Security Incidents mailing list archives

Strange TCP Sweep to 0.0.0.0


From: "Geoff Poer" <gpoer () tick Telcom Arizona EDU>
Date: Fri, 9 Nov 2001 10:34:30 -0700

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Our Cisco Secure IDS (that lives outside the firewall) is picking up
some strange traffic off one of our Netscreen Firewalls.  The Src
addresses are the un-trusted interface addresses assigned to the
Netscreen. Has anyone seen something like this before? Is it a bug
or am I seeing something interesting?

Date                 Sensor  Signature  Sub Sig  Description         Severity  Src Address  Src Port  Dst Address  Dst Port
2001-10-26 08:51:24  3       3030       0        TCP SYN Host Sweep  2         my.net.com   2028      0.0.0.0      0
2001-10-26 08:55:24  3       3030       0        TCP SYN Host Sweep  2         my.net.com   1610      0.0.0.0      0
2001-10-26 09:17:24  3       3030       0        TCP SYN Host Sweep  2         my.net.com   1100      0.0.0.0      0
2001-10-26 09:21:20  3       3030       0        TCP SYN Host Sweep  2         my.net.com   1058      0.0.0.0      0
2001-10-26 09:23:21  3       3030       0        TCP SYN Host Sweep  2         my.net.com   1707      0.0.0.0      0
2001-10-26 09:25:23  3       3030       0        TCP SYN Host Sweep  2         my.net.com   1133      0.0.0.0      0
2001-10-26 09:27:21  3       3030       0        TCP SYN Host Sweep  2         my.net.com   1959      0.0.0.0      0
2001-10-26 10:33:21  3       3030       0        TCP SYN Host Sweep  2         my.net.com   1448      0.0.0.0      0
- --------Cut--------

(other address assigned to interface)
2001-11-02 09:24:24  3       3030       0        TCP SYN Host Sweep  2         my2.net.com  1886      0.0.0.0      0
2001-11-02 09:54:20  3       3030       0        TCP SYN Host Sweep  2         my2.net.com  1197      0.0.0.0      0
2001-11-02 10:48:23  3       3030       0        TCP SYN Host Sweep  2         my2.net.com  1779      0.0.0.0      0
2001-11-02 11:29:24  3       3030       0        TCP SYN Host Sweep  2         my2.net.com  1152      0.0.0.0      0
2001-11-02 11:49:20  3       3030       0        TCP SYN Host Sweep  2         my2.net.com  1286      0.0.0.0      0

Whatever it is, it is not terribly fast. The dates are inconsistent
in this email but they are actually occurring every day with similar
frequency.

thanks,
Geoff

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO+wRgnJYBcIyrSGLEQJBNgCg4BuqFioMAitq5Lk+3qTiLYk6lbwAn33p
iesT5XGxthCxSARQdCQYKpaL
=Zj26
-----END PGP SIGNATURE-----


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
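
Added example (not part of the original post or the list archive): one way to triage an alert export like the one quoted in the message above, grouping the rows by source, measuring how far apart they arrive, and checking whether any row names a real destination. The function names and the whitespace-delimited row layout are assumptions based on the columns shown in the post, and the sample holds only the rows the post quotes.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import median

# Rows copied from the post, one alert per line, in the column order it shows:
# date time sensor sig subsig description severity src sport dst dport
SAMPLE = """\
2001-10-26 08:51:24 3 3030 0 TCP SYN Host Sweep 2 my.net.com 2028 0.0.0.0 0
2001-10-26 08:55:24 3 3030 0 TCP SYN Host Sweep 2 my.net.com 1610 0.0.0.0 0
2001-10-26 09:17:24 3 3030 0 TCP SYN Host Sweep 2 my.net.com 1100 0.0.0.0 0
2001-10-26 09:21:20 3 3030 0 TCP SYN Host Sweep 2 my.net.com 1058 0.0.0.0 0
2001-10-26 09:23:21 3 3030 0 TCP SYN Host Sweep 2 my.net.com 1707 0.0.0.0 0
2001-10-26 09:25:23 3 3030 0 TCP SYN Host Sweep 2 my.net.com 1133 0.0.0.0 0
2001-10-26 09:27:21 3 3030 0 TCP SYN Host Sweep 2 my.net.com 1959 0.0.0.0 0
2001-10-26 10:33:21 3 3030 0 TCP SYN Host Sweep 2 my.net.com 1448 0.0.0.0 0
2001-11-02 09:24:24 3 3030 0 TCP SYN Host Sweep 2 my2.net.com 1886 0.0.0.0 0
2001-11-02 09:54:20 3 3030 0 TCP SYN Host Sweep 2 my2.net.com 1197 0.0.0.0 0
2001-11-02 10:48:23 3 3030 0 TCP SYN Host Sweep 2 my2.net.com 1779 0.0.0.0 0
2001-11-02 11:29:24 3 3030 0 TCP SYN Host Sweep 2 my2.net.com 1152 0.0.0.0 0
2001-11-02 11:49:20 3 3030 0 TCP SYN Host Sweep 2 my2.net.com 1286 0.0.0.0 0
"""

def parse_alert(line):
    """Split one row; the description may contain spaces, so index from both ends."""
    f = line.split()
    if len(f) < 11:
        raise ValueError(f"short row: {line!r}")
    return {"time": datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S"),
            "sig": int(f[3]), "desc": " ".join(f[5:-5]), "src": f[-4],
            "dst": f[-2], "dport": int(f[-1])}

def summarize(text):
    """Per source: alert count, median gap in minutes, and whether every row
    targets the unspecified address with port 0 (dst assumed to be an IP literal)."""
    by_src = defaultdict(list)
    for line in filter(str.strip, text.splitlines()):
        a = parse_alert(line)
        by_src[a["src"]].append(a)
    out = {}
    for src, alerts in by_src.items():
        times = sorted(a["time"] for a in alerts)
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        out[src] = {"count": len(alerts),
                    "median_gap_min": round(median(gaps), 1) if gaps else None,
                    "no_real_target": all(
                        a["dport"] == 0 and ipaddress.ip_address(a["dst"]).is_unspecified
                        for a in alerts)}
    return out
```

Calling `summarize(SAMPLE)` returns one entry per source address, which makes it easy to compare the two interface addresses side by side.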

