Got an interesting series of port scans picked up by my firewall - normally it's the standard TCP ports coming from addresses on my subnet, but got a bunch of six sequential scans targeting UDP coming from IPs xxx.xxx.xxx.160 through to 165 - one after the other within about 8 mins.
I'm just curious as to what they are trying to accomplish or what the tactic is here, as I rarely notice my UDP ports being scanned and have never seen this "sequential" scan before.
Anyone know what's happening here or seen this before?
May 4th, 2005, 04:57 PM
Considering that a portscan from a spoofed address would be kinda useless to the attacker unless they were trying to DoS you, which isn't very likely with a UDP scan at all, I would think that one of these addresses is the real address, and that the rest are decoys to hide the attacker's real IP address. I have done this type of scan with nmap before.
It may also be possible that they are scanning from several machines inside their network, which might also make sense because UDP scans are so slow. This would speed up the scan quite a bit.
Well that's two possibilities, anyway.
May 5th, 2005, 03:48 PM
Yeah, good point. I might have thought a decoy nmap scan would be of more use if the decoys were slightly more remote than a few close neighbours, though. Ah well, still pretty cool.
Did a whois out of interest and it comes up as being a pretty large American company.
Someone must be playing with their toys :)
May 5th, 2005, 08:07 PM
They are spoofed. Unless you have some major idiot scanning off of 5 public IP addresses. Any "large American company" would have internal IP addresses on nearly all of their desktops, so you would only see 1 IP address. Unless, of course, someone got on to 5 servers with public IP addresses, but then again what are the chances that they would be in perfect sequence.
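A detection heuristic for the pattern the thread is discussing (numerically adjacent source addresses probing UDP on the same target, one after the other within a few minutes), added here as an example; it is not from the original posts or from any poster's tooling. The log lines are constructed, iptables-style records with documentation addresses, and the /24 grouping, 10-minute window and minimum run length of 3 are assumed thresholds, not anything the thread states. Whether such a run is nmap decoys or several real hosts cannot be decided from the firewall log alone; the heuristic only surfaces the cluster for a human to look at.

```python
"""Flag runs of adjacent source IPs that scan the same target within a short window.

Added example, not from the thread. Log format: constructed iptables-like lines.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample log (not real firewall output). Six adjacent sources
# probe UDP one after another in ~8 minutes, plus two unrelated entries.
SAMPLE_LOG = """\
May  4 16:31:02 fw kernel: DROP IN=eth0 SRC=203.0.113.160 DST=192.0.2.10 PROTO=UDP SPT=40001 DPT=53
May  4 16:31:03 fw kernel: DROP IN=eth0 SRC=203.0.113.160 DST=192.0.2.10 PROTO=UDP SPT=40001 DPT=161
May  4 16:32:30 fw kernel: DROP IN=eth0 SRC=203.0.113.161 DST=192.0.2.10 PROTO=UDP SPT=40002 DPT=53
May  4 16:34:05 fw kernel: DROP IN=eth0 SRC=203.0.113.162 DST=192.0.2.10 PROTO=UDP SPT=40003 DPT=53
May  4 16:35:41 fw kernel: DROP IN=eth0 SRC=203.0.113.163 DST=192.0.2.10 PROTO=UDP SPT=40004 DPT=53
May  4 16:37:12 fw kernel: DROP IN=eth0 SRC=203.0.113.164 DST=192.0.2.10 PROTO=UDP SPT=40005 DPT=53
May  4 16:38:55 fw kernel: DROP IN=eth0 SRC=203.0.113.165 DST=192.0.2.10 PROTO=UDP SPT=40006 DPT=53
May  4 16:40:00 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=445
May  4 17:10:00 fw kernel: DROP IN=eth0 SRC=203.0.113.200 DST=192.0.2.10 PROTO=UDP SPT=40007 DPT=53
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_log(text, year=2005):
    """Return (timestamp, src IPv4Address, dst str, proto str, dport int) tuples.

    Syslog lines carry no year, so one is supplied (assumed 2005 to match the thread).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not DROP records in this format
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, ipaddress.ip_address(m["src"]), m["dst"], m["proto"], int(m["dpt"])))
    return events


def find_sequential_bursts(events, proto="UDP", window=timedelta(minutes=10), min_run=3):
    """Find runs of consecutive source addresses (same /24, same target) whose
    first probes arrive within `window` of each other. Returns one dict per run."""
    # Earliest probe per (target, source) for the protocol of interest.
    first_seen = {}
    for ts, src, dst, p, _ in events:
        if p != proto:
            continue
        key = (dst, src)
        if key not in first_seen or ts < first_seen[key]:
            first_seen[key] = ts

    # Group sources by target and by /24 so "neighbours" are compared together.
    groups = defaultdict(list)
    for (dst, src), ts in first_seen.items():
        net = ipaddress.ip_network(f"{src}/24", strict=False)
        groups[(dst, net)].append((int(src), ts))

    bursts = []

    def flush(run, dst, net):
        if len(run) >= min_run:
            times = [t for _, t in run]
            bursts.append({
                "dst": dst,
                "net": str(net),
                "sources": [str(ipaddress.ip_address(n)) for n, _ in run],
                "span_seconds": int((max(times) - min(times)).total_seconds()),
            })

    for (dst, net), members in groups.items():
        members.sort()  # ascending by integer address
        run = [members[0]]
        for cur in members[1:]:
            prev = run[-1]
            # Extend the run only if the address is the next integer AND the
            # probe times are close; a lone neighbour hours later is not part of it.
            if cur[0] == prev[0] + 1 and abs(cur[1] - prev[1]) <= window:
                run.append(cur)
            else:
                flush(run, dst, net)
                run = [cur]
        flush(run, dst, net)
    return bursts


if __name__ == "__main__":
    for b in find_sequential_bursts(parse_log(SAMPLE_LOG)):
        print(f"{b['dst']} probed by {len(b['sources'])} adjacent hosts in {b['net']} "
              f"over {b['span_seconds']}s: {', '.join(b['sources'])}")
```

On the sample the single TCP entry and the isolated .200 host are ignored, and the .160 through .165 sources come out as one burst spanning 473 seconds. Point the parser at a real log with a different layout by changing `LINE_RE`; the clustering logic does not depend on the line format.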