RE: New DNS connection with SYN ACK

From: Cloppert, Michael (Michael.Cloppert@53.com)
Date: 01/14/02


From: "Cloppert, Michael" <Michael.Cloppert@53.com>
To: "'incidents@securityfocus.com'" <incidents@securityfocus.com>
Date: Mon, 14 Jan 2002 10:21:42 -0500

Could it be that you've been decoy addresses in a portscan?

For instance, hacker (H) wants to attack A. Hacker finds B and C that are
legit, so hacker sends a portscan from H, B, and C to A. The effect of this
is that the analyst at A doesn't know which is the real portscanner (or in
this case scanner for port 53). What B and C see are the responses to the
initial SYN sent to A, since A will be responding to H, B, and C
thinking that they're legit TCP initiation requests.

HTH. Anyone else have any ideas?

Mike Cloppert
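From a defender's side, the tell-tale sign of being used as a decoy address is the same as for any backscatter: SYN/ACKs arriving from a remote host (here, from source port 53) that do not answer any SYN the local host sent. The following is an added example, not code from the original post, that pairs inbound SYN/ACKs against a table of outbound SYNs and reports the unmatched ones. The packet records, the local prefix and the field names are constructed for the example.

```python
"""Flag inbound SYN/ACKs that do not answer any SYN we sent.

Added example for the thread above, not part of the original post. A host
used as a decoy address in someone else's port scan sees SYN/ACKs from the
scanned target without ever having sent a SYN; other kinds of backscatter
look the same. This pairs each inbound SYN/ACK with the outbound SYN it
should answer and reports the ones that have no match.
Packet records, the local prefix and the field layout are constructed.
"""
from collections import defaultdict

LOCAL_NET = "10.0.0."  # assumed local prefix for the constructed capture

# Constructed sample capture: (timestamp, src, sport, dst, dport, flags)
SAMPLE_PACKETS = [
    (1.00, "10.0.0.5", 40001, "192.0.2.10", 80, "S"),    # we opened this
    (1.05, "192.0.2.10", 80, "10.0.0.5", 40001, "SA"),   # legitimate reply
    (2.00, "198.51.100.7", 53, "10.0.0.5", 1234, "SA"),  # no SYN from us
    (2.01, "198.51.100.7", 53, "10.0.0.6", 1234, "SA"),  # second local host hit
    (3.00, "203.0.113.9", 22, "10.0.0.5", 5555, "SA"),   # unrelated backscatter
]


def is_local(ip):
    return ip.startswith(LOCAL_NET)


def find_unsolicited_synacks(packets, window=30.0):
    """Return inbound SYN/ACKs with no outbound SYN within `window` seconds.

    The state table is keyed on (local ip, local port, remote ip, remote port),
    so a SYN/ACK only counts as solicited if it exactly inverts a SYN we sent.
    """
    open_syns = {}
    unsolicited = []
    for ts, src, sport, dst, dport, flags in sorted(packets, key=lambda p: p[0]):
        if flags == "S" and is_local(src) and not is_local(dst):
            open_syns[(src, sport, dst, dport)] = ts
        elif flags == "SA" and is_local(dst) and not is_local(src):
            sent = open_syns.get((dst, dport, src, sport))
            if sent is None or ts - sent > window:
                unsolicited.append((ts, src, sport, dst, dport))
    return unsolicited


def summarize_by_remote(unsolicited):
    """Group unsolicited SYN/ACKs by (remote ip, remote port).

    One remote ip/port answering several of our hosts at once is the pattern
    described in the post: the scanned target replying to forged SYNs.
    """
    hosts = defaultdict(set)
    for _, src, sport, dst, _ in unsolicited:
        hosts[(src, sport)].add(dst)
    return {k: sorted(v) for k, v in hosts.items()}


if __name__ == "__main__":
    for remote, victims in summarize_by_remote(
            find_unsolicited_synacks(SAMPLE_PACKETS)).items():
        print(f"{remote[0]}:{remote[1]} -> unsolicited SYN/ACK to {victims}")
```

On a real capture the SYN table would be fed from the firewall or sensor's own connection log; the `window` keeps a stale SYN from excusing a much later SYN/ACK. A remote host answering from port 53 to many local addresses, none of which opened a connection, is consistent with those addresses having been spoofed as scan sources, which is worth recording even though nothing on the local side is compromised.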

> -----Original Message-----
> From: Richard Arends [mailto:richard@unixguru.nl]
> Sent: Friday, January 11, 2002 1:47 PM
> To: Jerry Perser
> Cc: incidents@securityfocus.com
> Subject: Re: New DNS connection with SYN ACK
>
>
> On 11 Jan 2002, Jerry Perser wrote:
>
> > Here are the 19 ip addresses:
> >
> > 128.121.10.146 128.242.105.34
> > 129.250.244.10 193.148.15.128 194.205.125.26 194.213.64.150
> > 202.139.133.129 203.194.166.182 203.81.45.254 216.220.39.42
> > 216.33.35.214
> > 216.34.68.2 216.35.167.58 62.23.80.2 62.26.119.34
> > 64.14.200.154 64.37.200.46 64.56.174.186 64.78.235.14
>
> I'm getting scans for port 53 from the same ip's !
>
> Greetings,
>
> Richard.
>
> ----
> An OS is like swiss cheese, the bigger it is, the more holes you get!
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
