Distributed ICMP/UDP scan or attack?

From: Jason Dixon (jasondixon@myrealbox.com)
Date: 06/16/02


From: Jason Dixon <jasondixon@myrealbox.com>
To: incidents@securityfocus.com
Date: 16 Jun 2002 06:49:18 -0400

Hi all:

Please excuse me if this is a newbie question, I'm not sure how to go
about searching for answers on intrusion/scanner patterns and the
like. I noticed this series of scans/connections in my firewall log
this morning. The first thing that came to mind was the Bind 9
vulnerability, but there aren't any exploits available yet, IIRC.

As you can see, there was a series of three icmp queries followed by two
unsuccessful DNS connections. Has anyone seen this?

< Jun 15 15:47:31 dc0 208.185.54.14 -> x.x.x.x icmp
< Jun 15 15:47:31 dc0 64.15.251.198 -> x.x.x.x icmp
< Jun 15 15:47:31 dc0 213.61.6.2 -> x.x.x.x icmp
< Jun 15 15:47:31 dc0 207.235.98.194 -> x.x.x.x icmp
< Jun 15 15:47:31 dc0 64.0.96.12 -> x.x.x.x icmp
< Jun 15 15:47:31 dc0 209.240.77.130 -> x.x.x.x icmp
< Jun 15 15:47:31 dc0 65.119.25.162 -> x.x.x.x icmp
< Jun 15 15:47:31 dc0 204.176.88.5 -> x.x.x.x icmp
< Jun 15 15:47:32 dc0 64.14.117.10 -> x.x.x.x icmp
< Jun 15 15:47:32 dc0 212.62.17.145 -> x.x.x.x icmp
< Jun 15 15:47:42 dc0 64.15.251.198 -> x.x.x.x icmp
< Jun 15 15:47:42 dc0 208.185.54.14 -> x.x.x.x icmp
< Jun 15 15:47:42 dc0 213.61.6.2 -> x.x.x.x icmp
< Jun 15 15:47:42 dc0 207.235.98.194 -> x.x.x.x icmp
< Jun 15 15:47:42 dc0 64.0.96.12 -> x.x.x.x icmp
< Jun 15 15:47:42 dc0 209.240.77.130 -> x.x.x.x icmp
< Jun 15 15:47:42 dc0 204.176.88.5 -> x.x.x.x icmp
< Jun 15 15:47:42 dc0 65.119.25.162 -> x.x.x.x icmp
< Jun 15 15:47:43 dc0 64.14.117.10 -> x.x.x.x icmp
< Jun 15 15:47:43 dc0 212.62.17.145 -> x.x.x.x icmp
< Jun 15 15:47:52 dc0 208.185.54.14 -> x.x.x.x icmp
< Jun 15 15:47:52 dc0 64.15.251.198 -> x.x.x.x icmp
< Jun 15 15:47:52 dc0 213.61.6.2 -> x.x.x.x icmp
< Jun 15 15:47:52 dc0 207.235.98.194 -> x.x.x.x icmp
< Jun 15 15:47:52 dc0 64.0.96.12 -> x.x.x.x icmp
< Jun 15 15:47:52 dc0 209.240.77.130 -> x.x.x.x icmp
< Jun 15 15:47:52 dc0 65.119.25.162 -> x.x.x.x icmp
< Jun 15 15:47:52 dc0 204.176.88.5 -> x.x.x.x icmp
< Jun 15 15:47:52 dc0 64.14.117.10 -> x.x.x.x icmp
< Jun 15 15:47:53 dc0 212.62.17.145 -> x.x.x.x icmp
< Jun 15 15:48:01 dc0 208.185.54.14,1687 -> x.x.x.x,53 udp
< Jun 15 15:48:01 dc0 64.15.251.198,32865 -> x.x.x.x,53 udp
< Jun 15 15:48:01 dc0 213.61.6.2,17613 -> x.x.x.x,53 udp
< Jun 15 15:48:01 dc0 207.235.98.194,54613 -> x.x.x.x,53 udp
< Jun 15 15:48:01 dc0 64.0.96.12,50831 -> x.x.x.x,53 udp
< Jun 15 15:48:02 dc0 209.240.77.130,39805 -> x.x.x.x,53 udp
< Jun 15 15:48:02 dc0 65.119.25.162,3058 -> x.x.x.x,53 udp
< Jun 15 15:48:02 dc0 204.176.88.5,8329 -> x.x.x.x,53 udp
< Jun 15 15:48:02 dc0 64.14.117.10,4502 -> x.x.x.x,53 udp
< Jun 15 15:48:02 dc0 212.62.17.145,54557 -> x.x.x.x,53 udp
< Jun 15 15:48:11 dc0 64.15.251.198,32865 -> x.x.x.x,53 udp
< Jun 15 15:48:11 dc0 208.185.54.14,1687 -> x.x.x.x,53 udp
< Jun 15 15:48:11 dc0 213.61.6.2,17613 -> x.x.x.x,53 udp
< Jun 15 15:48:11 dc0 207.235.98.194,54613 -> x.x.x.x,53 udp
< Jun 15 15:48:11 dc0 64.0.96.12,50831 -> x.x.x.x,53 udp
< Jun 15 15:48:11 dc0 209.240.77.130,39805 -> x.x.x.x,53 udp
< Jun 15 15:48:11 dc0 65.119.25.162,3058 -> x.x.x.x,53 udp
< Jun 15 15:48:11 dc0 204.176.88.5,8329 -> x.x.x.x,53 udp
< Jun 15 15:48:12 dc0 64.14.117.10,4502 -> x.x.x.x,53 udp
< Jun 15 15:48:12 dc0 212.62.17.145,54557 -> x.x.x.x,53 udp

-- 
Jason Dixon
RHCE

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and
tracking system please see: http://aris.securityfocus.com
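
Added example, not part of the original post: a Python sketch for triaging a log in the format shown above. It splits the entries into timed bursts, lists the sources that appear in both the ICMP and the UDP/53 phase, and flags sources that reuse one UDP source port across attempts. The function names, the 5-second burst gap and the sample addresses (documentation ranges) are assumptions made for this example.

```python
import re
from collections import defaultdict

LINE = re.compile(r"^<?\s*\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d)\s+\S+\s+"
                  r"([\d.]+)(?:,(\d+))?\s+->\s+\S+?(?:,(\d+))?\s+(\w+)\s*$")

def parse(text):
    """Return (second_of_day, src, sport, dport, proto) for each recognised line."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            h, mi, s, src, sport, dport, proto = m.groups()
            events.append((int(h) * 3600 + int(mi) * 60 + int(s), src,
                           int(sport) if sport else None,
                           int(dport) if dport else None, proto))
    return sorted(events, key=lambda e: e[0])

def bursts(events, gap=5):
    """Group events into bursts separated by more than `gap` seconds of silence."""
    groups = []
    for ev in events:
        if not groups or ev[0] - groups[-1][-1][0] > gap:
            groups.append([])
        groups[-1].append(ev)
    return groups

def summarize(text, gap=5):
    events = parse(text)
    icmp, dns_ports = defaultdict(int), defaultdict(list)
    for _, src, sport, dport, proto in events:
        if proto == "icmp":
            icmp[src] += 1
        elif proto == "udp" and dport == 53:
            dns_ports[src].append(sport)
    return {
        # one entry per burst: (protocols seen, distinct sources, packets)
        "bursts": [(sorted({e[4] for e in b}), len({e[1] for e in b}), len(b))
                   for b in bursts(events, gap)],
        # sources that sent ICMP and also UDP/53: the same hosts drive both phases
        "both_phases": sorted(set(icmp) & set(dns_ports)),
        # sources whose UDP/53 packets all reuse one source port (heuristic:
        # consistent with one query being retried rather than fresh lookups)
        "reused_sport": sorted(s for s, p in dns_ports.items()
                               if len(p) > 1 and len(set(p)) == 1),
    }

# Constructed sample in the post's log format; addresses are documentation ranges.
SRCS = {"192.0.2.10": 1687, "198.51.100.7": 32865, "203.0.113.5": 17613}
SAMPLE = "\n".join(
    [f"< Jun 15 15:47:{s} dc0 {ip} -> x.x.x.x icmp" for s in (31, 42, 52) for ip in SRCS]
    + [f"< Jun 15 15:48:{s:02d} dc0 {ip},{p} -> x.x.x.x,53 udp"
       for s in (1, 11) for ip, p in SRCS.items()])

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```

Passing the saved firewall log text to `summarize()` gives the same three views for real entries; lines that do not match the format are skipped.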