RE: Strange "shotgun" scan

From: McCammon, Keith (Keith.McCammon@eadvancemed.com)
Date: 05/09/02


Date: Thu, 9 May 2002 14:21:19 -0400
From: "McCammon, Keith" <Keith.McCammon@eadvancemed.com>
To: "Ken Hodges" <khodges@wng.com>, <incidents@securityfocus.com>

This could be any number of tools, as most scanners allow for control of speed and/or randomization of target ports, mainly for the purposes of IDS evasion. Keep in mind that there are two common ways to evade an IDS: go so slow that it doesn't think anything is wrong, or go so fast that the sensor is overwhelmed and drops packets.

This fellow may be trying to overwhelm the sensor by scanning at such a rapid rate that packets are dropped from the buffer before the IDS generates an alert. Or, it could simply have been someone who thought that "nmap -T Insane" would get the job done faster (only an example, as I haven't studied this for any tool-related pattern). Kids these days are impatient.

Cheers

Keith

-----Original Message-----
From: Ken Hodges [mailto:khodges@wng.com]
Sent: Thursday, May 09, 2002 1:30 PM
To: incidents@securityfocus.com
Subject: Strange "shotgun" scan

Has anyone seen this type of scan before? I received close to 10K scans during a 15 minute period. It appears that the person was scanning totally random ports on all of my IP range. Just curious if it is some known program, or if anyone has seen this before.

Thanks.

Ken.

May 8 18:56:26 24.165.73.85:2070 -> 206.40.XXX.XXA:394 SYN 12****S*
May 8 18:56:26 24.165.73.85:2071 -> 206.40.XXX.XXA:478 SYN 12****S*
May 8 18:56:26 24.165.73.85:2072 -> 206.40.XXX.XXA:770 SYN 12****S*
May 8 18:56:26 24.165.73.85:2073 -> 206.40.XXX.XXA:350 SYN 12****S*
May 8 18:56:26 24.165.73.85:2074 -> 206.40.XXX.XXA:126 SYN 12****S*
May 8 18:56:26 24.165.73.85:2075 -> 206.40.XXX.XXA:3462 SYN 12****S*
May 8 18:56:26 24.165.73.85:2076 -> 206.40.XXX.XXA:1003 SYN 12****S*
May 8 18:56:26 24.165.73.85:2077 -> 206.40.XXX.XXA:1546 SYN 12****S*
May 8 18:56:26 24.165.73.85:2078 -> 206.40.XXX.XXA:980 SYN 12****S*
May 8 18:56:26 24.165.73.85:2079 -> 206.40.XXX.XXA:680 SYN 12****S*
May 8 18:56:27 24.165.73.85:2100 -> 206.40.XXX.XXA:819 SYN 12****S*
May 8 18:56:27 24.165.73.85:2101 -> 206.40.XXX.XXA:749 SYN 12****S*
May 8 18:56:27 24.165.73.85:2102 -> 206.40.XXX.XXA:727 SYN 12****S*
May 8 18:56:27 24.165.73.85:2103 -> 206.40.XXX.XXA:412 SYN 12****S*
May 8 18:56:27 24.165.73.85:2104 -> 206.40.XXX.XXA:5432 SYN 12****S*
May 8 18:56:27 24.165.73.85:2105 -> 206.40.XXX.XXA:554 SYN 12****S*
May 8 18:56:27 24.165.73.85:2106 -> 206.40.XXX.XXA:1989 SYN 12****S*
May 8 18:56:27 24.165.73.85:2107 -> 206.40.XXX.XXA:460 SYN 12****S*
May 8 18:56:27 24.165.73.85:2108 -> 206.40.XXX.XXA:696 SYN 12****S*
May 8 18:56:27 24.165.73.85:2109 -> 206.40.XXX.XXA:1998 SYN 12****S*
May 8 18:56:28 24.165.73.85:2130 -> 206.40.XXX.XXA:867 SYN 12****S*
May 8 18:56:28 24.165.73.85:2131 -> 206.40.XXX.XXA:776 SYN 12****S*
May 8 18:56:28 24.165.73.85:2132 -> 206.40.XXX.XXA:799 SYN 12****S*
May 8 18:56:28 24.165.73.85:2133 -> 206.40.XXX.XXA:1419 SYN 12****S*
May 8 18:56:28 24.165.73.85:2134 -> 206.40.XXX.XXA:970 SYN 12****S*
May 8 18:56:28 24.165.73.85:2135 -> 206.40.XXX.XXA:20 SYN 12****S*
May 8 18:56:28 24.165.73.85:2136 -> 206.40.XXX.XXA:67 SYN 12****S*

And it goes on and on....

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
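Added example, not part of Keith's or Ken's messages: a small detector that illustrates Keith's two evasion modes against a trace in the format Ken posted ("May 8 18:56:26 src:port -> dst:port SYN 12****S*"). The same distinct-destination-port threshold is applied over a five-second window and over an hour-long window; the short window catches the "shotgun" burst, only the long window catches a sweep paced at one probe every few minutes. A third check tests whether the source port increases by one per packet, the pattern visible in Ken's lines (2070, 2071, ... 2079, 2100, ...). The hosts, ports, timestamps and thresholds are constructed assumptions, not data from the thread.

```python
"""Detect "shotgun" (fast) and "low and slow" port scans from portscan log lines.

Added example, not from the original thread. The line layout copies Ken's
trace ("May 8 18:56:26 src:port -> dst:port SYN 12****S*"); the sample hosts,
ports and timestamps below are constructed, and the thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\w.]+):(?P<dport>\d+)\s+"
    r"(?P<flags>\S+)"
)


def parse_line(line, year=2002):
    """Parse one log line into a dict, or return None for lines that do not match.
    Syslog-style timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "flags": m["flags"]}


def detect_scans(events, window_s, min_ports):
    """Per source address, slide a window of window_s seconds over the events in
    time order and report the window holding the most distinct destination ports,
    if that count reaches min_ports. A repeated port (retries to :80) counts once."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda ev: ev["ts"])
        in_window = Counter()          # dport -> occurrences inside the window
        start, best = 0, None
        for end, e in enumerate(evs):
            in_window[e["dport"]] += 1
            while (e["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                old = evs[start]["dport"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_ports and (best is None or len(in_window) > best["distinct_ports"]):
                span = (e["ts"] - evs[start]["ts"]).total_seconds()
                best = {"distinct_ports": len(in_window), "packets": end - start + 1,
                        "span_s": span, "rate_pps": (end - start + 1) / max(span, 1.0)}
        if best:
            alerts[src] = best
    return alerts


def source_ports_monotonic(events):
    """True when one source's ephemeral port strictly increases in time order
    (2070, 2071, ... 2079, 2100, ... in Ken's trace): one scanning process
    walking its port range, rather than several hosts or randomized source ports."""
    sports = [e["sport"] for e in sorted(events, key=lambda ev: ev["ts"])]
    return all(b > a for a, b in zip(sports, sports[1:]))


# Assumed thresholds: the same port count, over five seconds for the burst and over
# an hour for the slow sweep. A sensor with only the short window misses the sweep.
FAST_WINDOW_S, SLOW_WINDOW_S, MIN_PORTS = 5, 3600, 10


def analyze(lines, year=2002):
    events = [e for e in (parse_line(ln, year) for ln in lines) if e]
    return {"fast": detect_scans(events, FAST_WINDOW_S, MIN_PORTS),
            "slow": detect_scans(events, SLOW_WINDOW_S, MIN_PORTS)}


def fmt(ts, src, sport, dst, dport):
    """Emit a line in the posted format (used only to build the constructed samples)."""
    return f"{ts:%b} {ts.day} {ts:%H:%M:%S} {src}:{sport} -> {dst}:{dport} SYN 12****S*"


_base = datetime(2002, 5, 8, 18, 56, 26)
SAMPLE_LINES = []
# Constructed: shotgun scanner, 12 SYNs to 12 scattered ports inside two seconds,
# source port incrementing by one per packet as in the trace.
for i, dport in enumerate([394, 478, 770, 350, 126, 3462, 1003, 1546, 980, 680, 819, 749]):
    SAMPLE_LINES.append(fmt(_base + timedelta(seconds=i // 6), "192.0.2.10", 2070 + i, "203.0.113.20", dport))
# Constructed: slow scanner, one SYN every five minutes to a new port for an hour.
for i, dport in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]):
    SAMPLE_LINES.append(fmt(_base + timedelta(minutes=5 * i), "198.51.100.7", 1025 + i, "203.0.113.20", dport))
# Constructed: ordinary client retrying port 80 three times; must not alert.
for i in range(3):
    SAMPLE_LINES.append(fmt(_base + timedelta(seconds=i), "203.0.113.3", 3000 + i, "203.0.113.20", 80))

if __name__ == "__main__":
    for mode, alerts in analyze(SAMPLE_LINES).items():
        for src, a in alerts.items():
            print(f"[{mode}] {src}: {a['distinct_ports']} ports, {a['packets']} pkts "
                  f"in {a['span_s']:.0f}s ({a['rate_pps']:.1f} pps)")
```

Run against the constructed sample, the fast window flags only 192.0.2.10 while the hour window flags both scanners and leaves the retrying client alone. On Ken's actual trace the same parser applies unchanged; the masked destination (206.40.XXX.XXA) is accepted as an opaque string.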

