Security Incidents mailing list archives

Re: Automated, Distributed Port Scan


From: epadin () WAGWEB COM (Ed Padin)
Date: Tue, 9 May 2000 14:16:22 -0400


When you get scanned by a bunch of hosts but only one seems to engage in
two-way comm, it's probably the nmap spoof/decoy option.

From nmap help screen:
"* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys"

It spoofs a bunch of addresses but only one is the real culprit. It's
supposed to confuse the target admin by using all the addresses and making
it hard to trace the real guy. In your case, it looks like you found the
real address that was scanning you. I wouldn't worry about it too much tho.
These types of scans happen all the time. There are thousands of script
kiddies out there looking to exploit systems. You can go to www.samspade.org
and find info on your culprit. I wouldn't complain to their ISP unless it
keeps happening. It's probably not a bad idea to scan your network yourself
for known exploits.

-----Original Message-----
From: E. Larry Lidz [mailto:ellidz () ERIDU UCHICAGO EDU]
Sent: Monday, May 08, 2000 3:30 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Automated, Distributed Port Scan


We seem to have been the victims of what appears to be an automated
distributed port scan. Over the weekend we were scanned for Netbus by
30 (or so) different machines. We have confirmed that there was two-way
tcp traffic to at least one host on our network, so we do not believe
that the source was spoofed.

Each scan scanned a different set of machines on our network. From a
quick look, there appears to have been little to no overlap (that is,
machine A was not scanned from any two different sources).

Looking at the times and the source of the scans, most of the scans
lasted almost exactly 20 minutes -- this makes me think that it is
likely automated. Sometimes there were pauses between the scans,
sometimes there weren't.

The scans came from a variety of sites, but generally standard targets
-- ISPs, Brazil, Korea, Austria, etc.

-Larry
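
One way to check the two explanations in this thread against connection logs (an added example, not from either poster): with nmap decoys every source address probes the same targets, whereas the original report saw no target overlap between sources. The log format, addresses and thresholds below are constructed assumptions.

```python
from itertools import combinations

# Constructed sample records: "source target flag_sent_by_source".
# ACK here means the source completed the TCP handshake (two-way traffic).
DISTRIBUTED = """\
198.51.100.7 10.0.0.1 SYN
198.51.100.7 10.0.0.2 SYN
198.51.100.7 10.0.0.2 ACK
203.0.113.9 10.0.0.3 SYN
203.0.113.9 10.0.0.4 SYN
203.0.113.9 10.0.0.4 ACK
192.0.2.44 10.0.0.5 SYN
192.0.2.44 10.0.0.6 SYN
"""
DECOY = """\
198.51.100.7 10.0.0.1 SYN
198.51.100.7 10.0.0.2 SYN
203.0.113.9 10.0.0.1 SYN
203.0.113.9 10.0.0.2 SYN
203.0.113.9 10.0.0.2 ACK
192.0.2.44 10.0.0.1 SYN
192.0.2.44 10.0.0.2 SYN
"""

def summarize(log):
    """Return per-source target sets, sources with two-way traffic, mean overlap."""
    targets, two_way = {}, set()
    for line in log.splitlines():
        src, dst, flag = line.split()
        targets.setdefault(src, set()).add(dst)
        if flag == "ACK":
            two_way.add(src)
    pairs = list(combinations(targets.values(), 2))
    # Mean Jaccard overlap of target sets across every pair of sources.
    jaccard = [len(a & b) / len(a | b) for a, b in pairs]
    overlap = sum(jaccard) / len(jaccard) if jaccard else 0.0
    return targets, two_way, overlap

def classify(log, high=0.8, low=0.2):
    """Heuristic verdict; the thresholds are illustrative assumptions."""
    _, two_way, overlap = summarize(log)
    if overlap >= high and len(two_way) <= 1:
        return "decoy-like"        # same targets from all sources, one real talker
    if overlap <= low:
        return "distributed-like"  # each source covers its own slice of hosts
    return "inconclusive"
```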

