Security Incidents mailing list archives
RE: CRv2 multiple scans from same source IP
From: "Gareth Hastings" <ghastings () sc rr com>
Date: Mon, 6 Aug 2001 05:29:00 -0400
CR II has fixed the IP scanning problem that CR I had. It goes something like this:

50% chance it will scan an IP in the same Class A network as itself
37.5% chance it will scan an IP in the same Class B network as itself
12.5% chance it will scan a random IP

In the last few days I've been racking up IDA attempts on my server. I've currently had 443 attempts from 106 different hosts. Some hosts having hit my machine as many as 24 times in only a few days.

Bored as I was, I thought I'd see how long it took my machine to scan its own Class B network. I only did a ping scan using Nmap:

# nmap -sP -n xx.xx.0.0/16 > my_class_b.log

And do you know how long that took? Only 40 minutes. I'm not sure the rate that nmap scans at, but I know CRv2 has a 10 second timeout on its connects. So it can't really be that long before it comes around to your IP again.

-----Original Message-----
From: Chris Freeze [mailto:cfreeze () cfreeze com]
Sent: 05 August 2001 22:58
To: John Davidson
Cc: incidents () securityfocus com
Subject: Re: CRv2 multiple scans from same source IP

On Sun, 5 Aug 2001, John Davidson wrote:
My W2k IIS logs show 3 CRv2 scans from the same source IP within the same minute.
Here every time I get scanned, my Apache logs are showing a double hit. Snort is also logging the two back-to-back attempts.

Another weird bit is that some hosts are hitting me again as quickly as 45 minutes. I wonder if some people are running injectors(c).

I've also noticed that I'm getting hit by different hosts about every 2 minutes. I wonder if we have hit a saturation point.

Anyone thought about the total time for this to have statistically scanned the entire IP address space? Someone out there has to be a statistician..

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
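The address-selection mix quoted in the message above fixes the chance that one probe from an infected host lands on a given server, and from that the mean gap between repeat hits from the same source. The Python below is an added example, not part of any poster's message: it assumes uniform, independent choices within each range with no skipped addresses, uses constructed sample addresses, and borrows the message's 40-minute nmap /16 sweep as a stand-in probe rate because the thread does not give the worm's own rate.

```python
"""Mean re-hit interval implied by the address-selection mix quoted in the thread."""
from ipaddress import IPv4Address

# Mix as stated in the message: same Class A, same Class B, fully random.
P_SAME_A, P_SAME_B, P_RANDOM = 0.5, 0.375, 0.125

# Assumption: the worm's probe rate is not given in the thread. As a stand-in,
# use the rate of the nmap ping sweep reported there (a /16 in 40 minutes).
ASSUMED_PROBES_PER_SECOND = 2**16 / (40 * 60)


def hit_probability(source: str, target: str) -> float:
    """Chance that one probe from `source` lands on `target`.

    Assumes each range is sampled uniformly and independently and that no
    addresses are skipped, so the three branches simply add up.
    """
    s, t = int(IPv4Address(source)), int(IPv4Address(target))
    p = P_RANDOM / 2**32                 # fully random branch can land anywhere
    if s >> 24 == t >> 24:               # same first octet (Class A)
        p += P_SAME_A / 2**24
    if s >> 16 == t >> 16:               # same first two octets (Class B)
        p += P_SAME_B / 2**16
    return p


def mean_probes_between_hits(source: str, target: str) -> float:
    """Hits are geometric in the probe count, so the mean gap is 1/p."""
    return 1.0 / hit_probability(source, target)


def mean_seconds_between_hits(source, target, rate=ASSUMED_PROBES_PER_SECOND):
    """Mean gap in seconds at `rate` probes per second (an assumed figure)."""
    return mean_probes_between_hits(source, target) / rate


if __name__ == "__main__":
    target = "10.1.2.3"                  # constructed addresses, not from the thread
    for label, src in [("same /16", "10.1.200.7"),
                       ("same /8", "10.9.0.1"),
                       ("elsewhere", "172.16.0.1")]:
        hours = mean_seconds_between_hits(src, target) / 3600
        print(f"{label:9s} p={hit_probability(src, target):.3e}  "
              f"mean gap {hours:,.1f} h at the assumed rate")
```

At the assumed rate, a source in the same /16 reaches a given address on average roughly every 1.8 hours, while a source outside the /8 would take on the order of decades, so repeat hits in a log point to infected neighbours.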
