Re: FTP Bounce scan
Dries Kimpe <dries@wina.rug.ac.be> writes:

>   Today, I saw in the snort logs the following:
> (removed ip & date to get it in 78-col format)
>
> 193.189.224.13:21 -> ip:58153 UNKNOWN *2*A**S* RESERVEDBITS
> 193.189.224.13:42940 -> ip:113 SYN 12****S* RESERVEDBITS
> 193.189.224.13:42941 -> ip:58154 UNKNOWN *2*A**S* RESERVEDBITS
[snip]
> 193.189.224.13:42967 -> ip:58177 UNKNOWN *2*A**S* RESERVEDBITS
> 193.189.224.13:21 -> ip:58180 UNKNOWN *2*A**S* RESERVEDBITS
> 193.189.224.13:43074 -> ip:113 SYN 12****S* RESERVEDBITS
> 143.169.4.111:22 -> ip:22 SYNFIN ******SF 
> 143.169.4.111:4614 -> ip:22 SYN ******S* 
>
> Is this a so-called ftp-bounce scan? Because it starts every time with a
> connection from port 21, and then a bunch of connections on higher
> ports. These came in bursts, each time for about one minute or so.

Looks like FTP to me, full-stop. It's just that you've not sorted out your
snort rules to cope with ECN yet, have you?

~Tim
-- 
Tell me where oh where has summer gone      | debian@stirfried.vegetable.org.uk
It hasn't come this year                    | http://piglet.is.dreaming.org
You always cry when swallows fly            |
With doubts in search of dreams             |