-
November 12th, 2002, 06:17 PM
#11
Senior Member
Nmap and its decoy lists. This is probably the culprit. I can send a scan to a target, and set a decoy list as well. This sends my scan along with a number of spoofed IPs that show up in the firewall's or IDS's log files. As an admin, looking at the logs shows that 20 different IPs are doing the same scan... which one is the real attacker?
I could set a decoy list for 10.1.1.1, 10.1.1.2, etc, etc.
I'm sure this is, or something like this, is the issue.
Just my theory anyway....
-
November 12th, 2002, 06:47 PM
#12
Do you have a proxy listening on 8080?
Is this a Watchguard log?
I suggest you drop incoming packets from private addresses at the router.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
November 12th, 2002, 07:18 PM
#13
Senior Member
Originally posted here by Tedob1
I suggest you drop incoming packets from private addresses at the router.
Doesn't that go without saying?
-
November 12th, 2002, 08:13 PM
#14
Sgt_B, scary enough, it doesn't. That's why firewalking works so well. Too many admins do not set up their routers properly, because they don't even think about that.
"Ignorance is bliss....
but only for your enemy"
-- souleman
-
November 12th, 2002, 08:27 PM
#15
Sgt_B: Ok.... I'm with you on the principle.... I even went back and took a look at the logs. On only one occasion in the last 24 hours has there been a public address SYN or whatever in amongst the private address events. Without the public address the nmap scan event would be useless to a footprinter, but with there being only one I put it down to coincidence, and that address showed up in other logs and proved to be valid activity. To further the point, though, why would one hide their valid scan amongst a pack of decoys that are sooooo obvious? It's like hiding a red ball in a pile of green ones; someone is going to see it really easily. I would really buy into your thoughts if the activity was coming from public addresses, in fact I would say you are absolutely correct, but in this situation it's not logical, and I'm a firm believer in logic.....
Tedob1: Yes, Watchguard. No proxies of any kind. Dropping private subnet packets at the firewall is default on the firewall. Additionally I have very tight ingress and egress filters that allow only required services in and out, sometimes limited to only specific remote addresses. Those were simply examples, so the port numbers are not truly representative; there tends to always be a readily recognizable port at the source or destination end of every event, and they are often the same at both.
Actually I'm really rather glad that someone hasn't just popped up and said "Oh, that's so-and-so"..... I'd have felt quite the fool......
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
November 13th, 2002, 02:55 PM
#16
Senior Member
Tiger: The red ball in a pile of green ones is not a correct analogy. I might not have described the feature properly. In the decoy list, you can specify public as well as private IP addresses. So if I sent 10 scans to your machine... all with public addresses that actually belonged to other people..... well.... find the red ball then! You can also specify your IP to scan at the end of the decoys. I've heard of some IDSs that will stop alerting after 5 or 6 of the same scan. This is just info I've heard, and have no resources to back it up though.
This in no way helps you, I just wanted to clarify a little...
Ok back on subject,
I agree that my previous post is invalid since no other scans are showing up. I'm quite stumped as to who or what is doing this. The only thing that I can think of is comparing your logs from the IDS and the firewall. Are there any inconsistencies? Just switched on paranoid mode. Perhaps someone has gotten to your firewall logs and has done some tampering, either removing their scans from the list, or covering their tracks by switching to a private IP address in the logs. Lame theory, but the only one I got.
Either that or a misconfigured router/computer on the internet somewhere. <--A bit more probable.
Either way, good luck, and let us know if you find the source!
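As an added example (not from any poster in this thread, and not Watchguard's real log format, which is simplified here into constructed lines): a Python script that looks for the decoy pattern Sgt_B describes in posts #11 and #16 (several sources hitting the same target with the same port sequence at the same moment) and then applies the point Tedob1 and souleman make about private source addresses: an RFC 1918 or loopback/link-local source cannot be the real scanner on the Internet, so in a decoy group only the public addresses are worth chasing. The log lines, the field layout, the `203.0.113.5` target and all source addresses are made up for the demonstration; the unroutable-address list is deliberately limited to RFC 1918 plus loopback and link-local, not a full bogon list.

```python
"""Spot nmap-style decoy scans in a firewall log and separate sources that
cannot be real (private/unroutable) from public addresses worth investigating.

Added example, not from the original thread. The log format is a constructed,
simplified one (not Watchguard's) and every address below is made up.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample log: date time action src dst dport proto/flags.
# Three sources probe 21, 22 and 80 on the same target in the same seconds,
# which is what a scan with two decoys looks like from the target's side.
SAMPLE_LOG = """\
2002-11-12 18:01:03 deny 10.1.1.1 203.0.113.5 21 tcp-syn
2002-11-12 18:01:03 deny 10.1.1.2 203.0.113.5 21 tcp-syn
2002-11-12 18:01:03 deny 198.51.100.77 203.0.113.5 21 tcp-syn
2002-11-12 18:01:04 deny 10.1.1.1 203.0.113.5 22 tcp-syn
2002-11-12 18:01:04 deny 10.1.1.2 203.0.113.5 22 tcp-syn
2002-11-12 18:01:04 deny 198.51.100.77 203.0.113.5 22 tcp-syn
2002-11-12 18:01:05 deny 10.1.1.1 203.0.113.5 80 tcp-syn
2002-11-12 18:01:05 deny 10.1.1.2 203.0.113.5 80 tcp-syn
2002-11-12 18:01:05 deny 198.51.100.77 203.0.113.5 80 tcp-syn
2002-11-12 18:30:00 deny 192.0.2.9 203.0.113.5 80 tcp-syn
"""

# RFC 1918 plus loopback, link-local and "this network". Assumption: these
# ranges are the ones the thread calls "private"; a full bogon list is longer.
UNROUTABLE_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]


def is_unroutable_source(addr: str) -> bool:
    """True if a packet with this source address should never arrive from the Internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in UNROUTABLE_SOURCES)


def parse_log(text: str) -> list:
    """Parse the constructed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, action, src, dst, dport, proto = line.split()
        events.append({"ts": datetime.fromisoformat(f"{date} {time}"),
                       "action": action, "src": src, "dst": dst,
                       "dport": int(dport), "proto": proto})
    return events


def scan_signatures(events: list, window_seconds: int = 60) -> dict:
    """Per (src, dst): the first-seen time and the ordered ports probed within
    window_seconds of it. Decoys replay the real scan, so they share a signature."""
    first_seen, ports = {}, defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["dst"])
        first_seen.setdefault(key, ev["ts"])
        if (ev["ts"] - first_seen[key]).total_seconds() <= window_seconds:
            ports[key].append(ev["dport"])
    return {k: (first_seen[k], tuple(v)) for k, v in ports.items()}


def decoy_groups(events: list, window_seconds: int = 60,
                 min_sources: int = 2, min_ports: int = 2) -> dict:
    """Sources that hit the same target with the same port sequence and started
    in the same time bucket. Keyed by (dst, ports, bucket)."""
    groups = defaultdict(set)
    for (src, dst), (first, ports) in scan_signatures(events, window_seconds).items():
        if len(ports) >= min_ports:
            bucket = int(first.timestamp() // window_seconds)
            groups[(dst, ports, bucket)].add(src)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_sources}


def triage(events: list) -> dict:
    """For each decoy group, split sources into ones that cannot be the real
    scanner (private/unroutable, so spoofed or leaked from another LAN) and
    public candidates an admin could actually follow up on."""
    report = {}
    for key, sources in decoy_groups(events).items():
        report[key] = {
            "spoofed_or_leaked": [s for s in sources if is_unroutable_source(s)],
            "public_candidates": [s for s in sources if not is_unroutable_source(s)],
        }
    return report


if __name__ == "__main__":
    for (dst, ports, _), verdict in triage(parse_log(SAMPLE_LOG)).items():
        print(f"target {dst} ports {ports}: {verdict}")
```

On the constructed log this reports one group against `203.0.113.5` for ports `(21, 22, 80)`, with `10.1.1.1` and `10.1.1.2` as spoofed-or-leaked and `198.51.100.77` as the only public candidate; the lone `192.0.2.9` probe half an hour later touches one port and is not grouped. A group made up entirely of private sources, as in the thread, is exactly the case where this approach leaves no candidate, which is why the posters fall back on a misconfigured router or a leaking LAN as the explanation.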
-
November 13th, 2002, 03:19 PM
#17
That is an odd one.
It appears that all of the incoming IP addresses are reserved for private networks, so if I have this right, that network address should only be on the inside of a network, and the IP coming to you should include the IP of the router or proxy that it is going through. Routers don't use reserved IP addresses, so they are pretty much null on the Internet. The similar addresses that you are getting may be a router or proxy that these addresses are coming from. So whatever is coming to you, it may be coming from the inside of another LAN.
Just like water off a duck's back... I AM HERE.
for CMOS help, check out my CMOS tut?