Distributed Scans?

From: E. Larry Lidz (ellidz@eridu.uchicago.edu)
Date: 12/10/01

To: incidents@securityfocus.com
Date: Mon, 10 Dec 2001 15:03:52 -0600
From: "E. Larry Lidz" <ellidz@eridu.uchicago.edu>


Starting slightly over a week ago, we've started seeing what looks like
coordinated distributed scans. We've seen four or five of them come
across our class B in that time. Each time, somewhere around eighty
systems scan our network. Each IP seems to scan about a thousand
machines on our network, all within the same basic time period (within
a few minutes of each other). The scans have either been for ftp or

Normally, I'd expect that it was the nmap decoy mode. However, three
things seem to indicate that this isn't the case: first, the scans have
complete TCP connections -- full handshakes are made. Second, each IP
is scanning a slightly different part of our network. Third, we've
reported some of these to the sources and gotten confirmations that the
machines we saw the scans come from were compromised.

I'm guessing that there's a new tool out there. Anyone else seeing
this sort of activity? Anyone have a copy of the tool?


E. Larry Lidz                                        Phone: (773)702-2208
Sr. Network Security Officer                         Fax:   (773)834-8444
Network Security Center, The University of Chicago
PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml
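
Added example, not part of the original message: one way to flag the pattern described above from records of completed TCP connections, by looking for many sources that each reach many hosts on one port within the same few minutes, with target sets that barely overlap. The function name, record layout, thresholds and sample data are assumptions made for this sketch.

```python
from collections import defaultdict
from itertools import combinations

def find_distributed_scans(conns, window=600, min_sources=20,
                           min_targets=100, max_overlap=0.1):
    """conns: (epoch_secs, src_ip, dst_ip, dst_port) per completed TCP handshake.
    Record layout and thresholds are assumptions of this example."""
    # (port, time slot) -> source -> set of destinations it connected to.
    # Fixed slots are a simplification: a scan straddling a boundary is split.
    slots = defaultdict(lambda: defaultdict(set))
    for ts, src, dst, port in conns:
        slots[(port, int(ts) // window)][src].add(dst)
    findings = []
    for (port, slot), per_src in sorted(slots.items()):
        # Keep only sources that touched many hosts; normal clients drop out.
        scanners = [t for t in per_src.values() if len(t) >= min_targets]
        if len(scanners) < max(min_sources, 2):
            continue
        # Mean pairwise Jaccard overlap of target sets: near 0 when each
        # source works its own slice, near 1 when all sources hit the same hosts.
        pairs = list(combinations(scanners, 2))
        overlap = sum(len(a & b) / len(a | b) for a, b in pairs) / len(pairs)
        findings.append({"port": port, "window_start": slot * window,
                         "sources": len(scanners),
                         "targets": len(set().union(*scanners)),
                         "mean_overlap": round(overlap, 3),
                         "partitioned": overlap <= max_overlap})
    return findings

def sample_conns(base=1007996400):
    """Constructed data, not from the post: 80 sources, 1000 hosts each,
    adjacent slices of 10.1.0.0/16 on port 21, plus ordinary FTP clients."""
    conns = []
    for i in range(80):
        for k in range(1000):
            n = i * 800 + k  # each source starts 800 addresses further on
            conns.append((base + i + k // 10, f"198.51.100.{i + 1}",
                          f"10.1.{n // 256}.{n % 256}", 21))
    for j in range(50):  # background: single-host clients of one server
        conns.append((base + j, f"203.0.113.{j + 1}", "10.1.0.21", 21))
    return conns

if __name__ == "__main__":
    for finding in find_distributed_scans(sample_conns()):
        print(finding)
```

A low `mean_overlap` corresponds to the second observation in the message (each IP covering a different part of the network); a value near 1 means every source hit the same hosts.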
