Distributed Scans?

From: E. Larry Lidz (ellidz@eridu.uchicago.edu)
Date: 12/10/01


To: incidents@securityfocus.com
Date: Mon, 10 Dec 2001 15:03:52 -0600
From: "E. Larry Lidz" <ellidz@eridu.uchicago.edu>


Hello,

Starting slightly over a week ago, we've started seeing what looks like
coordinated distributed scans. We've seen four or five of them come
across our class B in that time. Each time, somewhere around eighty
systems scan our network. Each IP seems to scan about a thousand
machines on our network, all within the same basic time period (within
a few minutes of each other). The scans have either been for ftp or
ssh.

Normally, I'd expect that it was the nmap decoy mode. However, three
things seem to indicate that this isn't the case: first, the scans have
complete TCP connections -- full handshakes are made. Second, each IP
is scanning a slightly different part of our network. Third, we've
reported some of these to the sources and gotten confirmations that the
machines we saw the scans come from were compromised.

I'm guessing that there's a new tool out there. Anyone else seeing
this sort of activity? Anyone have a copy of the tool?

-Larry

---
E. Larry Lidz                                        Phone: (773)702-2208
Sr. Network Security Officer                         Fax:   (773)834-8444
Network Security Center, The University of Chicago
PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml
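
One way to flag the pattern described in the message above in connection logs (an added example, not part of the original post): many sources each completing handshakes to many hosts on one port within a few minutes, with little overlap between their target sets. The record format, function names and thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from itertools import combinations

def find_distributed_scans(conns, min_targets=1000, min_sources=20, window=600):
    """conns: (epoch_secs, src_ip, dst_ip, dst_port) per completed TCP handshake."""
    targets, first_seen = defaultdict(set), {}
    for ts, src, dst, port in conns:
        targets[(port, src)].add(dst)
        first_seen[(port, src)] = min(ts, first_seen.get((port, src), ts))
    # Sources that swept many distinct hosts on one port, keyed by that port.
    sweepers = defaultdict(list)
    for (port, src), dsts in targets.items():
        if len(dsts) >= min_targets:
            sweepers[port].append((first_seen[(port, src)], src))
    findings = []
    for port, items in sweepers.items():
        items.sort()
        group = [items[0]]
        for item in items[1:] + [None]:        # None flushes the last group
            if item and item[0] - group[0][0] <= window:
                group.append(item)
                continue
            if len(group) >= min_sources:
                findings.append(summarise(port, [s for _, s in group], targets))
            group = [item]
    return findings

def summarise(port, srcs, targets):
    # Mean Jaccard overlap of target sets: near 0 means each source was handed
    # its own slice; near 1 means every source hit the same hosts.
    pairs = list(combinations(srcs, 2))
    jac = [len(targets[(port, a)] & targets[(port, b)]) /
           len(targets[(port, a)] | targets[(port, b)]) for a, b in pairs]
    return {"port": port, "sources": srcs,
            "mean_overlap": sum(jac) / max(len(jac), 1)}

def constructed_sample(base=1_000_000):
    """Constructed data, scaled down: 8 sources x 100 hosts on tcp/22."""
    host = lambda n: f"10.1.{n // 256}.{n % 256}"
    conns = [(base + i * 20 + j, f"198.51.100.{i + 1}", host(i * 90 + j), 22)
             for i in range(8) for j in range(100)]
    # Noise: one lone ftp sweeper an hour later, and ordinary web traffic.
    conns += [(base + 3600 + j, "203.0.113.9", host(j), 21) for j in range(100)]
    conns += [(base + j, "203.0.113.5", host(j), 80) for j in range(3)]
    return conns

if __name__ == "__main__":
    for f in find_distributed_scans(constructed_sample(), 100, 5):
        print(f["port"], len(f["sources"]), round(f["mean_overlap"], 3))
```

The default thresholds follow the rough figures in the message (about a thousand hosts per source, sources starting within minutes of each other); tune them to the size of the monitored network.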
