GroupStudy.com GroupStudy.com - A virtual community of network engineers
 Home  BookStore  StudyNotes  Links  Archives  StudyRooms  HelpWanted  Discounts  Login
Re: Off Topic - IP protocol scans [7:49358] posted 07/21/2002
[Chronological Index] [Thread Index] [Top] [Date Prev][Date Next] [Thread Prev][Thread Next]


never mind - I've done a bit of testing, and it appears that the IP number
that is incrementing is a count of distinct events. I.e. if I do a test
ping, let it sit a while, and do another test ping, I see the number
increment.

I gotta get out more.



""Chuck""  wrote in message
news:200207211916.TAA32285@xxxxxxxxxxxxxxxxx
> I have a piece of equipment connected to the public internet for something
> I'm doing with a friend. It is protected by an access-list restricting the
> source address and the particular application.
>
> However, in monitoring the device, I am seeing what appear to be not only
> TCP port scans, but IP protocol scans. I.e. a series of inquiries using
> different successive IP protocol numbers.
>
> 17:43:26: datagramsize=48, IP 87: s=x.x.x.x (local), d=12.246.161.19, totl
> 17:43:26: datagramsize=48, IP 87: s=x.x.x.x (local), d=12.246.161.19 (Fast
> 17:43:26: datagramsize=70, IP 87: s=x.x.x.x (local), d=12.246.161.19 (Fast
> 17:43:32: datagramsize=48, IP 88: s=x.x.x.x (local), d=12.246.161.19,
totlen
> 56,
> 17:56:30: datagramsize=48, IP 90: s=x.x.x.x (local), d=61.37.239.23, totle
> 17:56:36: datagramsize=48, IP 91: s=x.x.x.x (local), d=61.37.239.23, totle
> ( this output is showing the reply my device is sending to the IP's in
> question. )
>
> at least, I am assuming that the IP XX = the IP protocol number, as
reported
> by the debug.
>
> Just wondering if one of you security gurus might shed some light here,
> seeing as how out of touch I seem to be. This one of the standard hacking
> procedures? Been around a while? new because so many entities are now
doing
> a lot more to crack down on TCP port scanning?
>
> I checked the various registries. The behavior is coming from several
> places, some Thailand, some Korea, some from customers of ATT.net
>
> Just looking to increase my awareness.
>
> thanks.
>
> Chuck




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=49359&t=49358
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to abuse@xxxxxxxxxxxxxx