RE: UDP Port Sweep question

From: Billy Dodson (billy_at_pmm-i.com)
Date: 12/29/04

  • Next message: David Gillett: "RE: UDP Port Sweep question"

Date: Wed, 29 Dec 2004 12:34:45 -0600
To: <dparker@bridonsecurity.com>

Here is some more info regarding the port sweeps. The port the client is being hit on seems to vary. The client is being hit on the same 8 port range from each IP, port 33434-33460. All 3 sensors from the 3 different clients show the same destination port range. The sensors are Cisco IDS sensors and I am unsure as to how to get the actual packet from the event.

-----Original Message-----
From: Don Parker [mailto:dparker@bridonsecurity.com]
Sent: Tuesday, December 28, 2004 5:12 PM
To: incidents@securityfocus.com; 'Billy Dodson'
Subject: Re: UDP Port Sweep question

Hello Billy,

Might I suggest you post some of the packets here? It is hard to make judgement calls without something to look at. Just sanitize the IPs prior to posting the packets.

Cheers,

Don

--------------------------------------------------------------
Don Parker, GCIA GCIH
Intrusion Detection & Incident Handling Specialist
Bridon Security & Training Services
http://www.bridonsecurity.com
voice: 1-613-302-2910
--------------------------------------------------------------

On Tue, 28 Dec 2004 22:31, 'Billy Dodson' <CraftedPacket@securitynerds.org> sent:

> I monitor 3 different sensors which are continuously pounded with network
> reconnaissance of all types. These sensors all belong to financial
> institutions. One thing that jumped out at me is "UDP Port Sweeps"
> events from about 15 different IP addresses which all belong to either IBM
> or Sequent (which was bought by IBM). I see these same IP addresses doing
> the same thing on all three sensors. I have contacted the clients and
> they do not deal with IBM or Sequent in any way. Are there legitimate
> types of traffic that would cause these events to fire? It is odd to me
> that I see them on all 3 sensors for 3 different companies but all happen
> to be in the financial industry. Thanks in advance for your input.

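As an added example (not from the thread or either poster), a small Python triage script that does what Billy describes doing by hand: it takes IDS event summaries (sensor, source, destination, destination port), keeps the UDP events whose destination port falls in the 33434-33460 band and reports the sources seen on all three sensors. The event tuples and addresses are constructed for the example; UDP 33434 is the IANA-registered traceroute port, which is the first legitimate-traffic hypothesis to compare such a band against before treating it as reconnaissance.

```python
from collections import defaultdict

# Constructed sample of Cisco-IDS-style "UDP Port Sweep" event summaries:
# (sensor name, source IP, destination IP, destination port). Addresses are
# documentation ranges, not the ones discussed in the thread.
EVENTS = [
    ("sensor-A", "192.0.2.10", "198.51.100.5", 33434),
    ("sensor-A", "192.0.2.10", "198.51.100.5", 33435),
    ("sensor-A", "192.0.2.10", "198.51.100.5", 33436),
    ("sensor-B", "192.0.2.10", "198.51.100.77", 33434),
    ("sensor-B", "192.0.2.10", "198.51.100.77", 33437),
    ("sensor-C", "192.0.2.10", "203.0.113.9", 33440),
    ("sensor-A", "192.0.2.44", "198.51.100.5", 53),      # unrelated UDP event
    ("sensor-B", "192.0.2.44", "198.51.100.77", 33434),  # in band, one sensor only
    ("sensor-A", "192.0.2.99", "198.51.100.5", 33450),
    ("sensor-C", "192.0.2.99", "203.0.113.9", 33451),
]

# UDP 33434 is the IANA-registered "traceroute" port and UDP traceroute
# implementations walk upward from it, so the 33434-33460 destination band
# reported in the thread is compared against this range first.
BAND_LO, BAND_HI = 33434, 33460


def in_band(dport, lo=BAND_LO, hi=BAND_HI):
    """True when the destination port lies inside the band of interest."""
    return lo <= dport <= hi


def correlate_sweeps(events, min_sensors=3, lo=BAND_LO, hi=BAND_HI):
    """Group in-band events by source IP and return, for each source seen on
    at least min_sensors distinct sensors, (sorted sensors, sorted ports)."""
    sensors = defaultdict(set)
    ports = defaultdict(set)
    for sensor, src, _dst, dport in events:
        if in_band(dport, lo, hi):
            sensors[src].add(sensor)
            ports[src].add(dport)
    return {
        src: (sorted(sensors[src]), sorted(ports[src]))
        for src in sensors
        if len(sensors[src]) >= min_sensors
    }


if __name__ == "__main__":
    for src, (seen_on, hit_ports) in correlate_sweeps(EVENTS).items():
        print(f"{src}: sensors={seen_on} dports={hit_ports}")
```

Lowering min_sensors widens the report to sources seen on fewer sensors; the output is a triage list to pull packets for, not a verdict.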