RE: Strange "port scans" from a spoofed IP

["Keith.Morgan" <Keith.Morgan () Terradon com>]

I'm not sure where this may be coming from, or why, but I can say that it
indicates a problem.  I'm not sure of the target machine's situation,
posture, or any details, but, as a general rule, these packets should be
silently dropped.  There should be no response sent by your machine or
network to rfc1918 address space (eg, 192.168.0.0/16).  Perimeter firewalls
and upstream routers should silently drop private address space packets
arriving on external interfaces.
 

> -----Original Message-----
> From: Jon R. Kibler [mailto:Jon.Kibler () aset04 aset com]
> Sent: Monday, November 05, 2001 6:37 PM
> To: incidents () securityfocus com
> Subject: Strange "port scans" from a spoofed IP
>
>
> Earlier today we started noticing a rather strange "port 
> scan" from two different spoofed IP addresses. Both claim to 
> originate from port 80 and have a fixed destination based 
> upon originating IP, as follows:
>    192.168.19.82 has destination port 11709
>    192.168.19.81 has destination port 13607
>
> The "scans" repeat every 61 seconds. They have been running 
> non-stop since sometime late yesterday. Here is an example 
> from snoop of the traffic in question:
>
> 150182 15:20:41.94425 192.168.19.82 -> US TCP D=11709 S=80    
>  Ack=924387618 Seq=159745477 Len=1 Win=0
> 150183 15:20:41.94466 US -> 192.168.19.82 TCP D=80 S=11709 
> Rst Seq=924387618 Len=0 Win=0
> 150206 15:20:50.21349 192.168.19.81 -> US TCP D=13607 S=80    
>  Ack=915790864 Seq=2217637423 Len=1 Win=0
> 150207 15:20:50.21390 US -> 192.168.19.81 TCP D=80 S=13607 
> Rst Seq=915790864 Len=0 Win=0
> 150283 15:21:42.90447 192.168.19.82 -> US TCP D=11709 S=80    
>  Ack=924387618 Seq=159745477 Len=1 Win=0
> 150284 15:21:42.90488 US -> 192.168.19.82 TCP D=80 S=11709 
> Rst Seq=924387618 Len=0 Win=0
> 150311 15:21:51.13106 192.168.19.81 -> US TCP D=13607 S=80    
>  Ack=915790864 Seq=2217637423 Len=1 Win=0
> 150312 15:21:51.13147 US -> 192.168.19.81 TCP D=80 S=13607 
> Rst Seq=915790864 Len=0 Win=0
> 150395 15:22:44.10400 192.168.19.82 -> US TCP D=11709 S=80    
>  Ack=924387618 Seq=159745477 Len=1 Win=0
> 150396 15:22:44.10440 US -> 192.168.19.82 TCP D=80 S=11709 
> Rst Seq=924387618 Len=0 Win=0
> 150404 15:22:52.08212 192.168.19.81 -> US TCP D=13607 S=80    
>  Ack=915790864 Seq=2217637423 Len=1 Win=0
> 150405 15:22:52.08249 US -> 192.168.19.81 TCP D=80 S=13607 
> Rst Seq=915790864 Len=0 Win=0
> 150442 15:23:44.87234 192.168.19.82 -> US TCP D=11709 S=80    
>  Ack=924387618 Seq=159745477 Len=1 Win=0
> 150443 15:23:44.87276 US -> 192.168.19.82 TCP D=80 S=11709 
> Rst Seq=924387618 Len=0 Win=0
> 150488 15:23:53.03809 192.168.19.81 -> US TCP D=13607 S=80    
>  Ack=915790864 Seq=2217637423 Len=1 Win=0
> 150489 15:23:53.03850 US -> 192.168.19.81 TCP D=80 S=13607 
> Rst Seq=915790864 Len=0 Win=0
> 150763 15:24:45.75855 192.168.19.82 -> US TCP D=11709 S=80    
>  Ack=924387618 Seq=159745477 Len=1 Win=0
> 150764 15:24:45.75894 US -> 192.168.19.82 TCP D=80 S=11709 
> Rst Seq=924387618 Len=0 Win=0
> 150809 15:24:54.00191 192.168.19.81 -> US TCP D=13607 S=80    
>  Ack=915790864 Seq=2217637423 Len=1 Win=0
> 150810 15:24:54.00232 US -> 192.168.19.81 TCP D=80 S=13607 
> Rst Seq=915790864 Len=0 Win=0
>
>
> Has anyone else seen something similar? Since this is clearly 
> not a DOS attack, any idea what would be the purpose of such a scan?
>
> Thanks for any and all help/comments.
>
> Sincerely,
> Jon R. Kibler
> Systems Architect
> Advanced Systems Engineering Technology, Inc.
> Charleston, SC
>
> --------------------------------------------------------------
> --------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com