On 12/23/14, 15:41, Mouse wrote:
* Rapid7 has joined the scanning party (many addresses including
71.6.216.62). They also have the strange ICMP unreachable behavior,
and they are also just doing READVAR commands.
This sounds suspiciously like DoS source hiding. While the "many
addresses" part argues against that, the ICMP unreachables argue for
it. (At least, if they're port unreachables. Are they? Or are they
net unreachables, host unreachables, what?)
I wondered about that as well. The actual ICMP is 3/3 (Destination
Unreachable/Port Unreachable). I *suspect* that their scanning code
operates as follows:
* Send out packets using raw IP. The TTL on one packet when it got to me
is 236. (= 255 - 19)
* The response packet is generated and transmitted with TTL 60. It gets
back to the OS and is bounced as the local port is not a genuine local port.
* The ICMP that comes back has TTL 45 (= 64 - 19). The inner packet
(which is my response) has TTL 41 (= 60 - 19).
* I expect that the scanner is capturing the return packets using
tcpdump, libpcap or some other monitoring tool.
This is circumstantial evidence that the person sending the scans, and
the IP (185.35.62.106) are both 19 hops away.
Philip
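The hop-count reasoning in the message above (probe TTL, ICMP outer TTL and quoted inner TTL all pointing at the same distance) is easy to turn into a small consistency check that a pool operator can run over TTLs pulled from a capture. The following is an added example, not code from the thread or from the NTP pool project; the `ProbeObservation` structure, the list of common initial TTLs and the "consistent" verdict are assumptions of this example, and the sample values are the ones quoted in the message.

```python
"""Hop-distance consistency check from observed TTLs.

Added example (not from the mailing-list post): infer the likely initial
TTL of each packet, derive a hop count, and check whether the scan probe,
the ICMP 3/3 error and the inner packet quoted in that error all agree on
the same distance from us.
"""
from dataclasses import dataclass
from typing import Optional

# Initial TTLs commonly used by operating systems and raw-socket tools
# (assumption: a probe from a raw-socket scanner usually starts at 255).
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def infer_initial_ttl(observed: int) -> int:
    """Pick the smallest common initial TTL that is >= the observed value."""
    if not 0 < observed <= 255:
        raise ValueError(f"TTL out of range: {observed}")
    for initial in COMMON_INITIAL_TTLS:
        if observed <= initial:
            return initial
    return 255


def hops_from_ttl(observed: int, initial: Optional[int] = None) -> int:
    """Hop count = initial TTL minus the TTL seen on the wire.

    When the initial TTL is known (our own reply was sent with TTL 60 in
    the thread), pass it explicitly; otherwise it is inferred from the
    common defaults above.
    """
    if initial is None:
        initial = infer_initial_ttl(observed)
    if observed > initial:
        raise ValueError(f"observed TTL {observed} exceeds initial {initial}")
    return initial - observed


@dataclass
class ProbeObservation:
    """TTLs seen for one scan probe and its ICMP bounce (constructed)."""
    probe_ttl: int          # TTL of the incoming scan packet
    our_reply_ttl: int      # TTL we set on our NTP response
    icmp_outer_ttl: int     # TTL of the ICMP Destination Unreachable
    icmp_inner_ttl: int     # TTL of our reply as quoted inside the ICMP


def hop_consistency(obs: ProbeObservation) -> dict:
    """Return per-packet hop estimates and whether they all agree.

    Agreement suggests the claimed source and the host emitting the ICMP
    error sit at the same distance from us; disagreement is a hint that
    the probe source may be spoofed or the error reflected from elsewhere.
    """
    estimates = {
        "probe": hops_from_ttl(obs.probe_ttl),
        "icmp_outer": hops_from_ttl(obs.icmp_outer_ttl),
        "icmp_inner": hops_from_ttl(obs.icmp_inner_ttl,
                                    initial=obs.our_reply_ttl),
    }
    return {**estimates, "consistent": len(set(estimates.values())) == 1}


if __name__ == "__main__":
    # Values quoted in the thread: probe TTL 236, reply sent with TTL 60,
    # ICMP outer TTL 45, inner (quoted) TTL 41.
    sample = ProbeObservation(probe_ttl=236, our_reply_ttl=60,
                              icmp_outer_ttl=45, icmp_inner_ttl=41)
    print(hop_consistency(sample))
```

With the thread's numbers every estimate comes out at 19 hops and the check reports agreement. The inference only holds as far as the initial-TTL guess does: a scanner driving a raw socket can start from any TTL, and asymmetric routing can make the forward and return paths differ by a hop or two, so treat a small mismatch as a prompt to look at the capture rather than as proof of spoofing.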
_______________________________________________
pool mailing list
http://lists.ntp.org/listinfo/pool