Thread: Curious about Port Scan

  1. #1
    Junior Member
    Join Date
    Oct 2004
    Posts
    8

    Curious about Port Scan

    Hi All,
    Got an interesting series of port scans picked up by my firewall - normally it's the standard TCP ports coming from addresses on my subnet, but got a bunch of six sequential scans targeting UDP coming from IPs xxx.xxx.xxx.160 through to 165 - one after the other within about 8 mins.

    I'm just curious as to what they are trying to accomplish or what the tactic is here, as I rarely notice my UDP ports being scanned and have never seen this "sequential" scan before.

    Anyone know what's happening here or seen this before?

    cheers
    M.

  2. #2
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    Hrm...

    Considering that a portscan from a spoofed address would be kinda useless to the attacker unless they were trying to DoS you, which isn't very likely with a UDP scan at all, I would think that one of these addresses is the real address, and that the rest are decoys to hide the attacker's real IP address. I have done this type of scan with nmap before.

    It may also be possible that they are scanning from several machines inside their network, which might also make sense because UDP scans are so slow. This would speed up the scan quite a bit.

    Well that's two possibilities, anyway.
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  3. #3
    Junior Member
    Join Date
    Oct 2004
    Posts
    8
    Yeah, good point. I might have thought a decoy nmap scan might be of more use if the decoys were slightly more remote than a few close neighbours though. Ah well, still pretty cool.

    Did a whois out of interest and it comes up as being a pretty large American company.
    Someone must be playing with their toys.

  4. #4
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    They are spoofed. Unless you have some major idiot scanning off of 5 public IP addresses. Any "large American company" would have internal IP addresses on nearly all of their desktops, so you would only see 1 IP address. Unless of course someone got on to 5 servers with public IP addresses, but then again, what are the chances that they would be in perfect sequence?
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com
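
Added example, not part of any post in this thread: one way to pick the pattern from post #1 (numerically adjacent source addresses probing UDP within a few minutes) out of a firewall log, and to record whether the sources took turns or were active at the same time. The log format, function names, thresholds and addresses (documentation ranges) are assumptions constructed for the example.

```python
import ipaddress
from datetime import datetime, timedelta

def sample_log():
    """Constructed firewall log (format assumed): six neighbours, 90 s apart."""
    t0 = datetime(2004, 10, 12, 21, 0, 0)
    lines = [
        f"{(t0 + timedelta(seconds=90 * i + 5 * j)).isoformat()} "
        f"DROP UDP 192.0.2.{160 + i} -> 198.51.100.7:{port}"
        for i in range(6) for j, port in enumerate((137, 161))
    ]
    # Unrelated noise that must not be reported.
    lines.append(f"{t0.isoformat()} DROP TCP 203.0.113.9 -> 198.51.100.7:445")
    lines.append(f"{t0.isoformat()} DROP UDP 203.0.113.20 -> 198.51.100.7:53")
    return "\n".join(lines)

def sequential_sources(log, proto="UDP", min_run=4, window=timedelta(minutes=10)):
    """Find runs of numerically adjacent IPv4 sources probing within `window`."""
    seen = {}  # source -> (first timestamp, last timestamp)
    for line in filter(str.strip, log.splitlines()):
        ts, _action, p, src, _arrow, _dst = line.split()
        if p != proto:
            continue
        ts, src = datetime.fromisoformat(ts), ipaddress.IPv4Address(src)
        first, last = seen.get(src, (ts, ts))
        seen[src] = (min(first, ts), max(last, ts))
    # Split the sorted sources wherever the next address is not previous + 1.
    runs, run = [], []
    for src in sorted(seen):
        if run and int(src) - int(run[-1]) != 1:
            runs.append(run)
            run = []
        run.append(src)
    runs.append(run)
    findings = []
    for r in runs:
        if len(r) < min_run:
            continue
        span = max(seen[s][1] for s in r) - min(seen[s][0] for s in r)
        if span > window:
            continue
        # True when each source finished before its neighbour started
        # ("one after the other"); False when their activity overlaps.
        turns = all(seen[a][1] <= seen[b][0] for a, b in zip(r, r[1:]))
        findings.append({"first": str(r[0]), "last": str(r[-1]),
                         "sources": len(r), "span": span, "back_to_back": turns})
    return findings
```

The `back_to_back` flag only describes timing seen at the firewall; it does not by itself show whether the sources are spoofed or real.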
