[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: FTP Bounce scan

Dries Kimpe <dries@wina.rug.ac.be> writes:

>   Today, I saw in the snort logs the following:
> (removed ip & date to get it in 78-col format)
> -> ip:58153 UNKNOWN *2*A**S* RESERVEDBITS
> -> ip:113 SYN 12****S* RESERVEDBITS
> -> ip:58154 UNKNOWN *2*A**S* RESERVEDBITS
> -> ip:58177 UNKNOWN *2*A**S* RESERVEDBITS
> -> ip:58180 UNKNOWN *2*A**S* RESERVEDBITS
> -> ip:113 SYN 12****S* RESERVEDBITS
> -> ip:22 SYNFIN ******SF 
> -> ip:22 SYN ******S* 
> Is this a so-called ftp-bounce scan? Because it starts every time with a
> connection from port 21, en next to a bunch of connections on higher
> ports. These came in bursts, each time for about one minute or so.

Looks like FTP to me, full-stop. It's just that you've not sorted out your
snort rules to cope with ECN yet, have you?

Tell me where oh where has summer gone      | debian@stirfried.vegetable.org.uk
It hasn't come this year                    | http://piglet.is.dreaming.org
You always cry when swallows fly            |
With doubts in search of dreams             |

Reply to: