[nsp-sec] coordinated telnet scan of 149.163.0.0
Greenberg, David A
dgreenbe at iu.edu
Mon Feb 11 13:23:47 EST 2008
I just mean how they split up the IP range. Each scan seemed to know right where the previous scan left off. I'm only dealing with flow level data, and I haven't dug too deeply yet, so I can't be any more specific at this point. We see one IP scan entire ranges, but seeing a single port sweep spread amongst multiple sources is rare here.
Thanks,
David
-----Original Message-----
From: Smith, Donald [mailto:Donald.Smith at qwest.com]
Sent: Monday, February 11, 2008 1:18 PM
To: Greenberg, David A; nsp-security at puck.nether.net
Subject: RE: [nsp-sec] coordinated telnet scan of 149.163.0.0
David, by coordinated do you mean they shared a common dictionary but
used separate portions of that dictionary?
We had reports of that type of coordination for ssh attacks last year.
http://isc2.sans.org/diary.html?storyid=3529
RM=for(1)
{manage_risk(identify_risk(product[i++]))}
Donald.Smith at qwest.com giac
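
An added example, not part of the original thread: one way to look in flow-level data for the pattern described in the first message, a single-port sweep split among several sources with each range starting where the previous one ended. The function name, the thresholds and the sample flow tuples are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

def coordinated_sweeps(flows, port, min_sources=3, min_targets=16, max_step=1):
    """Find groups of sources whose swept ranges on `port` line up end to start.

    flows: iterable of (src_ip, dst_ip, dst_port) taken from flow records.
    Returns a list of chains; each chain is [(src, first_dst, last_dst), ...].
    """
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport == port:
            targets[src].add(int(ipaddress.ip_address(dst)))

    # Keep sources that swept a dense, contiguous-looking block of addresses.
    spans = []
    for src, seen in targets.items():
        lo, hi = min(seen), max(seen)
        if len(seen) >= min_targets and len(seen) >= 0.8 * (hi - lo + 1):
            spans.append((lo, hi, src))
    spans.sort()

    # Chain spans where one source starts right after the previous one ended.
    chains, chain = [], []
    for span in spans + [None]:          # None flushes the last chain
        if span and chain and 0 < span[0] - chain[-1][1] <= max_step:
            chain.append(span)
            continue
        if len(chain) >= min_sources:
            chains.append([(s, str(ipaddress.ip_address(lo)), str(ipaddress.ip_address(hi)))
                           for lo, hi, s in chain])
        chain = [span] if span else []
    return chains

def sample_flows():
    """Constructed flow tuples: three sources splitting one telnet sweep, plus noise."""
    base = int(ipaddress.ip_address("10.20.0.0"))
    flows = []
    for i, src in enumerate(["203.0.113.5", "198.51.100.9", "203.0.113.77"]):
        flows += [(src, str(ipaddress.ip_address(base + 64 * i + n)), 23) for n in range(64)]
    # One source sweeping a whole block alone, and unrelated SSH traffic.
    lone = int(ipaddress.ip_address("10.20.5.0"))
    flows += [("192.0.2.44", str(ipaddress.ip_address(lone + n)), 23) for n in range(64)]
    flows += [("192.0.2.80", "10.20.0.10", 22)]
    return flows

if __name__ == "__main__":
    for chain in coordinated_sweeps(sample_flows(), port=23):
        print(chain)
```

The lone scanner in the sample is not reported because its range does not abut any other source's range; raising `max_step` tolerates small gaps from sampled or dropped flows.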