[nsp-sec] tcp/23 increase
Maurizio Molina
Maurizio.Molina at dante.net
Fri Jan 15 09:46:00 EST 2010
Hi all,
I confirm that also across our network (AS 20965) we saw these TCP SYN scans on port 23 with 60 bytes length.
There appear to be quite a few scanners involved. What we noted is that each of the scanners appears from 1 to 10 times at most.
It means that (since we use 1/100 sampling) each scanner does not scan more than a few tens of targets. Quite stealthy, I would say.
Maurizio
-----Original Message-----
From: Smith, Donald [mailto:Donald.Smith at qwest.com]
Sent: 14 January 2010 20:55
To: 'Greenberg, David A'; 'NSP-SEC List'
Subject: Re: [nsp-sec] tcp/23 increase
----------- nsp-security Confidential --------
Thanks David, I confirmed 31 out of the 34 hosts you showed for as209 were scanning for open telnet services across the net. So your report is verified:)
Additionally while looking at the netflow I saw some unusual patterns in the scanning.
The source port is pretty low. Something like 2k-4k (maybe 5k?) and the SYN packets are 60 bytes long.
That implies options. In normal traffic the most common SYN I see is 48 bytes long, 52 isn't very unusual, 40 happens but not very often any more except in DDoS attacks ;)
I don't think I have ever seen a 60-byte SYN before.
(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Greenberg, David A
> Sent: Wednesday, January 13, 2010 2:02 PM
> To: NSP-SEC List
> Subject: [nsp-sec] tcp/23 increase
>
> ----------- nsp-security Confidential --------
>
>
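An added example, not part of the original thread: one way to pull the pattern discussed above (bare SYNs to tcp/23, 60 bytes per packet, low source port) out of sampled flow records and count how often each source shows up. The CSV layout, the addresses and the 2000-5000 source-port bounds are assumptions made for this sketch; the records are constructed.

```python
import csv
import io
from collections import Counter

IP_TCP_BASE = 40      # 20-byte IPv4 header + 20-byte TCP header, no options
SYN, ACK = 0x02, 0x10

# Constructed sampled flow records (documentation addresses), not data from the thread.
# Columns: src, sport, dst, dport, proto, tcp_flags, packets, bytes
SAMPLE_FLOWS = """\
192.0.2.10,2311,198.51.100.7,23,6,0x02,1,60
192.0.2.10,2954,198.51.100.91,23,6,0x02,1,60
203.0.113.5,3120,198.51.100.40,23,6,0x02,1,60
203.0.113.77,51544,198.51.100.8,23,6,0x02,1,48
192.0.2.200,40112,198.51.100.9,23,6,0x12,1,60
192.0.2.33,1042,198.51.100.3,80,6,0x02,1,60
203.0.113.9,3301,198.51.100.12,23,6,0x02,2,120
"""

def syn_option_bytes(packets, total_bytes):
    """TCP option bytes per packet, or None if bytes is not a multiple of packets."""
    if packets <= 0 or total_bytes % packets:
        return None
    return total_bytes // packets - IP_TCP_BASE

def find_telnet_syn_scanners(flow_csv, dport=23, pkt_len=60, sport_range=(2000, 5000)):
    """Count sampled bare-SYN packets per source that match the reported pattern."""
    hits = Counter()
    for src, sport, _dst, dp, proto, flags, pkts, octets in csv.reader(io.StringIO(flow_csv)):
        flags = int(flags, 16)
        if int(proto) != 6 or int(dp) != dport:
            continue
        if not flags & SYN or flags & ACK:   # bare SYN only, skip SYN/ACK replies
            continue
        if syn_option_bytes(int(pkts), int(octets)) != pkt_len - IP_TCP_BASE:
            continue                         # 60-byte SYN means 20 bytes of options
        if not sport_range[0] <= int(sport) <= sport_range[1]:
            continue                         # assumed bounds for the "2k-4k (maybe 5k?)" range
        hits[src] += int(pkts)
    return hits

if __name__ == "__main__":
    for src, n in find_telnet_syn_scanners(SAMPLE_FLOWS).most_common():
        print(f"{src}: {n} sampled 60-byte SYNs to tcp/23")
```
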