[Snort-users] 17203 portscan alerts in 23 hours from same IP

Matt Kettler mkettler at ...4108...
Wed Jul 10 14:51:10 EDT 2002

That is a bit on the strange side, I guess another possibility is that 
someone (not very bright) is attempting to syn-flood DOS citibank.com and 
is spoofing your IP as a source. A large site like citibank likely has some 
form of synflood protection, and they could just be spewing resets out to 
the ip's generating the syn's (even if they are forged).

I'm also pretty skeptical of any ill intent of the packets arriving at your 
network since they have the reset and fin bits set. You can't do any kind 
of useful portscan that way (one or two of them might be useful in an OS 
fingerprint, but not floods of them), it's not a good way to do an exploit, 
and they don't look right for any kind of ISN guessing DoS attack either 
since all the ack fields are invalid.

At one point in time I had some IPs that were part of a class A network 
that "hax0rs" would spoof when flooding people and I'd get floods of ICMP 
source quench messages. I didn't log floods of resets at the time, but it 
wouldn't surprise me if they came in.

In any event you'd have to be pretty important to believe that anyone who 
has control of citibank's main webserver would use it to attack your 
network. Unless the data contained on your network has a potential value 
measured in the billions of dollars they've already got a much more 
interesting target in the palm of their hands. Hacking into citibank's 
webserver and using it to attack the network of the National Center for 
Education in Maternal and Child Health strikes me as a bit like stealing an 
destroyer from the Navy and using it to knock over a lemonade stand.

I might consider running a tcpdump from your snort box and see if you're 
originating any traffic or if it's just a pile of resets coming in:

tcpdump -i <appropriate interface name> host

If it's just a pile of resets coming in, I'd blow it off as side effects of 
some other bozo attacking citibank and forging your IPs as the source. And 
no, you're not going to be able to track who the other bozo is, citibank 
might be able to with a lot of effort and help from other ISPs but nobody 
is going to care enough to go to that kind of effort since it's not heavy 
enough to cause problems.

Welcome to the internet, where 500 attacks/probes per day per IP is not an 
unrealistic figure.

At 05:06 PM 7/10/2002 -0400, Jon Quiros wrote:
>Thanks for the reply.  It started up again at 2:30 and continues, now 
>scanning lower ports (i've got about 19,000 events now).
>The user of this computer has been away from her desk since about 11am 
>this morning so I'm really doubting it's her end that's triggering it.  No 
>adware, no open web browser.
>here's another snippet of the portscan log:
>Jul 10 16:08:50 -> one.of.my.users:1544 INVALIDACK 
>Jul 10 16:08:50 -> one.of.my.users:1545 INVALIDACK 
>Jul 10 16:08:50 -> one.of.my.users:1484 INVALIDACK 
>Jul 10 16:08:50 -> one.of.my.users:1485 INVALIDACK 
>Jul 10 16:08:50 -> one.of.my.users:1493 INVALIDACK 
>Jul 10 16:08:50 -> one.of.my.users:1489 INVALIDACK 
>Jul 10 16:08:50 -> one.of.my.users:1498 INVALIDACK 
>Jul 10 16:08:50 -> one.of.my.users:1504 INVALIDACK 
>Jul 10 16:08:50 -> one.of.my.users:1502 INVALIDACK 
>Jul 10 16:08:50 -> one.of.my.users:1514 INVALIDACK 
>Jul 10 16:08:50 -> one.of.my.users:1507 INVALIDACK 
>Jul 10 16:08:50 -> one.of.my.users:1517 INVALIDACK 
>Jul 10 16:08:50 -> one.of.my.users:1523 INVALIDACK 
>Jul 10 16:08:50 -> one.of.my.users:1524 INVALIDACK 
>Jul 10 16:08:50 -> one.of.my.users:1527 INVALIDACK 
>Jul 10 16:08:50 -> one.of.my.users:1526 INVALIDACK 
>Jul 10 16:08:50 -> one.of.my.users:1531 INVALIDACK 
>Jul 10 16:08:50 -> one.of.my.users:1530 INVALIDACK 
>Jul 10 16:10:46 -> one.of.my.users:1532 INVALIDACK 
>Jul 10 16:10:46 -> one.of.my.users:1533 INVALIDACK 
>Jul 10 16:10:46 -> one.of.my.users:1538 INVALIDACK 
>Jul 10 16:10:46 -> one.of.my.users:1539 INVALIDACK 
>Jul 10 16:10:46 -> one.of.my.users:1544 INVALIDACK 
>Jul 10 16:10:46 -> one.of.my.users:1540 INVALIDACK 
>Jul 10 16:10:46 -> one.of.my.users:1545 INVALIDACK 
>Jul 10 16:10:46 -> one.of.my.users:1485 INVALIDACK 
>Jul 10 16:10:46 -> one.of.my.users:1484 INVALIDACK 
>Jul 10 16:10:46 -> one.of.my.users:1489 INVALIDACK 
>Jul 10 16:10:46 -> one.of.my.users:1493 INVALIDACK 
>Jul 10 16:10:46 -> one.of.my.users:1498 INVALIDACK 
>Jul 10 16:10:46 -> one.of.my.users:1502 INVALIDACK 
>Jul 10 16:10:46 -> one.of.my.users:1504 INVALIDACK 
>Jul 10 16:10:46 -> one.of.my.users:1507 INVALIDACK 
>Jul 10 16:10:46 -> one.of.my.users:1514 INVALIDACK 
>Jul 10 16:10:46 -> one.of.my.users:1517 INVALIDACK 
>Jul 10 16:10:46 -> one.of.my.users:1523 INVALIDACK 
>Jul 10 16:10:46 -> one.of.my.users:1524 INVALIDACK 
>Jul 10 16:10:46 -> one.of.my.users:1527 INVALIDACK 
>Jul 10 16:10:46 -> one.of.my.users:1526 INVALIDACK 
>Jul 10 16:10:46 -> one.of.my.users:1531 INVALIDACK 
>Jul 10 16:10:46 -> one.of.my.users:1530 INVALIDACK 
>Jon Quirós
>Network/Systems Administrator
>National Center for Education in Maternal and Child Health
>Georgetown University
>2000 15th St N, Suite 701
>Arlington, Va 22201
>Ph:  (703)524-7802
>Fax: (703)524-9335
>On Wednesday, July 10, 2002 4:37 PM, Matt Kettler <mkettler at ...4108...> 
> >Perhaps the citibank webpage has a gif-image which reloads at regular
> >intervals? In that case all she'd need to do is leave the browser open, and
> >those kinds of reloading images are pretty common.
> >
> >It strikes me as highly absurd to consider reset/fin packets coming from
> >port 80 on a valid webserver to be a portscan of any sort. Sure webservers
> >get knocked over and used to attack others sometimes, but very rarely do
> >those scans originate from port 80 (since they'd have to shut the webserver
> >down) and rarely do they consist of ARF ("close connection and stop talking
> >to me, don't even acknowledge the close") type packets at regular intervals
> >to normal client ports. ARF isn't exactly a very useful combination of
> >flags for portscanning AFAIK.
> >
> >
> >I think the appropriate question to ask here is "why was my user's machine
> >trying to contact citibank's website so frequently" rather than "why was
> >citibank scanning me", and I think the answer is that someone had a couple
> >of pages with self-refreshing images open and left the browser
> >running.
> >
> >
> >At 02:54 PM 7/10/2002 -0400, Jon Quiros wrote:
> >>someone that replied off-list wrote this:
> >>
> >>"Looks to me like your source and dest IPs are showing up backwards. It is
> >>not a scan, but merely the random source port 1024 incrementing with each
> >>connection. Your end user must be doing a lot of on-line banking with
> >>Citibank I would say."
> >>
> >>This would make perfect sense to me, except i can't envision her staying
> >>over night doing online banking stuff, or any program running in the
> >>bkgrnd following the same pattern over and over again
> >>
> >>Jon Q
> >
> >
> >
> >-------------------------------------------------------
> >This sf.net email is sponsored by:ThinkGeek
> >Two, two, TWO treats in one.
> >http://thinkgeek.com/sf
> >_______________________________________________
> >Snort-users mailing list
> >Snort-users at lists.sourceforge.net
> >Go to this URL to change user options or unsubscribe:
> >https://lists.sourceforge.net/lists/listinfo/snort-users
> >Snort-users list archive:
> >http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >

More information about the Snort-users mailing list