Re: Scan combining internal/external

From: Rich Puhek (rpuhek@etnsystems.com)
Date: 02/26/02


Date: Tue, 26 Feb 2002 14:14:18 -0600
From: Rich Puhek <rpuhek@etnsystems.com>
To: thompson@isc.upenn.edu


"Stephen W. Thompson" wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Yesterday afternoon I saw apparently-coordinated scans which
> absolutely confuse me. I'd appreciate hearing from anyone who has
> seen anything similar or who has a likely explanation.
>
> First, I have my main machine which has Linux with an ipchains
> firewall. On the same subnet I have a linux box with a non-recent
> Snort IDS configuration monitoring the subnet.
>
> The logs below show:
> 1) My ipchains logs showing several of *our* machines from diverse
> subnets making from 1 to 6 connection attempts to *my* personal
> machine, the first at 15:18, then a bunch from 16:29 to 16:31:50.
> All but the first have source port tcp/6667 to various destination
> ports.
> 2) Snort logs revealing a scan by an external IP of many machines on
> my subnet, source and destination ports tcp/6667, lasting from
> 16:31:46 to 16:31:47.
>

Are you ingress filtering? (Does your router block incoming packets with
source IP address = your subnets?). If not, I'd suggest doing so.
ipchains is fine and good, but ingress filtering will prevent bad guys
from pretending to be from your network.

Could be the attacker is not real sophisticated, and is doing something
like:

nmap -sS -g 6667 -Dyour_ip_1,your_ip_2,your_ip_3 your_target_machine

which is really pretty pointless, since you've easily identified the
source of the scan...

_________________________________________________________
                         
Rich Puhek
ETN Systems Inc.
_________________________________________________________

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
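The ingress-filtering point Rich raises, worked through as an added example that is not part of the original thread: a small Python script that parses ipchains "Packet log:" lines, flags packets that arrived on the external interface carrying a source address from one of your own subnets (exactly what ingress filtering at the border should drop), groups entries that share one source port against one target so a burst from many "internal" sources on tcp/6667 stands out, and emits the ipchains rules that would log and deny such packets at the border. The log lines, the 10.20.0.0/16 prefix, the interface names and the function names are all constructed for this example; the log layout assumed is the classic 2.2-kernel ipchains format.

```python
import ipaddress
import re

# Assumed ipchains log layout (kernel 2.2 era), syslog prefix already stripped:
# "Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=... S=... I=... F=... T=... [SYN]"
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample lines (not from the original post). Three SYNs share source
# port 6667 against one host; two of them claim internal sources but arrived on
# the external interface eth0. The last line is a legitimate internal packet on eth1.
SAMPLE_LOG = """\
Packet log: input DENY eth0 PROTO=6 10.20.1.5:6667 10.20.3.9:22 L=60 S=0x00 I=1001 F=0x4000 T=64 SYN (#3)
Packet log: input DENY eth0 PROTO=6 10.20.2.7:6667 10.20.3.9:80 L=60 S=0x00 I=1002 F=0x4000 T=64 SYN (#3)
Packet log: input DENY eth0 PROTO=6 203.0.113.44:6667 10.20.3.9:6667 L=60 S=0x00 I=1003 F=0x4000 T=64 SYN (#3)
Packet log: input DENY eth1 PROTO=6 10.20.1.5:1034 10.20.3.9:22 L=60 S=0x00 I=1004 F=0x4000 T=64 SYN (#3)
"""


def parse_ipchains_log(text):
    """Return one dict per recognised 'Packet log:' line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("proto", "sport", "dport"):
            d[key] = int(d[key])
        entries.append(d)
    return entries


def spoofed_internal_sources(entries, internal_nets, external_ifaces):
    """Entries that came in on an external interface but claim an internal source.

    These are the packets an ingress filter at the border would have dropped;
    seeing them on a host means the border is not filtering (or there is none).
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hits = []
    for e in entries:
        src = ipaddress.ip_address(e["src"])
        if e["iface"] in external_ifaces and any(src in n for n in nets):
            hits.append(e)
    return hits


def shared_source_port_clusters(entries, min_sources=3):
    """Group by (destination, source port); keep groups with many distinct sources.

    A fixed source port reused by several unrelated senders against one target in
    a short window is the pattern the thread describes (tcp/6667 from many hosts).
    """
    by_key = {}
    for e in entries:
        by_key.setdefault((e["dst"], e["sport"]), set()).add(e["src"])
    return {k: sorted(v) for k, v in by_key.items() if len(v) >= min_sources}


def ingress_rules(internal_nets, external_iface):
    """ipchains rules that log and deny inbound packets spoofing our own prefixes.

    '-i' selects the interface, '-s' the source prefix, '-j DENY' drops silently
    and '-l' logs the match; install on the border box, one rule per prefix.
    """
    return [
        "ipchains -A input -i %s -s %s -j DENY -l" % (external_iface, net)
        for net in internal_nets
    ]


if __name__ == "__main__":
    entries = parse_ipchains_log(SAMPLE_LOG)
    for e in spoofed_internal_sources(entries, ["10.20.0.0/16"], {"eth0"}):
        print("spoofed internal source on %s: %s:%d -> %s:%d"
              % (e["iface"], e["src"], e["sport"], e["dst"], e["dport"]))
    for (dst, sport), srcs in shared_source_port_clusters(entries).items():
        print("source port %d reused by %d hosts against %s: %s"
              % (sport, len(srcs), dst, ", ".join(srcs)))
    print("\n".join(ingress_rules(["10.20.0.0/16"], "eth0")))
```

On a real host the interface check only applies at the border router or a dual-homed firewall; on a single-interface host like the one in the post, the shared-source-port cluster is the more useful signal, and the ingress rules belong on whatever box sits between the subnets and the outside.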


