Security Incidents mailing list archives

Re: Strange scans - inquisitive question


From: Valdis.Kletnieks () VT EDU (Valdis Kletnieks)
Date: Mon, 12 Jun 2000 00:30:31 -0400


On Fri, 09 Jun 2000 10:46:21 BST, Paul Rogers <paul.rogers () MIS-CDS COM> said:
> Last night we received some strange scans with a source port of 21 (ftp) and
> a destination port of 7 (echo). The destination address was always the
> network address. I was just wondering if anyone else had seen these scans or
> whether anyone knew what they were looking for. The scans were performed
> over TCP (protocol 6) and UDP (protocol 17).

Well.. the destination port 7 (echo) over TCP and UDP is pretty
obviously just scanning your net looking to see what machines answer.

Why source of 21?  To fool firewalls into thinking that it's an
FTP connection, and that the packet in question is a return packet
for something you sent to their well-known-port.

Yes, that only works for TCP, since FTP doesn't run over UDP,
but there's probably enough firewalls out there that blindly
allow port 21 traffic without further sanity checking that using 21
as the source port is A Big Win for the scanner...

                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech

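The sanity checks Valdis says many firewalls skip, as an added example that is not part of the thread: a small Python filter over constructed log lines (documentation-range addresses, a made-up "time proto src:sport > dst:dport flags" format) that flags packets dressed up as FTP return traffic, i.e. UDP from port 21, a bare SYN from port 21, probes to port 7, and anything aimed at the network address. The /24 prefix length is an assumption.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags such as "S", "SA", "A"; "" for UDP

def parse_line(line: str) -> Packet:
    """Parse a constructed log line: '<date> <time> <proto> <src>:<sport> > <dst>:<dport> [<flags>]'."""
    fields = line.split()
    proto, src, dst = fields[2].lower(), fields[3], fields[5]
    flags = fields[6] if len(fields) > 6 else ""
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Packet(proto, src_ip, int(sport), dst_ip, int(dport), flags)

def suspicious_reasons(pkt: Packet, prefix_len: int = 24) -> list:
    """Checks a stateless 'allow anything from port 21' rule never makes."""
    reasons = []
    if pkt.sport == 21:
        if pkt.proto == "udp":
            reasons.append("UDP from port 21: FTP does not run over UDP")
        elif "S" in pkt.flags and "A" not in pkt.flags:
            reasons.append("bare SYN from port 21: a real FTP reply would carry ACK")
    if pkt.dport == 7:
        reasons.append("destination port 7 (echo): host discovery probe")
    net = ipaddress.ip_network(f"{pkt.dst}/{prefix_len}", strict=False)  # assumed /24
    if pkt.dst == str(net.network_address):
        reasons.append("destination is the network address")
    return reasons

# Constructed sample lines (not real logs): two spoofed "FTP" probes, one
# genuine-looking FTP reply, one ordinary outbound-style web SYN.
SAMPLE_LOG = [
    "2000-06-08 23:14:02 tcp 192.0.2.10:21 > 203.0.113.0:7 S",
    "2000-06-08 23:14:02 udp 192.0.2.10:21 > 203.0.113.0:7",
    "2000-06-08 23:14:05 tcp 192.0.2.10:21 > 203.0.113.25:51020 SA",
    "2000-06-08 23:14:09 tcp 192.0.2.77:40001 > 203.0.113.25:80 S",
]

def scan_log(lines, prefix_len=24):
    """Return {line: reasons} for every line that trips at least one check."""
    hits = {}
    for line in lines:
        reasons = suspicious_reasons(parse_line(line), prefix_len)
        if reasons:
            hits[line] = reasons
    return hits

if __name__ == "__main__":
    for line, why in scan_log(SAMPLE_LOG).items():
        print(line, "->", "; ".join(why))
```

A stateful firewall makes the same decision by only admitting port-21 traffic that belongs to a connection the inside host opened; these checks are what you are left with when the filter is stateless.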