Security Incidents
mailing list archives
RE: Distributed ICMP/UDP scan or attack?
From: "Boyan Krosnov" <bkrosnov () lirex bg>
Date: Tue, 18 Jun 2002 00:42:48 +0300
Do not block all ICMP unless you understand the consequences.
Block ICMP echo only.
http://216.239.51.100/search?q=cache:4gLAFdrzNpQC:www.worldgate.com/~marcs/mtu/+ip+pmtu+icmp+problem&hl=en
BR,
Boyan Krosnov, CCIE#8701
Just another techie speaking for himself
-----Original Message-----
From: J Jewitt [mailto:jjewitt2001 () yahoo com]
Sent: Monday, June 17, 2002 8:31 PM
To: Jason Dixon; incidents () securityfocus com
Subject: Re: Distributed ICMP/UDP scan or attack?
Looks to me like a ping followed by a UDP connect. Ten extra IP addresses were probably inserted as decoys. I would assert that only one of those eleven IPs is your scanner.

I believe that NMAP would look like this, if configured to ping first and use ten decoys. Blocking ICMP at your firewall is a good way to mitigate blind scans.
J Jewitt
--- Jason Dixon <jasondixon () myrealbox com> wrote:
Hi all:

Please excuse me if this is a newbie question, I'm not sure how to go about searching for answers on intrusion/scanner patterns and the like. I noticed this series of scans/connections in my firewall log this morning. The first thing that came to mind was the Bind 9 vulnerability, but there aren't any exploits available yet, IIRC.

As you can see, there was a series of three icmp queries followed by two unsuccessful DNS connections. Has anyone seen this?
< Jun 15 15:47:31 dc0 208.185.54.14 -> x.x.x.x icmp
< Jun 15 15:47:31 dc0 64.15.251.198 -> x.x.x.x icmp
< Jun 15 15:47:31 dc0 213.61.6.2 -> x.x.x.x icmp
< Jun 15 15:47:31 dc0 207.235.98.194 -> x.x.x.x icmp
< Jun 15 15:47:31 dc0 64.0.96.12 -> x.x.x.x icmp
< Jun 15 15:47:31 dc0 209.240.77.130 -> x.x.x.x icmp
< Jun 15 15:47:31 dc0 65.119.25.162 -> x.x.x.x icmp
< Jun 15 15:47:31 dc0 204.176.88.5 -> x.x.x.x icmp
< Jun 15 15:47:32 dc0 64.14.117.10 -> x.x.x.x icmp
< Jun 15 15:47:32 dc0 212.62.17.145 -> x.x.x.x icmp
< Jun 15 15:47:42 dc0 64.15.251.198 -> x.x.x.x icmp
< Jun 15 15:47:42 dc0 208.185.54.14 -> x.x.x.x icmp
< Jun 15 15:47:42 dc0 213.61.6.2 -> x.x.x.x icmp
< Jun 15 15:47:42 dc0 207.235.98.194 -> x.x.x.x icmp
< Jun 15 15:47:42 dc0 64.0.96.12 -> x.x.x.x icmp
< Jun 15 15:47:42 dc0 209.240.77.130 -> x.x.x.x icmp
< Jun 15 15:47:42 dc0 204.176.88.5 -> x.x.x.x icmp
< Jun 15 15:47:42 dc0 65.119.25.162 -> x.x.x.x icmp
< Jun 15 15:47:43 dc0 64.14.117.10 -> x.x.x.x icmp
< Jun 15 15:47:43 dc0 212.62.17.145 -> x.x.x.x icmp
< Jun 15 15:47:52 dc0 208.185.54.14 -> x.x.x.x icmp
< Jun 15 15:47:52 dc0 64.15.251.198 -> x.x.x.x icmp
< Jun 15 15:47:52 dc0 213.61.6.2 -> x.x.x.x icmp
< Jun 15 15:47:52 dc0 207.235.98.194 -> x.x.x.x icmp
< Jun 15 15:47:52 dc0 64.0.96.12 -> x.x.x.x icmp
< Jun 15 15:47:52 dc0 209.240.77.130 -> x.x.x.x icmp
< Jun 15 15:47:52 dc0 65.119.25.162 -> x.x.x.x icmp
< Jun 15 15:47:52 dc0 204.176.88.5 -> x.x.x.x icmp
< Jun 15 15:47:52 dc0 64.14.117.10 -> x.x.x.x icmp
< Jun 15 15:47:53 dc0 212.62.17.145 -> x.x.x.x icmp
< Jun 15 15:48:01 dc0 208.185.54.14,1687 -> x.x.x.x,53 udp
< Jun 15 15:48:01 dc0 64.15.251.198,32865 -> x.x.x.x,53 udp
< Jun 15 15:48:01 dc0 213.61.6.2,17613 -> x.x.x.x,53 udp
< Jun 15 15:48:01 dc0 207.235.98.194,54613 -> x.x.x.x,53 udp
< Jun 15 15:48:01 dc0 64.0.96.12,50831 -> x.x.x.x,53 udp
< Jun 15 15:48:02 dc0 209.240.77.130,39805 -> x.x.x.x,53 udp
< Jun 15 15:48:02 dc0 65.119.25.162,3058 -> x.x.x.x,53 udp
< Jun 15 15:48:02 dc0 204.176.88.5,8329 -> x.x.x.x,53 udp
< Jun 15 15:48:02 dc0 64.14.117.10,4502 -> x.x.x.x,53 udp
< Jun 15 15:48:02 dc0 212.62.17.145,54557 -> x.x.x.x,53 udp
< Jun 15 15:48:11 dc0 64.15.251.198,32865 -> x.x.x.x,53 udp
< Jun 15 15:48:11 dc0 208.185.54.14,1687 -> x.x.x.x,53 udp
< Jun 15 15:48:11 dc0 213.61.6.2,17613 -> x.x.x.x,53 udp
< Jun 15 15:48:11 dc0 207.235.98.194,54613 -> x.x.x.x,53 udp
< Jun 15 15:48:11 dc0 64.0.96.12,50831 -> x.x.x.x,53 udp
< Jun 15 15:48:11 dc0 209.240.77.130,39805 -> x.x.x.x,53 udp
< Jun 15 15:48:11 dc0 65.119.25.162,3058 -> x.x.x.x,53 udp
< Jun 15 15:48:11 dc0 204.176.88.5,8329 -> x.x.x.x,53 udp
< Jun 15 15:48:12 dc0 64.14.117.10,4502 -> x.x.x.x,53 udp
< Jun 15 15:48:12 dc0 212.62.17.145,54557 -> x.x.x.x,53 udp
--
Jason Dixon
RHCE
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
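The ping-then-UDP shape Jewitt describes can be picked out of a packet-filter log mechanically. The detector below is an added example written for this archive page, not code from anyone in the thread: it parses lines in the format of Jason's firewall log, groups them into bursts of many distinct sources per protocol and destination port, and pairs an ICMP burst with a following UDP burst from the same source set. The embedded sample is the first ICMP round and the first UDP round copied from the post; the window, gap and minimum-source thresholds, and the year 2002 used to complete the timestamps (the log carries none), are assumptions.

```python
"""Added example, not code from the thread: parse firewall log lines in the
format posted above and flag a synchronized multi-source probe (an ICMP sweep
followed shortly by UDP probes from the same sources).  Thresholds and the
year 2002 (the log has none; it is the post date) are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Copied from the post with the "< " quote prefix removed; only the first
# ICMP round and the first UDP round are included to keep the sample short.
SAMPLE_LOG = """\
Jun 15 15:47:31 dc0 208.185.54.14 -> x.x.x.x icmp
Jun 15 15:47:31 dc0 64.15.251.198 -> x.x.x.x icmp
Jun 15 15:47:31 dc0 213.61.6.2 -> x.x.x.x icmp
Jun 15 15:47:31 dc0 207.235.98.194 -> x.x.x.x icmp
Jun 15 15:47:31 dc0 64.0.96.12 -> x.x.x.x icmp
Jun 15 15:47:31 dc0 209.240.77.130 -> x.x.x.x icmp
Jun 15 15:47:31 dc0 65.119.25.162 -> x.x.x.x icmp
Jun 15 15:47:31 dc0 204.176.88.5 -> x.x.x.x icmp
Jun 15 15:47:32 dc0 64.14.117.10 -> x.x.x.x icmp
Jun 15 15:47:32 dc0 212.62.17.145 -> x.x.x.x icmp
Jun 15 15:48:01 dc0 208.185.54.14,1687 -> x.x.x.x,53 udp
Jun 15 15:48:01 dc0 64.15.251.198,32865 -> x.x.x.x,53 udp
Jun 15 15:48:01 dc0 213.61.6.2,17613 -> x.x.x.x,53 udp
Jun 15 15:48:01 dc0 207.235.98.194,54613 -> x.x.x.x,53 udp
Jun 15 15:48:01 dc0 64.0.96.12,50831 -> x.x.x.x,53 udp
Jun 15 15:48:02 dc0 209.240.77.130,39805 -> x.x.x.x,53 udp
Jun 15 15:48:02 dc0 65.119.25.162,3058 -> x.x.x.x,53 udp
Jun 15 15:48:02 dc0 204.176.88.5,8329 -> x.x.x.x,53 udp
Jun 15 15:48:02 dc0 64.14.117.10,4502 -> x.x.x.x,53 udp
Jun 15 15:48:02 dc0 212.62.17.145,54557 -> x.x.x.x,53 udp
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"(?P<src>[\d.]+)(?:,(?P<sport>\d+))? -> [\w.]+(?:,(?P<dport>\d+))? (?P<proto>\w+)$")

def parse(log, year=2002):
    """One dict per recognised line, sorted by time; other lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                   "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "src": m["src"], "proto": m["proto"],
                           "sport": int(m["sport"]) if m["sport"] else None,
                           "dport": int(m["dport"]) if m["dport"] else None})
    return sorted(events, key=lambda e: e["ts"])

def find_bursts(events, window=2, min_sources=5):
    """A burst: events to one (proto, dport) that arrive within `window`
    seconds of the first one, from at least `min_sources` distinct addresses."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["proto"], e["dport"])].append(e)
    bursts = []
    for (proto, dport), evs in by_key.items():
        run = [evs[0]]
        for e in evs[1:] + [None]:          # None flushes the last run
            if e and (e["ts"] - run[0]["ts"]).total_seconds() <= window:
                run.append(e)
                continue
            srcs = {r["src"] for r in run}
            if len(srcs) >= min_sources:
                bursts.append({"proto": proto, "dport": dport,
                               "start": run[0]["ts"], "sources": srcs})
            run = [e]
    return sorted(bursts, key=lambda b: b["start"])

def correlate(bursts, max_gap=60, min_overlap=0.8):
    """Pair each ICMP burst with the first later UDP burst whose source set
    overlaps it by at least `min_overlap`: the ping-then-probe shape."""
    findings = []
    for i, ping in enumerate(bursts):
        if ping["proto"] != "icmp":
            continue
        for probe in bursts[i + 1:]:
            gap = (probe["start"] - ping["start"]).total_seconds()
            shared = ping["sources"] & probe["sources"]
            if (probe["proto"] == "udp" and gap <= max_gap
                    and len(shared) / len(ping["sources"]) >= min_overlap):
                findings.append({"icmp_at": ping["start"], "udp_at": probe["start"],
                                 "dport": probe["dport"], "gap_s": gap,
                                 "sources": sorted(shared)})
                break
    return findings

def analyse(log):
    events = parse(log)
    bursts = find_bursts(events)
    return {"events": len(events), "bursts": bursts, "findings": correlate(bursts)}

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG)["findings"]:
        print(f"{len(f['sources'])} sources: ICMP at {f['icmp_at']:%H:%M:%S}, "
              f"then UDP/{f['dport']} {f['gap_s']:.0f}s later from the same set")
```

Run as a script it prints one line per finding; lower `min_sources` to catch smaller decoy sets and widen `max_gap` for slower scanners. The detector reports the whole source set because a stateless filter log of this kind shows only addresses as they arrived on the wire; it does not by itself identify which address, if any, originated the probes.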