As Alan Hannan <alan_at_ROUTINGLOOP.COM> has noted, the 192.168.0.134 traffic may
have been noise from an NMAP scan and there may be a few probes from real
addresses in your 8000+ log entries.
There are a couple of other possibilities:
- SYN/FIN scans always trigger an IDS, and traffic from a non-routable address
should also raise some flags. Perhaps this is a DoS attack against your time and
focus, and maybe the black hat(s) were trying other, less protected doors at the
same time: attack(s) that your IDS missed, a web application attack transparent
to IDS and firewall, etc.
- the black hat(s) may have some way of monitoring your traffic upstream to see
the responses (unless you or someone upstream from you filters to prevent
transit of RFC 1918 addresses - I inadvertently did a traceroute to an RFC 1918
address and the traffic was using default routes to head for the Internet root
routing engines)
- ISPs and other upstream aggregators sometimes use RFC 1918 addresses for
intermediate routers and back-end support machines; if the black hats were able
to take over such an "inside" system, you'd see what you saw (I've seen reports
of traceroutes reporting intermediate gateway addresses from the RFC 1918 range,
and I've even done reverse DNS lookups on RFC 1918 addresses and got back
responses from a well-known service provider's name space)
/jc
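As an added example (not code from either poster in this thread), here is a small Python triage script that does the three checks the reply above implies: flag the SYN+FIN flag combination, test whether a source falls in RFC 1918 space (the three blocks are listed explicitly, because ipaddress's is_private is broader than RFC 1918), and say what a border ingress filter would do with such a packet. The log lines, the addresses (TEST-NET documentation blocks) and the threshold of three distinct targets for calling a source a scanner are constructed assumptions, not data from the original post.

```python
"""Triage a SYN/FIN scan reported from an RFC 1918 source.

Added example for this thread, not code from the list posters. The log
format, addresses and scan threshold below are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

# RFC 1918 ranges listed explicitly: ipaddress's is_private also covers
# loopback, link-local and 100.64/10, which is broader than RFC 1918.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed IDS-style records: timestamp, source, destination, TCP flags
# (S=SYN, F=FIN, A=ACK). Destinations use the TEST-NET-1 block 192.0.2.0/24.
SAMPLE_LOG = """\
2001-02-01T03:14:07 192.168.0.134 192.0.2.1 SF
2001-02-01T03:14:07 192.168.0.134 192.0.2.2 SF
2001-02-01T03:14:08 192.168.0.134 192.0.2.3 SF
2001-02-01T03:14:08 192.168.0.134 192.0.2.4 SF
2001-02-01T03:14:09 198.51.100.7 192.0.2.1 S
2001-02-01T03:14:09 198.51.100.7 192.0.2.1 A
2001-02-01T03:14:10 203.0.113.9 192.0.2.5 SF
2001-02-01T03:14:11 10.0.0.5 192.0.2.6 S
"""


def is_rfc1918(ip):
    """True if ip falls in one of the three RFC 1918 blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def is_syn_fin(flags):
    """SYN and FIN set together never occurs in a legitimate handshake;
    it is the classic SYN/FIN scan signature."""
    return "S" in flags and "F" in flags


def parse_log(text):
    """Parse the constructed whitespace-separated records into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, flags = line.split()
        records.append({"ts": ts, "src": src, "dst": dst, "flags": flags})
    return records


def border_ingress_verdict(src):
    """What a source-address ingress filter on the external interface does
    with a packet claiming an RFC 1918 source: drop it. Such a packet is
    either spoofed or leaked from an upstream box numbered in private space;
    either way the source cannot be reached across the Internet."""
    return "drop" if is_rfc1918(src) else "permit"


def summarize_sources(records, scan_threshold=3):
    """Per-source SYN/FIN count, distinct targets and a verdict. A source
    sending SYN/FIN to >= scan_threshold distinct hosts is called a scanner;
    a scanner with an RFC 1918 source is flagged as spoofed or leaked, the
    two explanations the reply above offers."""
    per_src = defaultdict(lambda: {"syn_fin": 0, "targets": set()})
    for r in records:
        entry = per_src[r["src"]]
        if is_syn_fin(r["flags"]):
            entry["syn_fin"] += 1
            entry["targets"].add(r["dst"])
    summary = {}
    for src, e in per_src.items():
        private = is_rfc1918(src)
        scanner = len(e["targets"]) >= scan_threshold
        summary[src] = {
            "syn_fin_packets": e["syn_fin"],
            "distinct_targets": len(e["targets"]),
            "rfc1918_source": private,
            "scanner": scanner,
            "ingress_filter": border_ingress_verdict(src),
            "spoofed_or_leaked": scanner and private,
        }
    return summary


if __name__ == "__main__":
    for src, info in summarize_sources(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

The per-source summary separates the two questions the thread raises: whether the source is scanning at all (SYN/FIN to many hosts) and whether its address could ever have been a real, answerable endpoint (an RFC 1918 source on the outside interface cannot). Anything marked spoofed_or_leaked is also exactly what a border ingress filter would have dropped before the IDS saw it.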
"Douglas P. Brown" <Doug_at_UNC.EDU> on 02/01/2001 07:29:57 AM
Please respond to "Douglas P. Brown" <Doug_at_UNC.EDU>
To: INCIDENTS_at_SECURITYFOCUS.COM
cc:
Subject: [INCIDENTS] Scans From 192.168.0.134
We are somewhat perplexed - our IDS reported 8000+ SYN FIN scans from a
non-routable address (192.168.0.134) to thousands of our hosts
yesterday. Our IDS setup is only seeing traffic that traverses our main
router. Has anyone seen this before? Am I missing something? Any
advice or direction you can offer would be greatly appreciated.
Cheers,
-DpB
--
Douglas P. Brown
University of North Carolina
I.T. Security Consultant
105 Abernethy Hall
----------------------------------------------------------------
The information transmitted is intended only for the person or entity to which
it is addressed and may contain confidential and/or privileged material. Any
review, retransmission, dissemination or other use of, or taking of any action
in reliance upon, this information by persons or entities other than the
intended recipient is prohibited. If you received this in error, please
contact the sender and delete the material from any computer.
Received on Feb 01 2001