Customer-facing ACLs

Justin Shore justin at justinshore.com
Sat Mar 8 18:27:37 UTC 2008


It varies widely.  I see some extremely slow scans (1 SYN every 2-5 
minutes).  This is what someone on the SANS ISC page mentioned I believe.

I've also seen scans last for up to 10 minutes.  The consistency of the 
speeds made me think that perhaps the scanning computer was on a slow link.

The worst scans are the ones that last a second or two and hit us with a 
SYN for every IP in our allocations.  That kind of scan and its flood of 
packets is the one that I don't think I can stop without some sort of QoS.

I've seen coordinated scans with everything from 2 to about a dozen 
different hosts scanning seemingly random IPs across our network.  I 
know it's coordinated though because together they hit every IP but 
never hit the same IP by more than one scanner.

I've seen scans that clearly learn where the accessible SSH daemons are, 
that then feed this info back to the puppet master so he can command a 
different compromised host (or hosts) to then handle the attacks.  I've 
also see a scanner first scan our network and then immediately start 
pounding on the accessible daemons.  Finally I've see the scanner stop 
its scan in mid-stream, pound on an accessible daemon for a while with a 
pre-defined set of userids and then continue on with the scans.

Clearly there's some variation in the scanning methods.

Justin

Frank Bulk wrote:
> The last few spam incidents I measured an outflow of about 2 messages per
> second.  Does anyone know how aggressive Telnet and SSH scanning is?  Even
> if it was greater, it's my guess there are many more hosts spewing spam than
> there are running abusive telnet and SSH scans.  




More information about the NANOG mailing list