Folks,
 We have a strange situation occurring lately where we are getting some reports 
of TCP sweeps from one of our IP's, yet the IP is one of many specifically 
configured for inbound traffic and does not emit outbound traffic except in 
response. Specifically, these are DDoS mitigation IP's, so they are attacked 
fairly frequently. With this in mind, for the last few days one of the IP's being 
reported has been under constant attack.

Here is an example report we received from AT&T:
04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] 
(total=23,dp=1024,min=212.1.185.6,max=212.1.191.127,Jun27-04:21:01,Jun27-04:29:26)
 (USI-amsxaid01)
04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] 
(total=16,dp=3072,min=212.1.189.1,max=212.1.188.118,Jun27-04:21:15,Jun27-04:29:09)
 (USI-amsxaid01)
04:36:44 x.x.x.x 0.0.0.0 [TCP-SWEEP] 
(total=16,dp=1024,min=212.1.188.1,max=212.1.185.126,Jun27-04:29:51,Jun27-04:35:53)
 (USI-amsxaid01)
04:20:47 x.x.x.x 0.0.0.0 [TCP-SWEEP] 
(total=25,dp=1024,min=212.1.190.11,max=212.1.189.120,Jun27-04:12:37,Jun27-04:20:40)
 (USI-amsxaid01)
04:20:47 x.x.x.x 0.0.0.0 [TCP-SWEEP] 
(total=18,dp=3072,min=212.1.189.3,max=212.1.186.118,Jun27-04:13:15,Jun27-04:20:37)
 (USI-amsxaid01)
04:12:36 x.x.x.x 0.0.0.0 [TCP-SWEEP] 
(total=34,dp=1024,min=212.1.191.8,max=212.1.191.121,Jun27-03:56:28,Jun27-04:12:29)
 (USI-amsxaid01)
04:12:36 x.x.x.x 0.0.0.0 [TCP-SWEEP] 
(total=28,dp=3072,min=212.1.186.6,max=213.244.176.119,Jun27-03:56:48,Jun27-04:11:45)
 (USI-amsxaid01)
------------------------
Report from DK*CERT:
If nothing else is mentioned below, the timezone is believed to be UTC+0200 (CEST)
Destination address(es): Addresses in the networks 130.225.16.0/22 and 130.225.2.128/25

Security logs:
#Jun 27 18:13:40 2010 .. Jun 27 18:58:13 2010
# Scan from x.x.x.x affecting at least
# 81 addresses targeting TCP:1024, TCP:3072.
#
------------------------
I have removed our IP and replaced it with x.x.x.x.  To be a bit more clear, 
this is a reverse-proxy IP address. This IP is in a NAT type configuration 
where it is sent back to filtering clusters. No outbound traffic is configured 
on these IP's except where requests / responses flow through it.

I know a year or two ago there was a bug in Cisco IOS that would report a sweep 
when an extreme packet load occurred or a burst hit. At the time of this report we 
saw an attack burst to around 310,000 PPS on this IP (inbound). Is it simply 
likely that the networks reporting have several IP's being used in the attack and 
that is what they are seeing? That's what we originally thought, but the port 
scans throw that theory off... Our security team has gone through all PCAPs 
during the mentioned time frames and we are not showing any sort of outbound 
scan traffic.

Any ideas why this would be showing as a sweep? Our IDS systems do not scan 
requesting IP's originating systems. Any help is appreciated, we're simply 
trying to get to the bottom of the reports.

Kevin
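To check reports like the AT&T one above against local captures, here is an added example (not from the post, from AT&T or from DK*CERT) that parses the quoted report format as it arrived, including the line wrapping the mail introduced, and collapses the records into per-destination-port time windows to pull from the PCAPs; the year is an assumption (the report omits it; 2010 is taken from the DK*CERT report), and the sample records are constructed from the format shown.

```python
import re
from datetime import datetime
# Constructed sample in the AT&T format quoted in the post, kept in the wrapped
# form the mail arrived in (each record spans three physical lines).
SAMPLE = """04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP]
(total=23,dp=1024,min=212.1.185.6,max=212.1.191.127,Jun27-04:21:01,Jun27-04:29:26)
 (USI-amsxaid01)
04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP]
(total=16,dp=3072,min=212.1.189.1,max=212.1.188.118,Jun27-04:21:15,Jun27-04:29:09)
 (USI-amsxaid01)
04:36:44 x.x.x.x 0.0.0.0 [TCP-SWEEP]
(total=16,dp=1024,min=212.1.188.1,max=212.1.185.126,Jun27-04:29:51,Jun27-04:35:53)
 (USI-amsxaid01)
"""
RECORD_START = re.compile(r"^\d\d:\d\d:\d\d ")
RECORD_RE = re.compile(r"^(?P<logged>\S+) (?P<src>\S+) (?P<dst>\S+) \[(?P<event>[A-Z-]+)\] "
                       r"\((?P<kv>[^)]*)\) \((?P<sensor>[^)]*)\)$")

def unwrap(text):
    """Re-join wrapped records: a line beginning with hh:mm:ss opens a new record."""
    records = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def parse_report(text, year=2010):
    """Parse each record into a dict; the year is assumed since the report omits it."""
    events = []
    for m in filter(None, map(RECORD_RE.match, unwrap(text))):
        parts = m.group("kv").split(",")
        kv = dict(p.split("=", 1) for p in parts if "=" in p)
        first, last = [p for p in parts if "=" not in p]  # the two bare timestamps
        e = {k: m.group(k) for k in ("logged", "src", "dst", "event", "sensor")}
        e.update(total=int(kv["total"]), dp=int(kv["dp"]), min=kv["min"], max=kv["max"],
                 first=datetime.strptime(f"{year}-{first}", "%Y-%b%d-%H:%M:%S"),
                 last=datetime.strptime(f"{year}-{last}", "%Y-%b%d-%H:%M:%S"))
        events.append(e)
    return events

def pcap_windows(events):
    """Per destination port: hosts flagged and the overall window to pull from local PCAPs."""
    out = {}
    for e in events:
        w = out.setdefault(e["dp"], {"total": 0, "first": e["first"], "last": e["last"]})
        w["total"] += e["total"]
        w["first"], w["last"] = min(w["first"], e["first"]), max(w["last"], e["last"])
    return out
```

The windows it returns are the exact intervals to filter the local PCAPs on (source = the reported IP, destination port = dp) to confirm whether any outbound SYNs exist at all.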

