Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Security Incidents: Re: Strange scans - inquisitive question

Re: Strange scans - inquisitive question

From: Paul Rogers <paul.rogers_at_MIS-CDS.COM>
Date: Mon, 12 Jun 2000 10:10:34 +0100

I thought that would be the answer - thanks. But surely if they were
"scanning", we wouldn't get 10,000 connections from a host in one "session".
When the source is allegedly a dialup host, this sort of "scanning" would
surely flood their connection?

It's just annoying because the log files start getting large and are a pain
to sort through.

Cheers,

Paul Rogers,
Network Security Analyst.

MIS Corporate Defence Solutions Limited

Tel: +44 (0)1622 723422 (Direct Line)
                +44 (0)1622 723400 (Switchboard)
Fax: +44 (0)1622 728580
Website: http://www.mis-cds.com/

> -----Original Message-----
> From: Valdis.Kletnieks_at_vt.edu [mailto:Valdis.Kletnieks_at_vt.edu]
> Sent: 12 June 2000 05:31
> To: Paul Rogers
> Cc: INCIDENTS_at_SECURITYFOCUS.COM
> Subject: Re: Strange scans - inquisitive question
>
>
> On Fri, 09 Jun 2000 10:46:21 BST, Paul Rogers
> <paul.rogers_at_MIS-CDS.COM> said:
> > Last night we received some strange scans with a source
> port of 21 (ftp) and
> > a destination port of 7 (echo). The destination address was
> always the
> > network address. I was just wondering if anyone else had
> seen these scans or
> > whether anyone knew what they were looking for. The scans
> were performed
> > over TCP (protocol 6) and UDP (protocol 17).
>
> Well.. the destination port 7 (echo) over TCP and UDP is pretty
> obviously just scanning your net looking to see what machines answer.
>
> Why source of 21? To fool firewalls into thinking that it's an
> FTP connection, and that the packet in question is a return packet
> for something you sent to their well-known-port.
>
> Yes, that only works for TCP, since FTP doesn't run over UDP,
> but there's probably enough firewalls out there that blindly
> allow port 21 traffic without further sanity checking that using 21
> as the source port is A Big Win for the scanner...
>
> Valdis Kletnieks
> Operating Systems Analyst
> Virginia Tech
>

**********************************************************************
The information contained in this message or any of its attachments may be privileged and confidential and intended for the exclusive use of the addressee. If you are not the addressee any disclosure, reproduction, distribution or other dissemination or use of this communications is strictly prohibited.

The views expressed in this e-mail are those of the individual and not necessarily of MIS Corporate Defense Solutions Ltd. Any prices quoted are only valid if followed up by a formal written quote.

If you have received this transmission in error, please contact our Security Manager on 44 (0) 1622 723400.
**********************************************************************
Received on Jun 14 2000

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos