North American Network Operators Group


Re: Very peculiar Telnet probing (possibly spoofed?)

  • From: Chris Brenton
  • Date: Thu Sep 09 06:25:11 2004

On Thu, 2004-09-09 at 01:48, Jeff Kell wrote:
>
> I suspect but cannot prove 
> that the packets are being spoofed as we are dropping (not resetting) 
> the probes, yet they continue.  There are repeated probes from the same 
> IP address for about 15-20 minutes or more, then it moves along, but the 
> resulting router logs blocking them looks initially random (from SE Asia 
> sites). 

Could be an idle scan. If so, that would mean each of these sources is
just a quiet host being leveraged by the real attacker.

Easiest way to tell is to return a SYN/ACK and look for TTL variances
between the original SYN and the resulting ACK. My experience has been
you'll also see discrepancies in the IP ID. The SYN packets will be
non-predictable while the ACK packets will be predictable.

If it is an idle scan, the only way (I'm aware of) to identify the real
attacker is to work with the admin for the source IP. They'll see some
IP address probing the source IP at about the same interval you are
seeing the probes. _That_ source IP is the one you want to go after.

HTH,
Chris
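The check Chris describes, as an added example that is not part of the thread: given per-packet (source IP, TCP flags, TTL, IP ID) records (constructed here, not real captures), pair each source's inbound SYNs with the replies to our SYN/ACK (ACK, or the RST a host that never sent the SYN will typically answer with) and flag sources whose reply TTL differs from the SYN TTL and whose reply IP IDs are predictable while the SYN IP IDs are not.

```python
from collections import defaultdict

# Constructed sample records: (src_ip, tcp_flags, ttl, ip_id).
# 203.0.113.10 looks like a leveraged quiet host: the SYNs arrive with
# varying TTLs and random IP IDs, but the replies to our SYN/ACK come
# back with a different, stable TTL and a sequential IP ID counter.
# 198.51.100.7 behaves like a host that really sent the SYNs itself.
SAMPLE_PACKETS = [
    ("203.0.113.10", "S", 51, 40213), ("203.0.113.10", "R", 116, 1001),
    ("203.0.113.10", "S", 49, 7731),  ("203.0.113.10", "R", 116, 1002),
    ("203.0.113.10", "S", 54, 61002), ("203.0.113.10", "R", 116, 1003),
    ("198.51.100.7", "S", 52, 3001),  ("198.51.100.7", "A", 52, 3002),
    ("198.51.100.7", "S", 52, 3003),  ("198.51.100.7", "A", 52, 3004),
]

REPLY_FLAGS = {"A", "R"}   # ACK or RST answering our SYN/ACK


def is_sequential(ids, max_step=10):
    """True if each IP ID follows the previous by a small positive step (16-bit wrap)."""
    if len(ids) < 2:
        return False
    return all(0 < (b - a) % 65536 <= max_step for a, b in zip(ids, ids[1:]))


def analyse(packets):
    """Per source IP, compare SYN vs reply TTLs and IP ID predictability."""
    by_src = defaultdict(lambda: {"syn": [], "reply": []})
    for src, flags, ttl, ip_id in packets:
        if flags == "S":
            by_src[src]["syn"].append((ttl, ip_id))
        elif flags in REPLY_FLAGS:
            by_src[src]["reply"].append((ttl, ip_id))
    report = {}
    for src, g in by_src.items():
        syn_ttls = {t for t, _ in g["syn"]}
        reply_ttls = {t for t, _ in g["reply"]}
        # A SYN crafted by a third party and a reply from the real host
        # take different paths, so their TTL sets should not overlap.
        ttl_mismatch = bool(syn_ttls and reply_ttls and syn_ttls.isdisjoint(reply_ttls))
        syn_seq = is_sequential([i for _, i in g["syn"]])
        reply_seq = is_sequential([i for _, i in g["reply"]])
        report[src] = {
            "ttl_mismatch": ttl_mismatch,
            "syn_ipid_sequential": syn_seq,
            "reply_ipid_sequential": reply_seq,
            "likely_leveraged_host": ttl_mismatch and reply_seq and not syn_seq,
        }
    return report
```

A source flagged as a likely leveraged host is the one whose admin to contact, as Chris suggests, rather than the party to block or pursue directly.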