The traffic "from" 88.208.0.0/18, 5.11.80.0/21, and 78.140.128.0/18 doesn't match the packet signatures for Masscan, ZMap, or any other well-known scanner. The traffic is likely spoofed.
__
*Troy Mursch*
@bad_packets

On Fri, Aug 16, 2019 at 3:28 PM Jared Smith <j...@vols.utk.edu> wrote:

> I would think Shodan/Zmap/pick your multi-IP-block-scanning-tool would
> portray similar behavior.
>
> Echoing Matt’s “probably shouldn’t worry” sentiment, this could just be
> someone running an incantation of such tools for research or recreational
> purposes.
>
> Best,
> Jared
>
> On Aug 16, 2019, 18:21 -0400, Matt Harris , wrote:
>
> > On Fri, Aug 16, 2019 at 5:05 PM Jim Shankland <na...@shankland.org> wrote:
> >
> > > 1. Rate seems too slow to do any actual damage (is anybody really
> > > bothered by a few bad SYN packets per second per service, at this
> > > point?); but
> >
> > Common technique used by port scanners to evade detection as a DoS attack
> > by fw/ids/etc.
> >
> > > 2. IPs/port combinations with actual open services are being targeted
> > > (I'm seeing ports 22, 443, and 53, just at a glance, to specific IPs
> > > with those services running), implying somebody checked for open
> > > services first;
> >
> > Or they're just checking if certain common ports are open with the
> > intention of later trying known exploits against those which are reachable
> > in order to attempt to compromise the hosts. Build the DB of reachable
> > hosts/ports now, come back with exploits later.
> >
> > > 3. I'm seeing this in at least 2 locations, to addresses in different,
> > > completely unrelated ASes, implying it may be pretty widespread.
> >
> > Sounds like a relatively common pattern though.
> >
> > > Is anybody else seeing the same thing? Any thoughts on what's going on?
> > > Or should I just be ignoring this and getting on with the weekend?
> >
> > I wouldn't worry too much about it unless you have reason to believe some
> > of the likely-forthcoming exploits may actually work. Of course, if that's
> > the case, you should fix them anyhow.
> >
> > Have a good weekend!
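Troy's reply above rests on a header check: the SYNs do not carry the fingerprints the common mass scanners leave in the IPv4/TCP headers. The following Python checker is an added example, not code from this thread or from either tool's project. It assumes two header defaults: ZMap writes the constant 54321 into the IPv4 identification field, and Masscan sets that field to the low 16 bits of (destination IP XOR destination port XOR TCP sequence number). The packets it parses are constructed in the script itself from documentation-range addresses; none of the prefixes or hosts mentioned in the thread appear in it, and nothing is sent on the wire.

```python
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

# Assumed header defaults of the two scanners (assumptions of this example,
# not something stated in the thread).
ZMAP_IP_ID = 54321      # ZMap: constant IPv4 identification value
SYN_FLAG = 0x02         # TCP flags word with only SYN set


@dataclass
class SynProbe:
    src_ip: str
    dst_ip: str
    ip_id: int
    dst_port: int
    seq: int
    window: int
    flags: int


def _ip_to_int(ip: str) -> int:
    return int.from_bytes(bytes(int(o) for o in ip.split(".")), "big")


def parse_ipv4_tcp(pkt: bytes) -> SynProbe:
    """Extract the fields used for scanner fingerprinting from a raw IPv4+TCP
    packet (no link-layer header). Raises ValueError for anything else."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 20 or pkt[9] != 6:
        raise ValueError("truncated packet or not TCP")
    ip_id = struct.unpack_from("!H", pkt, 4)[0]
    src_ip = ".".join(str(b) for b in pkt[12:16])
    dst_ip = ".".join(str(b) for b in pkt[16:20])
    _sport, dst_port, seq, _ack, off_flags, window = struct.unpack_from("!HHIIHH", pkt, ihl)
    return SynProbe(src_ip, dst_ip, ip_id, dst_port, seq, window, off_flags & 0x1FF)


def classify(p: SynProbe) -> str:
    """'zmap', 'masscan', 'unknown' (bare SYN with neither signature) or 'not-syn'."""
    if p.flags != SYN_FLAG:
        return "not-syn"
    if p.ip_id == ZMAP_IP_ID:
        return "zmap"
    # Assumed Masscan signature: IP ID derived from the target and the sequence number.
    if p.ip_id == ((_ip_to_int(p.dst_ip) ^ p.dst_port ^ p.seq) & 0xFFFF):
        return "masscan"
    return "unknown"


def fingerprint_counts(packets: Iterable[bytes]) -> dict:
    """Tally classifications over a capture; the 'unknown' SYNs are the ones that,
    as in the thread, neither tool explains and that may be spoofed."""
    return dict(Counter(classify(parse_ipv4_tcp(pkt)) for pkt in packets))


def build_syn(src_ip, dst_ip, dst_port, seq, ip_id, window, src_port=40000) -> bytes:
    """Constructed test vector only: a bare SYN with zero checksums, never transmitted."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, 64, 6, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    tcp_hdr = struct.pack("!HHIIHHHH", src_port, dst_port, seq, 0,
                          (5 << 12) | SYN_FLAG, window, 0, 0)
    return ip_hdr + tcp_hdr


# Constructed samples using RFC 5737 documentation addresses.
TARGET = "203.0.113.10"
SAMPLE_PACKETS = {
    "zmap_like": build_syn("198.51.100.7", TARGET, 443, 0x12345678, ZMAP_IP_ID, 65535),
    "masscan_like": build_syn("198.51.100.8", TARGET, 22, 0xDEADBEEF,
                              (_ip_to_int(TARGET) ^ 22 ^ 0xDEADBEEF) & 0xFFFF, 1024),
    "plain_syn": build_syn("198.51.100.9", TARGET, 53, 1, 12345, 29200),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:13s} -> {classify(parse_ipv4_tcp(pkt))}")
    print(fingerprint_counts(SAMPLE_PACKETS.values()))
```

Both fingerprints live in fields the sender controls, so a match only says the packet looks like that tool's output, and a miss (the situation in the thread) says only that it was not an unmodified ZMap or Masscan. Combined with a low, steady per-service rate and source prefixes that do not answer, the miss is what supports the spoofing reading rather than proving it.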