mailing list archives
Re: Serious Offshore Probes Detected & Defeated
From: "David J. Bianco" <david () vorant com>
Date: Mon, 01 Oct 2007 14:49:01 -0400
Hello, Jeffrey. I don't wish to sound too skeptical about your findings,
but I have a few questions about your findings. I have inserted them
into the text below.
jes1 () comcast net wrote:
(1) There are seven active sites in China:
188.8.131.52 - CNCGROUP Heilongjiang province network -Mudanjiang
184.108.40.206 - ChinaNet Guangdong Province Network - Guangzhou
220.127.116.11 - Data Communication Division - Beijing
18.104.22.168 - CNCGROUP Heilongjiang province network - Mudanjiang
22.214.171.124 - CNC Group Hebei province network - Hebei
126.96.36.199 - CHINANET Shanxi(SN) province network - Beijing
188.8.131.52 - Data Communication Division, Network Center of Fast China Shipbuilding institute - Zhenjiang
Of the seven sites listed above, 184.108.40.206 has attempted the most intense attack, installing Remote Access Java
Scripts as defined in my previous e-mail on detecting the China attack methods. None of the seven sites above were
successful against Shadow. All probes/attacks were detected and stopped.
Could you elaborate on the types of attacks you're seeing? "Installing
Remote Access Java Scripts" is not quite as useful without knowing how they
are attempting to do that. Was there a specific exploit they tried to
use to deface your website, or a certain misconfiguration they were
taking advantage of?
(2) Shadow has been detecting and securing our web site/network from 5 simultaneous probes/attacks from China, each
from a different city in China.
Sorry, but five doesn't seem to be a very high number. I see lots of
probes every day, much more than five. Also, can I assume that these
look more like automated, mass attacks rather than something more targeted
to the organization?
(3) We have been able to determine, the probes/attacks are evolving to a very advanced methodology, which no longer
depends on a successful ping (ICMP), and now start with a defined IP address, and cycles through every possible IP
combination within the IP address range. As an example, a probe starts with "100.100.100.001", launches a UDP packet
and/or TCP packet, then goes to "100.100.100.002", then "100.100.100.003", so forth and so on.
I assume that you're not trying to say that you've just discovered how
port sweeps work. Most mass attack tools work the way you describe.
If this is the state of your art, could that explain the low number for
#2? Or is there something else here that your writeup didn't really
(4) The other probes/attacks were from the following:
220.127.116.11 - Hanaro Telecom Co. - South Korea - Seocho
18.104.22.168 - CPSOFT - Australia - No City Identified
22.214.171.124 - Easynet Belgium, Cypres - Belgium - Brussel
126.96.36.199 - Shaw Communications - Canada - No City Identified
Again, without some information about what probes and attacks you saw
from these addresses, I have no way to evaluate the seriousness of
the activity. Would you care to elaborate?