Re: 6112/TCP scans

From: Paul Dokas (dokas@cs.umn.edu)
Date: 12/11/01


Date: Tue, 11 Dec 2001 15:18:58 -0600
From: Paul Dokas <dokas@cs.umn.edu>
To: dewt <dewt@kc.rr.com>

On Fri, Dec 07, 2001 at 05:57:42PM -0600, dewt wrote:
> On Friday 07 December 2001 03:14 pm, Paul Dokas wrote:
> > Is anyone else seeing large numbers of 6112/TCP scans coming from
> > 63.240.0.0 - 63.242.255.255? I'm seeing about 10/minute destined to
> > random IPs within my networks. The scanning technique looks exactly
> > like the TCPMUX scans that were occurring a few months ago (forgive me,
> > I can't remember what the technique was, just that it was really odd).
> >
> > Obviously, they're looking for vulnerable CDE installations.
> >
> > Paul
>
> 6112 is the port used by Blizzard's battle.net; you might just have people
> playing Diablo 2, Starcraft, or whatever on your network.

You know, at first, this sounded right to me. However, over the weekend
and yesterday, my IDS picked up lots of this:

Time                 Source IP       Dest IP    Protocol  Src Port  Dest Port  Type          Connections/Packets

9-Dec-2001 12:56:27  63.240.202.138  A.B.C.26   6         1248      6112       bad dst port  1
9-Dec-2001 12:56:27  63.240.202.138  A.B.E.27   6         1193      6112       bad dst port  1
9-Dec-2001 12:56:37  63.240.202.138  A.B.F.69   6         1208      6112       bad dst port  1
9-Dec-2001 12:55:56  63.240.202.138  A.B.G.38   6         1128      6112       bad dst port  1
9-Dec-2001 12:56:07  63.240.202.138  A.B.G.43   6         1139      6112       bad dst port  1
9-Dec-2001 12:56:57  63.240.202.138  A.B.D.116  6         1127      6112       bad dst port  1
9-Dec-2001 12:57:37  63.240.202.138  A.B.D.105  6         1099      6112       bad dst port  1
9-Dec-2001 12:57:37  63.240.202.138  A.B.G.100  6         1176      6112       bad dst port  1
.
.
.

Where I've replaced my IP addresses with 'A.B.[CDEFG].' All of the packets
were 40 bytes, and not all of the destination IP addresses are in use.

The sources of the packets were 63.240.202.138, 63.240.202.139 and
63.240.202.140; the destination was always 6112/TCP. I've got ~450
packets over the 4-day period from 00:00 GMT+6 12/8 through this morning
for my /21 network.

To me, it looks like there was a slow scan with randomized destinations going
until Friday. Then it seems to have switched to a faster type of scan, or
possibly to just scanning my class A or B network.

Also, there does appear to be legitimate battlenet traffic going to that
area of the Internet. Perhaps someone is scanning from those IPs specifically
to hide within the legit battlenet traffic?

Paul

-- 
Paul Dokas                                            dokas@cs.umn.edu
======================================================================
Don Juan Matus:  an enigma wrapped in mystery wrapped in a tortilla.
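The distinction Paul is drawing (one source touching many hosts once each on 6112/TCP, versus a game client talking to one server repeatedly) can be checked mechanically over IDS lines in the column layout quoted above. The script below is an added example, not code from the thread or from any IDS product; the sample lines are constructed, the addresses are RFC 5737 documentation ranges, and the `min_hosts` threshold is an assumption to tune per network.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed sample in the column layout quoted above. Addresses are RFC 5737
# documentation ranges, not the ones reported on the list.
SAMPLE_LOG = """\
9-Dec-2001 12:56:27 203.0.113.138 198.51.100.26 6 1248 6112 bad dst port 1
9-Dec-2001 12:56:27 203.0.113.138 198.51.100.27 6 1193 6112 bad dst port 1
9-Dec-2001 12:56:37 203.0.113.138 198.51.101.69 6 1208 6112 bad dst port 1
9-Dec-2001 12:55:56 203.0.113.138 198.51.102.38 6 1128 6112 bad dst port 1
9-Dec-2001 12:56:07 203.0.113.138 198.51.102.43 6 1139 6112 bad dst port 1
9-Dec-2001 12:56:57 203.0.113.138 198.51.103.116 6 1127 6112 bad dst port 1
9-Dec-2001 13:10:00 203.0.113.77 198.51.100.5 6 3401 6112 bad dst port 1
9-Dec-2001 13:10:05 203.0.113.77 198.51.100.5 6 3401 6112 bad dst port 1
9-Dec-2001 13:11:30 203.0.113.77 198.51.100.5 6 3402 6112 bad dst port 1
"""

def parse_line(line):
    """Split one IDS line; the Type column has spaces, so take it as the middle."""
    f = line.split()
    if len(f) < 9:
        return None
    return {
        "ts": datetime.strptime(f"{f[0]} {f[1]}", "%d-%b-%Y %H:%M:%S"),
        "src": f[2], "dst": f[3], "proto": int(f[4]),
        "sport": int(f[5]), "dport": int(f[6]),
        "type": " ".join(f[7:-1]), "count": int(f[-1]),
    }

def profile_sources(log_text, port=6112, min_hosts=5):
    """Per source: distinct targets, /24s touched, time span; many hosts at ~1 packet each => scan."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == 6 and rec["dport"] == port:
            by_src[rec["src"]].append(rec)
    report = {}
    for src, recs in by_src.items():
        hosts = {r["dst"] for r in recs}
        nets = {str(ip_network(f"{r['dst']}/24", strict=False)) for r in recs}
        stamps = sorted(r["ts"] for r in recs)
        pkts = sum(r["count"] for r in recs)
        scan = len(hosts) >= min_hosts and pkts / len(hosts) < 2
        report[src] = {"hosts": len(hosts), "nets": len(nets), "packets": pkts,
                       "span_s": (stamps[-1] - stamps[0]).total_seconds(),
                       "verdict": "scan" if scan else "peer"}
    return report
```

Run `profile_sources(SAMPLE_LOG)` over a day of 6112/TCP alerts: the "nets" count shows how widely a source sprays destinations, which separates the randomized slow scan from a handful of real battle.net sessions.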
