[nsp-sec] coordinated telnet scan of 149.163.0.0
Smith, Donald
Donald.Smith at qwest.com
Mon Feb 11 14:31:32 EST 2008
There are a lot of rate limiting type mitigations in effect that help
mitigate against repeated failed attempts from one IP by blacklisting
the IP the brute-force attacks are coming from.
Breaking your attack into smaller chunks and distributing it makes sense
and may still allow you to brute-force some percent of passwords without
getting blacklisted.
Do the scanning systems then come back and attempt to brute-force or are
they JUST SYN scanning?
RM=for(1)
{manage_risk(identify_risk(product[i++]))}
Donald.Smith at qwest.com giac
> -----Original Message-----
> From: Greenberg, David A [mailto:dgreenbe at iu.edu]
> Sent: Monday, February 11, 2008 11:24 AM
> To: nsp-security at puck.nether.net
> Cc: Smith, Donald
> Subject: RE: [nsp-sec] coordinated telnet scan of 149.163.0.0
>
> I just mean how they split up the IP range. Each scan seemed
> to know right where the previous scan left off. I'm only
> dealing with flow level data, and I haven't dug too deeply
> yet, so I can't be any more specific at this point. We see
> one IP scan entire ranges, but seeing a single port sweep
> spread amongst multiple sources is rare here.
>
> Thanks,
> David
>
> -----Original Message-----
> From: Smith, Donald [mailto:Donald.Smith at qwest.com]
> Sent: Monday, February 11, 2008 1:18 PM
> To: Greenberg, David A; nsp-security at puck.nether.net
> Subject: RE: [nsp-sec] coordinated telnet scan of 149.163.0.0
>
> David, by coordinated do you mean they shared a common dictionary but
> used separate portions of that dictionary?
>
> We had reports of that type of coordination for ssh attacks last year.
> http://isc2.sans.org/diary.html?storyid=3529
>
>
> RM=for(1)
> {manage_risk(identify_risk(product[i++]))}
> Donald.Smith at qwest.com giac
>
>
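One way to spot the pattern David describes (a single port sweep split across several sources, each picking up where the previous one left off) from flow-level records, as an added example that is not part of the original thread. The flow records, source addresses, and the gap and source-count thresholds are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address

def source_ranges(flows, dport=23):
    """Per source IP: (lowest dst, highest dst, distinct dst count) on dport.
    flows is an iterable of (src, dst, dport) tuples, e.g. reduced from NetFlow."""
    dsts = defaultdict(set)
    for src, dst, port in flows:
        if port == dport:
            dsts[src].add(int(ip_address(dst)))
    return {src: (min(d), max(d), len(d)) for src, d in dsts.items()}

def coordinated_sweeps(flows, dport=23, max_gap=4, min_sources=2):
    """Chain sources whose destination ranges do not overlap but start within
    max_gap hosts of where the previous source stopped. Returns a list of
    (sources, first_dst, last_dst) for chains of at least min_sources."""
    ranges = sorted(source_ranges(flows, dport).items(), key=lambda kv: kv[1][0])
    chains, cur = [], []
    for src, (lo, hi, _n) in ranges:
        # lo - prev_hi == 1 means contiguous; allow up to max_gap skipped hosts
        if cur and 0 < lo - cur[-1][2] <= max_gap + 1:
            cur.append((src, lo, hi))
        else:
            if len(cur) >= min_sources:
                chains.append(cur)
            cur = [(src, lo, hi)]
    if len(cur) >= min_sources:
        chains.append(cur)
    return [([s for s, _, _ in c],
             str(ip_address(c[0][1])),
             str(ip_address(max(h for _, _, h in c)))) for c in chains]

def _sweep(src, first_dst, n, dport=23):
    """Constructed helper: n flows from src to consecutive destinations."""
    base = int(ip_address(first_dst))
    return [(src, str(ip_address(base + i)), dport) for i in range(n)]

# Constructed sample flows (documentation-range sources, not real scanners):
# three sources tile 149.163.0.1-150 on tcp/23, one sweeps an unrelated block,
# one hits tcp/22 and must be ignored when looking at telnet.
SAMPLE_FLOWS = (
    _sweep("203.0.113.5", "149.163.0.1", 50)
    + _sweep("198.51.100.7", "149.163.0.51", 50)
    + _sweep("192.0.2.9", "149.163.0.101", 50)
    + _sweep("203.0.113.66", "149.163.4.1", 30)
    + _sweep("198.51.100.8", "149.163.0.1", 20, dport=22)
)

if __name__ == "__main__":
    for sources, first, last in coordinated_sweeps(SAMPLE_FLOWS):
        print(f"{first}-{last} swept by {len(sources)} sources: {sources}")
```

Raising max_gap tolerates sweeps that skip a few hosts between hand-offs; lowering min_sources to 1 turns this into an ordinary single-source sweep report.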