Security Incidents mailing list archives
Re: scans on ports 3072 and 1024, why?
From: Bill Royds <Bill_Royds () PCH GC CA>
Date: Thu, 28 Dec 2000 15:53:17 -0500
We have been getting the same traffic hitting our firewall. More interestingly, it is being sent to non-existent hosts behind our firewall which could never have sent the original packets, and we do not allow IRC out anyway. It could be replies to spoofed packets or a way of probing for servers. Here are some firewall logs (sanitized as to our address) showing this:

logfile.20001224:Dec 24 16:15:58.327 gate kernel: 232 Sending ICMP host (prohibited) unreachable. Original packet (dalnet.away.net[199.173.178.1]->server.seg.ip.83: Protocol=TCP[SYN ACK] Port 6667->3072) received on interface external.ip.address
logfile.20001224:Dec 24 16:36:05.964 gate kernel: 232 Sending ICMP host (prohibited) unreachable. Original packet (irc2.erols.com[207.96.122.252]->server.seg.ip.88: Protocol=TCP[SYN ACK] Port 6667->3072) received on interface external.ip.address
logfile.20001224:Dec 24 16:36:05.964 gate kernel: 232 Sending ICMP host (prohibited) unreachable. Original packet (irc2.erols.com[207.96.122.252]->server.seg.ip.88: Protocol=TCP[RST ACK] Port 6667->3072) received on interface external.ip.address
logfile.20001224:Dec 24 16:52:28.768 gate kernel: 232 Sending ICMP host (prohibited) unreachable. Original packet (ircd.east.gblx.net[208.50.84.44]->server.seg.ip.84: Protocol=TCP[RST] Port 52770->45062) received on interface external.ip.address
logfile.20001224:Dec 24 19:43:59.644 gate kernel: 232 Sending ICMP host (prohibited) unreachable. Original packet (dalnet.splitrock.net[209.254.98.88]->server.seg.ip.94: Protocol=TCP[SYN ACK] Port 6667->1024) received on interface external.ip.address
logfile.20001224:Dec 24 19:43:59.645 gate kernel: 232 Sending ICMP host (prohibited) unreachable. Original packet (dalnet.splitrock.net[209.254.98.88]->server.seg.ip.94: Protocol=TCP[RST ACK] Port 6667->1024) received on interface external.ip.address

There are many more like this.
Conor McGrath <conormc () uchicago edu> on 12/28/2000 02:42:27 PM
Please respond to Conor McGrath <conormc () uchicago edu>
To: INCIDENTS () SECURITYFOCUS COM
cc: (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: scans on ports 3072 and 1024, why?

We've been seeing lots of scans of IPs in our address space with the destination ports of 1024 and 3072. They are always paired like that, although they don't hit the same IP on both ports, as far as I can tell. The source ports are most often typical IRC server ports (6667 and 6668), but sometimes they are sourced from ports 80 and 7325. It's not IRC traffic, as IRC servers aren't supposed to be sending packets to 6400 different IPs in one class B range without having 6400 different clients connect first. Also, often it is only one packet being sent.

Now, a number of the suspect machines are Dalnet servers, but there is also a Microsoft web server and a few other random hosts that are not, as far as I can tell, running any kind of IRC service. If someone really would like them I could provide sanitized netflow logs, but it's a lot of data so I won't post any of it without someone asking.

As I look back at the flow summaries from months ago (we don't keep the actual logs themselves around for very long) I can see that this started very subtly on the 30th or 31st of July. Since the 24th of December the intensity has picked up quite a bit. In the last five days we have been scanned by more than a dozen different hosts. Since July I would guesstimate that number to be at least three times that many.

So, any ideas?

--
Conor McGrath                                   Phone: (773)702-7611
Network Security Officer                        Fax: (773)702-0559
Network Security Center, The University of Chicago
PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml
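Bill's point that these are SYN ACK / RST ACK packets aimed at hosts that never sent anything is the key observation: a server only sends those as the second packet of a handshake, so receiving them unsolicited means someone else's SYNs carried our addresses as a forged source (backscatter), which is a different problem from a direct scan. The following is an added example, not code from either poster: it parses the firewall log format quoted above (the five sample lines are the ones from the post, embedded as constructed input), separates packets that can only be replies from packets that could be probes, and tallies per source how many fit the IRC-server-port to 1024/3072 pattern Conor describes. The port sets and the "unsolicited reply" rule are my assumptions drawn from the thread, not a standard.

```python
import re
from collections import defaultdict

# Constructed input: the five firewall lines quoted in the post, same format.
SAMPLE_LOG = """\
logfile.20001224:Dec 24 16:15:58.327 gate kernel: 232 Sending ICMP host (prohibited) unreachable. Original packet (dalnet.away.net[199.173.178.1]->server.seg.ip.83: Protocol=TCP[SYN ACK] Port 6667->3072) received on interface external.ip.address
logfile.20001224:Dec 24 16:36:05.964 gate kernel: 232 Sending ICMP host (prohibited) unreachable. Original packet (irc2.erols.com[207.96.122.252]->server.seg.ip.88: Protocol=TCP[SYN ACK] Port 6667->3072) received on interface external.ip.address
logfile.20001224:Dec 24 16:36:05.964 gate kernel: 232 Sending ICMP host (prohibited) unreachable. Original packet (irc2.erols.com[207.96.122.252]->server.seg.ip.88: Protocol=TCP[RST ACK] Port 6667->3072) received on interface external.ip.address
logfile.20001224:Dec 24 16:52:28.768 gate kernel: 232 Sending ICMP host (prohibited) unreachable. Original packet (ircd.east.gblx.net[208.50.84.44]->server.seg.ip.84: Protocol=TCP[RST] Port 52770->45062) received on interface external.ip.address
logfile.20001224:Dec 24 19:43:59.644 gate kernel: 232 Sending ICMP host (prohibited) unreachable. Original packet (dalnet.splitrock.net[209.254.98.88]->server.seg.ip.94: Protocol=TCP[SYN ACK] Port 6667->1024) received on interface external.ip.address
"""

IRC_PORTS = {6667, 6668}      # source ports the thread reports (assumption)
PAIRED_DPORTS = {1024, 3072}  # destination ports the thread reports (assumption)
LINE_RE = re.compile(
    r"Original packet \((?P<src_host>[^\[]+)\[(?P<src_ip>[\d.]+)\]->(?P<dst>[^:]+): "
    r"Protocol=TCP\[(?P<flags>[^\]]+)\] Port (?P<sport>\d+)->(?P<dport>\d+)\)"
)

def parse(log):
    """Turn each rejected-packet line into a dict of its addresses, flags and ports."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["flags"] = frozenset(ev["flags"].split())
            ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
            events.append(ev)
    return events

def is_unsolicited_reply(ev):
    # SYN ACK, RST ACK and RST answer a connection attempt; they are never the first
    # packet. Arriving for hosts that never sent a SYN (or do not exist), they point
    # to a SYN whose source address was forged into our range: backscatter.
    return "ACK" in ev["flags"] or "RST" in ev["flags"]

def summarize(events):
    """Per source: unsolicited replies, our addresses 'answered', and how many
    fit the IRC-server-port -> 1024/3072 pattern the thread describes."""
    by_src = defaultdict(lambda: {"host": "", "replies": 0, "targets": set(), "irc_pattern": 0})
    for ev in events:
        if not is_unsolicited_reply(ev):
            continue
        rec = by_src[ev["src_ip"]]
        rec["host"], rec["replies"] = ev["src_host"], rec["replies"] + 1
        rec["targets"].add(ev["dst"])
        if ev["sport"] in IRC_PORTS and ev["dport"] in PAIRED_DPORTS:
            rec["irc_pattern"] += 1
    return dict(by_src)
```

A source whose replies all fit the pattern and land on addresses that never originate traffic is a victim of spoofed SYNs rather than a scanner, which changes who you contact about it.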