Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: UDP Port Sweep question

from [David Gillett] Network Security [Permanent Link]
Subject: RE: UDP Port Sweep question
Date: Wed, 29 Dec 2004 11:11:08 -0800 
  These port numbers are all in the range used by UDP-based versions
of traceroute....


-----Original Message-----
From: Billy Dodson [mailto:billy@pmm-i.com]
Sent: Wednesday, December 29, 2004 10:35 AM
To: dparker@bridonsecurity.com
Cc: incidents@securityfocus.com
Subject: RE: UDP Port Sweep question


Here is some more info regarding the port sweeps.  The port the client
is being hit on seems to vary.  The client is being hit on the same 8
port range from each IP port 33434-33460.  All 3 sensors from the 3
different clients show the same destination port range.  The 
sensors are
cisco IDS sensors and I am unsure as to how to get the actual packet
from the event.


-----Original Message-----
From: Don Parker [mailto:dparker@bridonsecurity.com] 
Sent: Tuesday, December 28, 2004 5:12 PM
To: incidents@securityfocus.com; 'Billy Dodson'
Subject: Re: UDP Port Sweep question

Hello Billy,

Might I suggest you post some of the packets here? It is hard to make
judgement
calls without something to look at. Just sanitize the ip's prior to
posting the
packets.

Cheers,

Don

--------------------------------------------------------------
Don Parker, GCIA GCIH
Intrusion Detection & Incident Handling Specialist
Bridon Security & Training Services
http://www.bridonsecurity.com
voice: 1-613-302-2910
--------------------------------------------------------------

On Tue, 28 Dec 2004 22:31 , 'Billy Dodson'
<CraftedPacket@securitynerds.org> sent:


I monitor 3 different sensors which are continuously pounded with

network

reconnaissance of all types.  These sensors all belong to financial
institutions.  One thing that jumped out at me are "UDP Port Sweeps"
events from about 15 different IP addresses which all belong 

to either
IBM

or Sequent (which was bought by IBM). I see these same IP addresses

doing

the same thing on all three sensors.  I have contacted the 

clients and

they do not deal with IBM or Sequent in any way. Are there legitimate

type

traffic
that would cause these events to fire?  It is odd to me that 

I see them
on

all 3 sensors for 3 different companies but all happen to be in the
financial industry. Thanks in advance for your input.

<<attachment: winmail.dat>>

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: UDP Port Sweep question, Billy Dodson
Next by Date:  Re: UDP Port Sweep question, Tim
Previous by Thread:  RE: UDP Port Sweep question, Billy Dodson
Next by Thread:  Re: UDP Port Sweep question, Tim
Indexes:  [Date] [Thread] [Top] [All Lists]