[Snort-sigs] Odd scans from 126.96.36.199
rwagner at ...447...
Tue Apr 23 12:27:25 EDT 2002
1) Thanks for the tip.
2) We have not been using IRC. I know it looks like a typical syn-ack
response to a syn packet, but it cannot be - There isn't a server connected
at the ip in question.
I agree that it appears to be IRCish traffic, but why the change in ports?
I believe someone has DDOS bots looking for traffic from this server that
only respond to an initial syn-ack, thus avoiding detection by a scanner
that would send out syn or syn-fin packet. Who in their right mind would
suspect a syn-ack packet going to a high port like this? I would contend
that this traffic would be ignored by 99.9% of the people monitoring IDS,
the rest would just ignore it because of the type of traffic.
I would still like to know if anyone is monitoring traffic above 1023 that
isn't originating from their network or going to their firewall.
The other possibility is someone has spoofed our IP. Although in doing so
they would not get any data back. Maybe just trying to generate a lot of
noise for the IRC server?
From: Matt Kettler [mailto:mkettler at ...189...]
Sent: Tuesday, April 23, 2002 1:59 PM
To: Robert Wagner; Snort-Sigs (E-mail)
Subject: Re: [Snort-sigs] Odd scans from 188.8.131.52
1) this really should be on snort users, not snort-sigs. Please use the
snort-users list next time you have a general question.
2) have you been using IRC?
Note that the packet you have logged is a syn-ack, which means it is (or
claims to be) a response to a request for connect from your machine
connecting to that server.
The IP that is "scanning" you is an IRC server. See:
Host name: irc.tokyo.wide.ad.jp
IP address: 184.108.40.206
And look, a lot of this traffic is from port 6666/tcp on their end. From
the snort.org ports DB:
6666 tcp irc-serv internet relay chat server
and from IANA: (http://www.iana.org/assignments/port-numbers)
ircu 6665-6669/tcp IRCU
ircu 6665-6669/udp IRCU
Sounds like you're being "scanned" by your own internet activity.
At 01:01 PM 4/23/2002 -0500, Robert Wagner wrote:
>Odd scans from 220.127.116.11. Does anyone know what they are scanning for?
>I don't have a server running at myip. I have heard this IP address has
>been doing a lot of scanning like this. Slow scan to avoid detection.
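The two readings of the log in this thread (a SYN-ACK answering the site's own IRC connection, versus an unsolicited SYN-ACK arriving with no prior outbound SYN) can be told apart with simple connection-state tracking. The following is an added example, not code from the list or from Snort; it assumes a hypothetical local network of 10.0.0.0/24, uses the IANA ircu range 6665-6669 quoted above as a label, and runs over a constructed packet list rather than a real capture.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable

# Assumed local address space (hypothetical; adjust for a real deployment).
LOCAL_NET = ip_network("10.0.0.0/24")
# IANA "ircu" port range as quoted in the thread, used only to label findings.
IRC_PORTS = set(range(6665, 6670))

SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: int  # TCP flag bits: SYN=0x02, ACK=0x10 (other bits are ignored here)


def is_local(ip: str) -> bool:
    return ip_address(ip) in LOCAL_NET


def find_unsolicited_synacks(packets: Iterable[Packet]) -> list[dict]:
    """Return one finding per inbound SYN-ACK with no matching outbound SYN.

    A SYN-ACK from remote R:rp to local L:lp is expected only if an earlier
    SYN from L:lp to R:rp was seen. Packets must be supplied in time order.
    Solicited SYN-ACKs (the "your own internet activity" case) are dropped;
    unsolicited ones (spoofed source, backscatter, or a probe that only
    sends SYN-ACK) are reported with the port facts the thread cares about.
    """
    pending: set[tuple[str, int, str, int]] = set()  # outbound SYNs awaiting reply
    findings: list[dict] = []
    for p in packets:
        flags = p.flags & (SYN | ACK)
        if flags == SYN and is_local(p.src) and not is_local(p.dst):
            pending.add((p.src, p.sport, p.dst, p.dport))
        elif flags == (SYN | ACK) and is_local(p.dst) and not is_local(p.src):
            key = (p.dst, p.dport, p.src, p.sport)
            if key in pending:
                pending.discard(key)  # solicited: reply to our own SYN
                continue
            findings.append({
                "ts": p.ts,
                "remote": f"{p.src}:{p.sport}",
                "local": f"{p.dst}:{p.dport}",
                "remote_irc_port": p.sport in IRC_PORTS,
                "local_high_port": p.dport > 1023,
            })
    return findings


# Constructed sample traffic (not from the thread): one real IRC session,
# one unsolicited SYN-ACK from an IRC port, one from a web port, and one
# ordinary HTTPS session whose reply also carries the PSH bit.
SAMPLE = [
    Packet(1.0, "10.0.0.5", 33000, "203.0.113.7", 6666, SYN),
    Packet(1.1, "203.0.113.7", 6666, "10.0.0.5", 33000, SYN | ACK),        # solicited
    Packet(2.0, "203.0.113.7", 6667, "10.0.0.5", 40001, SYN | ACK),        # unsolicited
    Packet(3.0, "198.51.100.9", 80, "10.0.0.5", 44444, SYN | ACK),         # unsolicited
    Packet(4.0, "10.0.0.5", 50000, "198.51.100.9", 443, SYN),
    Packet(4.2, "198.51.100.9", 443, "10.0.0.5", 50000, SYN | ACK | 0x08), # solicited
]

if __name__ == "__main__":
    for f in find_unsolicited_synacks(SAMPLE):
        print(f)
```

Run against the sample this reports only the two SYN-ACKs that no local host asked for; a real deployment would feed it packets from a capture and age out entries in `pending` so that abandoned SYNs do not accumulate.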