[Snort-sigs] Odd scans from

Robert Wagner rwagner at ...447...
Tue Apr 23 12:27:25 EDT 2002

1) Thanks for the tip.
2) We have not been using IRC.  I know it looks like a typical syn-ack
response to a syn packet, but it cannot be - There isn't a server connected
at the ip in question.  

I agree that it appears to be IRCish traffic, but why the change in ports?

I believe someone has DDOS bots looking for traffic from this server that
only respond to an initial syn-ack, thus avoiding detection by a scanner
that would send out syn or syn-fin packet.  Who in their right mind would
suspect a syn-ack packet going to a high port like this?  I would contend
that this traffic would be ignored by 99.9% of the people monitoring IDS,
the rest would just ignore it because of the type of traffic.

I would still like to know if anyone is monitoring traffic above 1023 that
isn't originating from their network or going to their firewall.

The other posiblity is someone has spoofed our IP.  Although in doing so
they would not get any data back.  Maybe just trying to generate a lot of
noise for the IRC server?

-----Original Message-----
From: Matt Kettler [mailto:mkettler at ...189...]
Sent: Tuesday, April 23, 2002 1:59 PM
To: Robert Wagner; Snort-Sigs (E-mail)
Subject: Re: [Snort-sigs] Odd scans from

1) this really should be on snort users, not snort-sigs. Please use the 
snort-users list next time you have a general question.

2) have you been using IRC?

Note that the packet you have logged is a syn-ack, which means it is (or 
claims to be) a response to a request for connect from your machine 
connecting to that server.

The IP that is "scanning" you is a IRC server.. see:

Host name: irc.tokyo.wide.ad.jp
IP address:
Alias(es): None

And look, a lot of this traffic is from port 6666/tcp on their end. From 
the snort.org ports DB:

  6666   tcp     irc-serv     internet relay chat server

and from IANA: (http://www.iana.org/assignments/port-numbers)

ircu            6665-6669/tcp  IRCU
ircu            6665-6669/udp  IRCU

Sounds like you're being "scanned' by your own internet activity.

At 01:01 PM 4/23/2002 -0500, Robert Wagner wrote:
>Odd scans from  Does anyone know what they are scanning for?
>I don't have a server running at myip.  I have heard this IP address has
>been doing a lot of scanning like this.  Slow scan to avoid detection.

More information about the Snort-sigs mailing list