Security Incidents mailing list archives

Distributed slow scan?
From: "A.L.Lambert" <alambert () EPICREALM COM>
Date: Thu, 16 Nov 2000 13:37:13 -0600

        I'm seeing some strange traffic that looks to me like a
distributed slow scan.

        Packet sig example:

xx/xx-xx:xx:xx x:x:x:x:x:x -> x:x:x:x:x:x type:0x800 len:0x3C
xxx.xxx.xxx.xxx:80 -> xxx.xxx.xxx.xxx:80 TCP TTL:54 TOS:0x0 ID:28446
******A* Seq: 0x3B5 Ack: 0x0 Win: 0x400

        TYPE, ACK, LEN, and TOS are always the same value, but SEQ and ID
appear random.

        Now, I note the src == dst, but the ID: doesn't match the "Mystery
Tool 11" (it seems random actually), nor does the distributed method seem
indicative of the aforementioned Mystery Tool.

        Other things worthy of note:

        Source IPs are all over the map, but I have noticed a few that
seem to be scattered in the same netblock.

        A single src addr will hit a host in say, 63.x.x.x, another in
216.x.x.x, and another in 62.x.x.x, etc. at a fairly rapid rate (usually a
packet every 30-90 seconds), but a single src addr will never hit two hosts
in the same netblock.

        Cross-referencing the source IPs in my IDS history logs reveals
no history of abuse from either the specific source hosts, nor the
netblocks they originate from.

        Ummm... I think that's all I can think of at the moment.  I'll
definitely be investigating this more, but I thought I might throw it out
to the list and let some sharper wits than mine have a look at it, and
maybe get some interesting feedback.  Cheers!

        --A.L.Lambert
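The post gives a Snort 1.x style packet record and a list of invariants (ACK-only TCP, port 80 to port 80, fixed len/TOS/window, random ID and seq, one packet every 30-90 s from each source, no source touching two hosts in one netblock). The following is an added example, not code from the post or from Snort: it parses records in that three-line format, filters on the reported invariants, and then summarises per source address how many first-octet netblocks it hit, whether it ever repeated a netblock, and whether every inter-packet gap sits inside the 30-90 s window. The log lines, MAC addresses and IP addresses are constructed for the example (documentation ranges), the year is assumed to be 2000 because the timestamp format carries no year, and the "netblock" granularity of first octet mirrors the 63.x.x.x notation in the post rather than any real allocation boundary.

```python
"""Detector for the 'distributed slow scan' pattern described in the post.

Added example, not the poster's or Snort's code.  Parses Snort 1.x style
three-line packet records (as in the post), keeps packets matching the
reported invariants, and correlates them per source address.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# One record = header line, IP line, TCP line (TCP records only, as in the post).
HDR_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d) (\S+) -> (\S+) type:0x([0-9A-Fa-f]+) len:0x([0-9A-Fa-f]+)$")
IP_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (\w+) TTL:(\d+) TOS:0x([0-9A-Fa-f]+) ID:(\d+)$")
TCP_RE = re.compile(r"^([*12UAPRSF]{8}) Seq: 0x([0-9A-Fa-f]+) Ack: 0x([0-9A-Fa-f]+) Win: 0x([0-9A-Fa-f]+)$")

# Constructed sample log (documentation address ranges, made-up MACs).  Source
# 198.51.100.23 behaves like the post describes; 203.0.113.9 hits the same
# netblock twice, 2 s apart; the last record is an ordinary SYN to port 80.
SAMPLE_LOG = """\
11/16-13:00:00 0:A0:C9:1:2:3 -> 0:10:4B:4:5:6 type:0x800 len:0x3C
198.51.100.23:80 -> 63.1.2.3:80 TCP TTL:54 TOS:0x0 ID:28446
******A* Seq: 0x3B5 Ack: 0x0 Win: 0x400

11/16-13:00:45 0:A0:C9:1:2:3 -> 0:10:4B:4:5:6 type:0x800 len:0x3C
198.51.100.23:80 -> 216.9.8.7:80 TCP TTL:54 TOS:0x0 ID:7011
******A* Seq: 0x1F2A Ack: 0x0 Win: 0x400

11/16-13:01:45 0:A0:C9:1:2:3 -> 0:10:4B:4:5:6 type:0x800 len:0x3C
198.51.100.23:80 -> 62.4.4.4:80 TCP TTL:54 TOS:0x0 ID:52100
******A* Seq: 0xC01 Ack: 0x0 Win: 0x400

11/16-13:00:10 0:A0:C9:1:2:3 -> 0:10:4B:4:5:6 type:0x800 len:0x3C
203.0.113.9:80 -> 63.1.2.3:80 TCP TTL:54 TOS:0x0 ID:913
******A* Seq: 0x77 Ack: 0x0 Win: 0x400

11/16-13:00:12 0:A0:C9:1:2:3 -> 0:10:4B:4:5:6 type:0x800 len:0x3C
203.0.113.9:80 -> 63.1.2.9:80 TCP TTL:54 TOS:0x0 ID:914
******A* Seq: 0x78 Ack: 0x0 Win: 0x400

11/16-13:00:20 0:A0:C9:1:2:3 -> 0:10:4B:4:5:6 type:0x800 len:0x3C
192.0.2.5:1234 -> 63.1.2.3:80 TCP TTL:64 TOS:0x0 ID:1
******S* Seq: 0xABCD Ack: 0x0 Win: 0x4000
"""


def parse_log(text):
    """Parse blank-line separated three-line TCP records into dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 3:
        raise ValueError("truncated record at end of log")
    packets = []
    for i in range(0, len(lines), 3):
        h, n, t = HDR_RE.match(lines[i]), IP_RE.match(lines[i + 1]), TCP_RE.match(lines[i + 2])
        if not (h and n and t):
            raise ValueError("unrecognised record starting: " + lines[i])
        packets.append({
            # Year assumed: the format has none, the post is from Nov 2000.
            "time": datetime.strptime("2000/" + h.group(1), "%Y/%m/%d-%H:%M:%S"),
            "ethertype": int(h.group(4), 16), "len": int(h.group(5), 16),
            "src": ip_address(n.group(1)), "sport": int(n.group(2)),
            "dst": ip_address(n.group(3)), "dport": int(n.group(4)),
            "proto": n.group(5), "ttl": int(n.group(6)),
            "tos": int(n.group(7), 16), "id": int(n.group(8)),
            "flags": t.group(1), "seq": int(t.group(2), 16),
            "ack": int(t.group(3), 16), "win": int(t.group(4), 16),
        })
    return packets


def matches_signature(p):
    """The invariants the post reports: ACK-only TCP, 80 -> 80, len 0x3C, TOS 0, Win 0x400."""
    return (p["proto"] == "TCP" and p["flags"] == "******A*"
            and p["sport"] == 80 and p["dport"] == 80
            and p["len"] == 0x3C and p["tos"] == 0 and p["win"] == 0x400)


def correlate(packets, min_gap=30, max_gap=90):
    """Per source: distinct first-octet netblocks hit, netblock repeats,
    src == dst ('land' style) occurrences, and whether all gaps are slow."""
    by_src = defaultdict(list)
    for p in packets:
        if matches_signature(p):
            by_src[p["src"]].append(p)
    report = {}
    for src, pkts in by_src.items():
        pkts.sort(key=lambda p: p["time"])
        blocks = [p["dst"].packed[0] for p in pkts]          # 63.x.x.x -> 63
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(pkts, pkts[1:])]
        report[str(src)] = {
            "packets": len(pkts),
            "netblocks": len(set(blocks)),
            "repeats_netblock": len(set(blocks)) < len(blocks),
            "land_style": any(p["src"] == p["dst"] for p in pkts),
            "slow": bool(gaps) and all(min_gap <= g <= max_gap for g in gaps),
            "gaps": gaps,
        }
    return report


def suspicious(report, min_netblocks=3):
    """Sources that spread over several netblocks, never repeat one, and pace themselves."""
    return sorted(src for src, s in report.items()
                  if s["netblocks"] >= min_netblocks and not s["repeats_netblock"] and s["slow"])


if __name__ == "__main__":
    rep = correlate(parse_log(SAMPLE_LOG))
    for src, s in rep.items():
        print(src, s)
    print("suspicious:", suspicious(rep))
```

The per-source summary is deliberately kept as data rather than a verdict, so the 30-90 s window, the netblock granularity and the minimum number of netblocks can be tuned against real captures; a source whose gaps fall outside the window or that revisits a netblock still shows up in the report, just not in the suspicious list.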
