How to report 38 port scans in 1 week from 7.12.12.16 (part of nic.mil)?

Discussion in 'Computer Security' started by Muzzy, Mar 24, 2006.

  1. Muzzy

    Muzzy Guest

    Hi folks,

    I know that getting port scanned is nothing unusual but I've gotten
    scanned 38 times in the last week from this one IP (7.12.12.16). A
    whois reports the IP as belonging to DoD Network Information Center in
    Columbus Ohio.

    I sent an e-mail to the contact in the whois record asking them to take
    action after the first day of active scans (20 scans).

    Any suggestions as to how one would report this and who to report this
    to?

    TIA

    Muzzy
    Muzzy, Mar 24, 2006
    #1

  2. Muzzy

    Guest

    It could be forged scans. Are these TCP or UDP scans? If TCP - are TCP
    connections established?

    You should capture some packets. They might be needed if the case is
    serious...

    Kind regards
    Ludovic Joly
    , Mar 24, 2006
    #2

  3. Muzzy

    Guest

    I forgot to mention: another thread reports similar action on
    comp.security.misc...
    , Mar 24, 2006
    #3
  4. Muzzy

    Muzzy Guest

    > It could be forged scans. Are these TCP or UDP scans? If TCP - are TCP
    > connections established?
    >
    > You should capture some packets. They might be needed if the case is
    > serious...
    >
    > Kind regards
    > Ludovic Joly


    Thanks for the reply,

    These are UDP scans. I don't know how to capture packets, I guess I'll
    have some reading to do on that. I'll check the other thread you
    mentioned as well.

    BTW, if you can give some hints as to where I could get info on
    capturing packets in a WinXP environment it would be much appreciated
    (cut down filtering through search results).

    Thanks again.

    Cheers,

    Muzzy
    Muzzy, Mar 24, 2006
    #4
  5. Muzzy

    Guest

    UDP scans - like in the other thread... It might be forged scans.

    You can capture network traffic with ethereal.

    Kind regards
    Ludovic Joly
    , Mar 24, 2006
    #5
  6. Muzzy

    Muzzy Guest

    > UDP scans - like in the other thread... It might be forged scans.
    >
    > You can capture network traffic with ethereal.
    >
    > Kind regards
    > Ludovic Joly


    Thank you very much. I'll try that application.
    I also looked at the other thread and I guess it is a forged scan... I
    just hope that I can figure out where it is coming from (curiosity and
    it will be a nice learning experience).

    Thanks again.

    Muzzy
    Muzzy, Mar 24, 2006
    #6
  7. Muzzy

    Moe Trin Guest

    On Fri, 24 Mar 2006, in the Usenet newsgroup alt.computer.security, in article
    <>, Muzzy wrote:

    >I know that getting port scanned is nothing unusual but I've gotten
    >scanned 38 times in the last week from this one IP (7.12.12.16). A
    >whois reports the IP as belonging to DoD Network Information Center in
    >Columbus Ohio.


    No, that's a mis-interpretation of the data. This Internet thingy was
    developed by DARPA in 1969, and the whois data reflects this. If you
    look at the current IPv4 address space
    http://www.iana.org/assignments/ipv4-address-space, you'll discover
    that network 7 has been listed as "Reserved". Further, if you attempt
    a traceroute, ping, or ANY network connection to any host in that
    network, the first router that has its head out of its ass will
    tell you that you can't get there from here.

    What you are seeing is your dumb ISP who doesn't feel that RFCs need to
    be complied with unless they are listed as "STANDARD", and a mere "BEST
    CURRENT PRACTICE" is crap that "the other guy" needs to follow, but
    not them.

    2827 Network Ingress Filtering: Defeating Denial of Service Attacks
    which employ IP Source Address Spoofing. P. Ferguson, D. Senie. May
    2000. (Format: TXT=21258 bytes) (Obsoletes RFC2267) (Updated by
    RFC3704) (Also BCP0038) (Status: BEST CURRENT PRACTICE)


    3704 Ingress Filtering for Multihomed Networks. F. Baker, P. Savola.
    March 2004. (Format: TXT=35942 bytes) (Updates RFC2827) (Also
    BCP0084) (Status: BEST CURRENT PRACTICE)

    >I send an e-mail to the contact in the whois record asking them to take
    >action after the first day of active scans (20 scans).


    No - they aren't going to do anything because they are not the problem.
    A spammer is spoofing the address - if you sniffed the packet, you'd find
    out what site is being spamvertised.

    >Any suggestions as to how one would report this and who to report this
    >to?


    Bitch at your incompetent ISP - and refer them to RFC2026, RFC2119, and
    the two documents above (RFC2827 and RFC3704). For what it's worth, we
    use port translation on our firewalls (both within the company and at
    the perimeters) to move any UDP traffic we generate (basically DNS queries)
    out of the range 1025 - 1050ish so that there can be no valid incoming
    traffic to those ports. Then our upstream can silently drop the packets
    destined for our addresses in that port range - saving as much as a half
    Megabyte of bandwidth per IP address per day. When you have (example) a
    /16 (255.255.0.0) network, that's nearly 33 Gigabyte of garbage dropped
    every day.

    Old guy
    Moe Trin, Mar 24, 2006
    #7
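Moe Trin's point, that a "scanner" in a reserved block cannot be real and the complaint belongs with your own ISP rather than the whois contact, can be turned into a triage pass over firewall drop logs. This is an added example, not code from the thread; the log line format, the sample lines, the 1025-1050 "dead" UDP port range and the list of unroutable source blocks (including 7.0.0.0/8 as the post says it was listed in 2006) are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Blocks that cannot legitimately source packets on the public Internet.
# 7.0.0.0/8 is here because the post says IANA listed it as "Reserved" in
# 2006 (assumption taken from the thread); the rest are the usual private,
# loopback and this-network blocks.
UNROUTABLE_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "7.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16")]
# UDP ports this site never uses as a query source port, so inbound UDP to
# them can never be a valid reply (assumed from the "1025 - 1050ish" remark).
DEAD_UDP_PORTS = range(1025, 1051)
# Constructed log format: "<date> <time> DROP <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(r"^(\S+ \S+) DROP (TCP|UDP) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

def parse_line(line):
    """Return (proto, src, dport) for a well-formed line, else None."""
    m = LOG_RE.match(line.strip())
    return (m.group(2), m.group(3), int(m.group(6))) if m else None

def is_unroutable_source(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in UNROUTABLE_SOURCES)

def triage(lines):
    """Group drops by source and decide where the complaint belongs: a
    routable source -> the whois abuse contact; an unroutable source is
    spoofed -> your own ISP, citing BCP 38 (RFC 2827 / RFC 3704)."""
    hits, dead, protos = Counter(), Counter(), {}
    for proto, src, dport in filter(None, map(parse_line, lines)):
        hits[src] += 1
        protos.setdefault(src, set()).add(proto)
        if proto == "UDP" and dport in DEAD_UDP_PORTS:
            dead[src] += 1
    return {src: {"hits": n, "protocols": sorted(protos[src]),
                  "dead_port_hits": dead[src],
                  "action": ("ask ISP for BCP38 ingress filtering"
                             if is_unroutable_source(src)
                             else "complain to whois abuse contact")}
            for src, n in hits.items()}

# Constructed sample: three spoofed UDP hits and one probe from a routable host.
SAMPLE_LOG = [
    "2006-03-20 10:01:12 DROP UDP 7.12.12.16:1026 -> 192.0.2.10:1026",
    "2006-03-20 10:01:13 DROP UDP 7.12.12.16:1027 -> 192.0.2.10:1027",
    "2006-03-20 11:40:07 DROP UDP 7.12.12.16:1029 -> 192.0.2.10:1029",
    "2006-03-20 12:15:44 DROP TCP 198.51.100.23:4321 -> 192.0.2.10:135",
]
```

Calling `triage(SAMPLE_LOG)` files the 7.12.12.16 hits under the ISP/BCP 38 action and the routable TCP probe under the whois contact, which is the split the thread arrives at.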