On Sat, 08 Apr 2006 02:18:40 -0000, [EMAIL PROTECTED] said: > My router logs from the 28-03-2006 show a very strange sequence of port > attempts. > > Tue, 2006-03-28 05:20:52 - UDP Packet - Source:7.12.12.16,13364 > Destination:xx.xx.xx.xx,1035 - [DOS] > Tue, 2006-03-28 11:22:41 - UDP Packet - Source:7.12.12.16,13364 > Destination:xx.xx.xx.xx,1033 - [DOS] > Tue, 2006-03-28 11:22:41 - UDP Packet - Source:7.12.12.16,13364 > Destination:xx.xx.xx.xx,1035 - [DOS] > Tue, 2006-03-28 17:25:53 - UDP Packet - Source:7.12.12.16,13364 > Destination:xx.xx.xx.xx,1033 - [DOS] > Tue, 2006-03-28 21:56:20 - UDP Packet - Source:7.12.12.16,13364 > Destination:xx.xx.xx.xx,1034 - [DOS] > Tue, 2006-03-28 21:56:20 - UDP Packet - Source:7.12.12.16,13364 > Destination:xx.xx.xx.xx,1035 - [DOS] > Tue, 2006-03-28 23:28:43 - UDP Packet - Source:7.12.12.16,13364 > Destination:xx.xx.xx.xx,1035 - [DOS] > Tue, 2006-03-28 23:28:43 - UDP Packet - Source:7.12.12.16,13364 > Destination:xx.xx.xx.xx,1027 - [DOS] > Wed, 2006-03-29 09:58:11 - UDP Packet - Source:7.12.12.16,13364 > Destination:xx.xx.xx.xx,1035 - [DOS] > Wed, 2006-03-29 11:30:32 - UDP Packet - Source:7.12.12.16,13364 > Destination:xx.xx.xx.xx,139 - [DOS] > Wed, 2006-03-29 11:30:32 - UDP Packet - Source:7.12.12.16,13364 > Destination:xx.xx.xx.xx,1031 - [DOS]
> Obviously this is not correct, but strange that the source IP should be
> masquerading as a DoD IP.
Based on the very low packet rate, my first guess is that somebody is doing an
'nmap idle scan' of your box (and they specified the 'stealth' mode that takes
multiple days to do the scan to fly under the wire of most rate-based IDS
triggers).
>From the nmap man page:
-sI <zombie host[:probeport]>
Idlescan: This advanced scan method allows for a truly blind TCP
port scan of the target (meaning no packets are sent to the tar-
get from your real IP address). Instead, a unique side-channel
attack exploits predictable "IP fragmentation ID" sequence gen-
eration on the zombie host to glean information about the open
ports on the target. IDS systems will display the scan as com-
ing from the zombie machine you specify (which must be up and
meet certain criteria). I wrote an informal paper about this
technique at http://www.insecure.org/nmap/idlescan.html .
Besides being extraordinarily stealthy (due to its blind
nature), this scan type permits mapping out IP-based trust rela-
tionships between machines. The port listing shows open ports
from the perspective of the zombie host. So you can try scan-
ning a target using various zombies that you think might be
trusted (via router/packet filter rules). Obviously this is
crucial information when prioritizing attack targets. Other-
wise, you penetration testers might have to expend considerable
resources "owning" an intermediate system, only to find out that
its IP isn't even trusted by the target host/network you are
ultimately after.
pgpkQwAFBUyWD.pgp
Description: PGP signature
