.xxx.xxx TCP spo=53671 dpo=00053]}S06>R06mF
> Oct 6 15:20:59 gw 1525: IP[Src=207.55.138.206 Dst=xxx.xxx.xxx.xxx TCP spo=63392 dpo=00053]}S06>R06mF
> Oct 6 15:20:59 gw 1525: IP[Src=64.78.235.14 Dst=xxx.xxx.xxx.xxx TCP spo=13758 dpo=00053]}S06>R06mF
> Oct 6 15:20:59 gw 1525: IP[Src=208.184.162.71 Dst=xxx.xxx.xxx.xxx TCP spo=58084 dpo=00053]}S06>R06mF
> Oct 6 15:20:59 gw 1525: IP[Src=64.37.200.46 Dst=xxx.xxx.xxx.xxx TCP spo=15380 dpo=00053]}S06>R06mF
> Oct 6 15:20:59 gw 1525: IP[Src=216.34.68.2 Dst=xxx.xxx.xxx.xxx TCP spo=51399 dpo=00053]}S06>R06mF
> Oct 6 15:20:59 gw 1525: IP[Src=209.249.97.40 Dst=xxx.xxx.xxx.xxx TCP spo=37678 dpo=00053]}S06>R06mF
> Oct 6 15:20:59 gw 1525: IP[Src=216.33.35.214 Dst=xxx.xxx.xxx.xxx TCP spo=54752 dpo=00053]}S06>R06mF
> Oct 6 15:20:59 gw 1525: IP[Src=216.220.39.42 Dst=xxx.xxx.xxx.xxx TCP spo=39418 dpo=00053]}S06>R06mF
> Oct 6 15:20:59 gw 1525: IP[Src=62.26.119.34 Dst=xxx.xxx.xxx.xxx TCP spo=57349 dpo=00053]}S06>R06mF
> Oct 6 15:20:59 gw 1525: IP[Src=64.56.174.186 Dst=xxx.xxx.xxx.xxx TCP spo=52661 dpo=00053]}S06>R06mF
> Oct 6 15:20:59 gw 1525: IP[Src=203.194.166.182 Dst=xxx.xxx.xxx.xxx TCP spo=21896 dpo=00053]}S06>R06mF
> Oct 6 15:20:59 gw 1525: IP[Src=202.139.133.129 Dst=xxx.xxx.xxx.xxx TCP spo=55882 dpo=00053]}S06>R06mF
> Oct 6 15:20:59 gw 1525: IP[Src=203.208.128.70 Dst=xxx.xxx.xxx.xxx TCP spo=40710 dpo=00053]}S06>R06mF
> Oct 6 15:21:00 gw 1525: IP[Src=216.35.167.58 Dst=xxx.xxx.xxx.xxx TCP spo=53714 dpo=00053]}S06>R06mF
> Oct 6 15:21:00 gw 1525: IP[Src=209.249.97.40 Dst=xxx.xxx.xxx.xxx TCP spo=37721 dpo=00053]}S06>R06mF
> Oct 6 15:21:00 gw 1525: IP[Src=216.33.35.214 Dst=xxx.xxx.xxx.xxx TCP spo=54785 dpo=00053]}S06>R06mF
> Oct 6 15:21:00 gw 1525: IP[Src=207.55.138.206 Dst=xxx.xxx.xxx.xxx TCP spo=63435 dpo=00053]}S06>R06mF
> Oct 6 15:21:00 gw 1525: IP[Src=64.78.235.14 Dst=xxx.xxx.xxx.xxx TCP spo=13801 dpo=00053]}S06>R06mF
> Oct 6 15:21:00 gw 1525: IP[Src=64.37.200.46 Dst=xxx.xxx.xxx.xxx TCP spo=15423 dpo=00053]}S06>R06mF
> Oct 6 15:21:00 gw 1525: IP[Src=64.14.200.154 Dst=xxx.xxx.xxx.xxx TCP spo=49940 dpo=00053]}S06>R06mF
> Oct 6 15:21:00 gw 1525: IP[Src=208.184.162.71 Dst=xxx.xxx.xxx.xxx TCP spo=58127 dpo=00053]}S06>R06mF
> Oct 6 15:21:00 gw 1525: IP[Src=216.34.68.2 Dst=xxx.xxx.xxx.xxx TCP spo=51442 dpo=00053]}S06>R06mF
> Oct 6 15:21:00 gw 1525: IP[Src=194.205.125.26 Dst=xxx.xxx.xxx.xxx TCP spo=57935 dpo=00053]}S06>R06mF
> Oct 6 15:21:00 gw 1525: IP[Src=62.23.80.2 Dst=xxx.xxx.xxx.xxx TCP spo=37995 dpo=00053]}S06>R06mF
> Oct 6 15:21:00 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP spo=48813 dpo=00053]}S06>R06mF
> Oct 6 15:21:00 gw 1525: IP[Src=62.26.119.34 Dst=xxx.xxx.xxx.xxx TCP spo=57392 dpo=00053]}S06>R06mF
> Oct 6 15:21:00 gw 1525: IP[Src=194.213.64.150 Dst=xxx.xxx.xxx.xxx TCP spo=18349 dpo=00053]}S06>R06mF
> Oct 6 15:21:00 gw 1525: IP[Src=64.56.174.186 Dst=xxx.xxx.xxx.xxx TCP spo=52704 dpo=00053]}S06>R06mF
> Oct 6 15:21:00 gw 1525: IP[Src=203.194.166.182 Dst=xxx.xxx.xxx.xxx TCP spo=21939 dpo=00053]}S06>R06mF
> Oct 6 15:21:00 gw 1525: IP[Src=202.139.133.129 Dst=xxx.xxx.xxx.xxx TCP spo=55925 dpo=00053]}S06>R06mF
> Oct 6 15:21:00 gw 1525: IP[Src=203.208.128.70 Dst=xxx.xxx.xxx.xxx TCP spo=40753 dpo=00053]}S06>R06mF
> Oct 6 15:21:01 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP spo=48739 dpo=00053]}S06>R06mF
> Oct 6 15:21:01 gw 1525: IP[Src=62.26.119.34 Dst=xxx.xxx.xxx.xxx TCP spo=57349 dpo=00053]}S06>R06mF
> Oct 6 15:21:02 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP spo=48813 dpo=00053]}S06>R06mF
> Oct 6 15:21:02 gw 1525: IP[Src=216.33.35.214 Dst=xxx.xxx.xxx.xxx TCP spo=54935 dpo=00053]}S06>R06mF
> Oct 6 15:21:02 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP spo=48954 dpo=00053]}S06>R06mF
> Oct 6 15:21:02 gw 1525: IP[Src=216.35.167.58 Dst=xxx.xxx.xxx.xxx TCP spo=53890 dpo=00053]}S06>R06mF
> Oct 6 15:21:02 gw 1525: IP[Src=209.249.97.40 Dst=xxx.xxx.xxx.xxx TCP spo=37895 dpo=00053]}S06>R06mF
> Oct 6 15:21:02 gw 1525: IP[Src=207.55.138.206 Dst=xxx.xxx.xxx.xxx TCP spo=63609 dpo=00053]}S06>R06mF
> Oct 6 15:21:02 gw 1525: IP[Src=64.37.200.46 Dst=xxx.xxx.xxx.xxx TCP spo=15597 dpo=00053]}S06>R06mF
> Oct 6 15:21:02 gw 1525: IP[Src=64.78.235.14 Dst=xxx.xxx.xxx.xxx TCP spo=13975 dpo=00053]}S06>R06mF
> Oct 6 15:21:02 gw 1525: IP[Src=64.14.200.154 Dst=xxx.xxx.xxx.xxx TCP spo=50114 dpo=00053]}S06>R06mF
> Oct 6 15:21:02 gw 1525: IP[Src=208.184.162.71 Dst=xxx.xxx.xxx.xxx TCP spo=58301 dpo=00053]}S06>R06mF
> Oct 6 15:21:02 gw 1525: IP[Src=216.34.68.2 Dst=xxx.xxx.xxx.xxx TCP spo=51616 dpo=00053]}S06>R06mF
> Oct 6 15:21:02 gw 1525: IP[Src=194.205.125.26 Dst=xxx.xxx.xxx.xxx TCP spo=58101 dpo=00053]}S06>R06mF
> Oct 6 15:21:02 gw 1525: IP[Src=62.23.80.2 Dst=xxx.xxx.xxx.xxx TCP spo=38161 dpo=00053]}S06>R06mF
> Oct 6 15:21:02 gw 1525: IP[Src=62.26.119.34 Dst=xxx.xxx.xxx.xxx TCP spo=57566 dpo=00053]}S06>R06mF
> Oct 6 15:21:02 gw 1525: IP[Src=194.213.64.150 Dst=xxx.xxx.xxx.xxx TCP spo=18515 dpo=00053]}S06>R06mF
> Oct 6 15:21:02 gw 1525: IP[Src=64.56.174.186 Dst=xxx.xxx.xxx.xxx TCP spo=52878 dpo=00053]}S06>R06mF
> Oct 6 15:21:02 gw 1525: IP[Src=203.194.166.182 Dst=xxx.xxx.xxx.xxx TCP spo=22113 dpo=00053]}S06>R06mF
> Oct 6 15:21:03 gw 1525: IP[Src=202.139.133.129 Dst=xxx.xxx.xxx.xxx TCP spo=56099 dpo=00053]}S06>R06mF
> Oct 6 15:21:03 gw 1525: IP[Src=203.208.128.70 Dst=xxx.xxx.xxx.xxx TCP spo=40927 dpo=00053]}S06>R06mF
> Oct 6 15:21:04 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP spo=48954 dpo=00053]}S06>R06mF
>

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
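The signature John and Matt describe, an unsolicited SYN/ACK to tcp/53 whose Ack is exactly one less than its Seq, is easy to check for once you have the TCP header in hand. The block below is an added example and is not code from the original post or from any of the products mentioned. It builds a few hand-constructed TCP headers (the only values taken from the thread are destination port 53 and the Seq/Ack pair 0x1BC3D89A / 0x1BC3D899; the 192.0.2.x addresses and every other port and sequence number are made up), then classifies each one two ways: with the table of SYNs the local host actually sent, which is the state a stateful firewall keeps, and with a stateless "established" style rule that passes anything carrying ACK or RST. The point it makes is the one in Matt's quote: the probe passes the stateless rule because ACK is set, while the stateful check rejects it because no SYN was ever sent to that peer and the Ack does not correspond to any local ISN.

```python
"""Added example (not from the original post): recognise the SYN/ACK
'RTT probe' signature discussed in the thread, and show why a stateless
'established' rule passes it while connection tracking does not.

All packets are constructed here.  Only the destination port (53) and the
Seq/Ack pair 0x1BC3D89A / 0x1BC3D899 come from the thread; the 192.0.2.x
addresses, other ports and sequence numbers are hypothetical.
"""
import struct

TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP_FMT = "!HHIIBBHHH"  # sport, dport, seq, ack, offset, flags, window, csum, urg
MASK32 = 0xFFFFFFFF


def build_tcp_header(sport, dport, seq, ack, flags, window=8192):
    """Minimal 20-byte TCP header: no options, checksum left at zero."""
    return struct.pack(TCP_FMT, sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)


def parse_tcp_header(raw):
    """Parse the fixed 20-byte part of a TCP header into a dict."""
    if len(raw) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off, flags, win, _csum, _urg = struct.unpack(TCP_FMT, raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": win, "hlen": (off >> 4) * 4}


def established_acl_permits(hdr):
    """Stateless 'established' rule: pass any segment with ACK or RST set.
    It never consults connection state, which is what the probe relies on."""
    return bool(hdr["flags"] & (TH_ACK | TH_RST))


def classify(src_ip, hdr, sent_syns):
    """Label an inbound segment using the state a stateful filter keeps.

    sent_syns: {(peer_ip, peer_port, local_port): our_isn} for SYNs this
    host really sent.  A genuine SYN/ACK answers one of those with
    Ack == our_isn + 1; the probe instead carries Ack == Seq - 1.
    """
    synack = TH_SYN | TH_ACK
    if hdr["flags"] & (TH_SYN | TH_ACK | TH_RST | TH_FIN) != synack:
        return "not-syn-ack"
    our_isn = sent_syns.get((src_ip, hdr["sport"], hdr["dport"]))
    if our_isn is not None and hdr["ack"] == (our_isn + 1) & MASK32:
        return "handshake-reply"          # second step of a handshake we started
    if hdr["ack"] == (hdr["seq"] - 1) & MASK32:
        return "rtt-probe"                # the Ack = Seq - 1 signature from the thread
    return "unsolicited-syn-ack"


# Constructed sample traffic (hypothetical addresses), one segment each.
SAMPLES = [
    # the probe: SYN/ACK to port 53, Ack one less than Seq, no SYN from us
    ("192.0.2.10", build_tcp_header(49722, 53, 0x1BC3D89A, 0x1BC3D899, TH_SYN | TH_ACK)),
    # a real reply to a SYN we sent to 192.0.2.20:80 from local port 40000
    ("192.0.2.20", build_tcp_header(80, 40000, 0x11112222, 0x00AA0001, TH_SYN | TH_ACK)),
    # an ordinary inbound SYN to port 22 (not a SYN/ACK at all)
    ("192.0.2.30", build_tcp_header(31337, 22, 0x55555555, 0, TH_SYN)),
]
# SYNs this host sent: peer 192.0.2.20:80 from local port 40000, ISN 0x00AA0000
OUR_SYNS = {("192.0.2.20", 80, 40000): 0x00AA0000}


def run(samples=SAMPLES, sent_syns=OUR_SYNS):
    """Return (src, stateful label, stateless-ACL verdict) per sample segment."""
    out = []
    for src, raw in samples:
        hdr = parse_tcp_header(raw)
        out.append((src, classify(src, hdr, sent_syns), established_acl_permits(hdr)))
    return out


if __name__ == "__main__":
    for src, label, acl_ok in run():
        print(f"{src:<12} {label:<20} stateless established rule passes: {acl_ok}")
```

Two caveats when turning this into a detection rule. First, the Ack = Seq - 1 relation is a property of one product family's probe, so treat it as an identifying fingerprint rather than a definition: any SYN/ACK that matches no outstanding SYN of yours is already unsolicited, and the Seq/Ack check only tells you which kind. Second, a probe like this arrives from many source addresses within a second or two, so aggregating the "rtt-probe" verdicts by time window and counting distinct sources separates the load-balancer burst seen in Steven's log from a single host poking at tcp/53.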


