[nsp-sec] coordinated telnet scan of 149.163.0.0

Greenberg, David A dgreenbe at iu.edu
Mon Feb 11 18:28:22 EST 2008


I agree.  We'll probably only see more of this as time goes on.  I just wanted to post the list in case somebody noticed a connection.

Looks like just SYN scanning so far.  They have not come back from the IPs I checked...yet.

Thanks,
David

-----Original Message-----
From: Smith, Donald [mailto:Donald.Smith at qwest.com] 
Sent: Monday, February 11, 2008 2:32 PM
To: Greenberg, David A; nsp-security at puck.nether.net
Subject: RE: [nsp-sec] coordinated telnet scan of 149.163.0.0

There are a lot of rate-limiting-type mitigations in effect that help
mitigate repeated failed attempts from one IP by blacklisting
the IP the brute-force attacks are coming from.

Breaking your attack into smaller chunks and distributing it makes sense
and may still allow you to brute-force some percentage of passwords without
getting blacklisted.

Do the scanning systems then come back and attempt to brute-force, or are
they JUST SYN scanning?



RM=for(1)
{manage_risk(identify_risk(product[i++]))}
Donald.Smith at qwest.com giac

> -----Original Message-----
> From: Greenberg, David A [mailto:dgreenbe at iu.edu]
> Sent: Monday, February 11, 2008 11:24 AM
> To: nsp-security at puck.nether.net
> Cc: Smith, Donald
> Subject: RE: [nsp-sec] coordinated telnet scan of 149.163.0.0
>
> I just mean how they split up the IP range.  Each scan seemed
> to know right where the previous scan left off.   I'm only
> dealing with flow level data, and I haven't dug too deeply
> yet, so I can't be any more specific at this point.  We see
> one IP scan entire ranges, but seeing a single port sweep
> spread amongst multiple sources is rare here.
>
> Thanks,
> David
>
> -----Original Message-----
> From: Smith, Donald [mailto:Donald.Smith at qwest.com]
> Sent: Monday, February 11, 2008 1:18 PM
> To: Greenberg, David A; nsp-security at puck.nether.net
> Subject: RE: [nsp-sec] coordinated telnet scan of 149.163.0.0
>
> David by coordinated do you mean they shared a common dictionary but
> used separate portions of that dictionary?
>
> We had reports of that type of coordination for ssh attacks last year.
> http://isc2.sans.org/diary.html?storyid=3529
>
>
> RM=for(1)
> {manage_risk(identify_risk(product[i++]))}
> Donald.Smith at qwest.com giac
>
>


This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful.  If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.
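The thread describes the detection problem, not a detector: each source SYN-scans only a slice of the range (too few hosts to trip a per-source scan or brute-force threshold), and the next source picks up exactly where the previous one stopped. The script below is an added example, not code from the list or its participants. It runs over constructed nfdump-style flow records (the record layout, the flag letters, the per-source alert threshold of 100 hosts and the documentation-range addresses 198.51.100.0/24 and 203.0.113.0/24 are all assumptions) and shows that a per-source count stays silent while aggregating by destination range, then checking that the per-source slices are contiguous and handed off in time order, flags the sweep as coordinated.

```python
"""Spot a distributed single-port sweep in flow-level data.

Added example for the nsp-sec thread above; not the list's or any participant's code.
Flow layout, flags, thresholds and all addresses are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Dict, List, Set


@dataclass(frozen=True)
class Flow:
    start: int      # epoch seconds of the flow's first packet (constructed)
    src: str
    dst: str
    dport: int
    flags: str      # TCP flags seen in the flow as nfdump-style letters (assumed format)
    packets: int


def build_sample_flows() -> List[Flow]:
    """Constructed flows: three sources each SYN-scan one contiguous slice of
    198.51.100.0/24 on tcp/23 (hosts 0-84, 85-169, 170-254), one after the
    other, plus unrelated background traffic from a fourth host."""
    flows: List[Flow] = []
    slices = [("203.0.113.10", 0, 84, 1000),
              ("203.0.113.77", 85, 169, 1400),
              ("203.0.113.200", 170, 254, 1800)]
    for src, lo, hi, t0 in slices:
        for i, h in enumerate(range(lo, hi + 1)):
            flows.append(Flow(t0 + i, src, f"198.51.100.{h}", 23, "S", 1))
    # Background noise: a completed HTTP session and one stray telnet SYN.
    flows.append(Flow(1200, "203.0.113.5", "198.51.100.20", 80, "SAPF", 12))
    flows.append(Flow(1250, "203.0.113.5", "198.51.100.21", 23, "S", 1))
    return flows


def syn_only(f: Flow) -> bool:
    """A bare SYN with no handshake: what a SYN scan looks like in flow data."""
    return f.flags == "S" and f.packets <= 2


def analyze_sweep(flows: List[Flow], target: str = "198.51.100.0/24", port: int = 23,
                  per_source_alert: int = 100, min_slice: int = 8) -> dict:
    """Compare a per-source threshold with an aggregate, coverage-based view.

    per_source_alert: hosts one source must touch before a classic scan
                      detector would flag it (assumed value).
    min_slice:        smallest per-source slice considered a sweep participant,
                      so a single stray SYN does not break the contiguity check.
    """
    net = ip_network(target)
    dsts: Dict[str, Set[int]] = defaultdict(set)
    first_seen: Dict[str, int] = {}
    for f in flows:
        if f.dport != port or not syn_only(f) or ip_address(f.dst) not in net:
            continue
        dsts[f.src].add(int(ip_address(f.dst)))
        first_seen[f.src] = min(first_seen.get(f.src, f.start), f.start)

    # What a per-source detector sees: nobody reaches the threshold.
    per_source_flagged = sorted(s for s, d in dsts.items() if len(d) >= per_source_alert)

    # What the target range sees: union of all destinations across sources.
    covered: Set[int] = set().union(*dsts.values())

    # Per-source slices ordered by first destination; each must start exactly
    # one host after the previous one ended, and start later in time.
    slices = sorted((min(d), max(d), s) for s, d in dsts.items() if len(d) >= min_slice)
    contiguous = len(slices) >= 2 and all(
        slices[i][0] == slices[i - 1][1] + 1 for i in range(1, len(slices)))
    in_time_order = all(
        first_seen[slices[i][2]] > first_seen[slices[i - 1][2]] for i in range(1, len(slices)))

    return {
        "per_source_flagged": per_source_flagged,
        "hosts_covered": len(covered),
        "coverage_fraction": len(covered) / net.num_addresses,
        "slices": [(s, str(IPv4Address(lo)), str(IPv4Address(hi)), hi - lo + 1)
                   for lo, hi, s in slices],
        "coordinated_sweep": contiguous and in_time_order and len(covered) >= per_source_alert,
    }


if __name__ == "__main__":
    result = analyze_sweep(build_sample_flows())
    for k, v in result.items():
        print(f"{k}: {v}")
```

Run against the constructed flows, no source is flagged on its own (85 hosts each, under the assumed 100-host threshold), yet 255 of 256 hosts in the /24 receive a telnet SYN and the three slices hand off at exact boundaries in time order, which is the pattern described in the thread. The same aggregation applied per target account rather than per target range is what catches the split-dictionary SSH attacks referenced via the ISC diary: counting failures by victim instead of by attacker source.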