Solved

Scanners changing IPs

Posted on 2003-12-01
513 Views
Last Modified: 2010-04-11
When I look at our IDS summaries, I notice many people who scan our netblock change their IP address at very close intervals.  I am 99% sure that it is the same person scanning because of the other identifying information in the report, but I want to know how they change their IP in less than one second in some cases.  I have read about the features of some of the popular scanning tools like Nessus and Nmap, but am unable to see where those tools do that.  Thanks,
Kat
Question by:kat120
12 Comments
 
LVL 2

Expert Comment

by:joele23
ID: 9854469
Is it possible the 'identifying information' is contained in the scanning tool, which multiple users could be running against your network?

It is possible to use proxies. The attacker could have made a Perl script that goes through a list of proxies; maybe for every 10 ports he switches the proxy that he uses. There are sites that have hundreds of proxies listed, so he could have this list all ready to go before he begins scanning your network.

Or the attacker could intentionally be scanning you with bogus IPs, which he could randomly generate with libnet. Then he also scans your network with his real IP. The thought being: you have now seen hundreds of IPs, and which one do you follow up on?

 
0
 
LVL 24

Expert Comment

by:SunBow
ID: 9854652
Yeah, could be bogus IPs, or stuck in an ISP that is actually doing it to him.

My guess is that you are ready to take the step of attempting to identify an ISP that you can personally deal with to shut them down if they are intrusive, and not simply a general network mapping tool (that should have a long interval between scans). I think it is pointless to try to take time here to teach people how to be evasive or use subterfuge.

Have you tried to identify the source of these scans? Are you concerned about them attacking or snooping where they do not belong? Turn them in to your own ISP.
0
 
LVL 1

Expert Comment

by:Arrummzen
ID: 9854842
Method one - When able to sniff the internal network. When you can sniff the internal network, you need not use your true IP. It could be some guy in a van in your parking lot, with a wireless sniffer, who also has a PC at home. He could use the popular *IX command ifconfig to change the IP on his home system (or a pf_packet socket in a custom sniffer) to send connection requests from fake IPs. Although the response would never get back to his home system, the laptop sniffing the wireless network can see the response and determine if the port is open. This makes it almost impossible to detect. Do you have a WLAN (wireless local area network)?

The information could also be leaked by your IDS. Example:
He has compromised the home PC of an administrator who receives email updates from the IDS. He could then determine what the effect of each packet is on the NIDS; via this method he can gather information about internal IPs, hostnames, services etc.

If he is sending the packets from a fake IP and receiving the results via a 100% passive sniffer, tracing him is not possible. I am not aware of any tools that do this that are publicly available; however, I do have a crude implementation. Basically you use ifconfig to change the IP on the remote system (the one that sends the packet) and launch an nmap scan on a small port range, then use ifconfig to change it again. Then you do a little ngrepping, or save a packet log and analyze it with another tool like Ethereal, and you have your results. Not traceable. Note that he has to first be able to listen in on the WLAN, but this is not hard. Any skilled attacker can bypass WEP.

I doubt it's a proxy, but it's possible. He could have rooted a bunch of PCs and now be using them as his proxies.

Thank you for your time,
Arrummzen
0
 
LVL 1

Expert Comment

by:Arrummzen
ID: 9854858
Replace 'sniffer' in "(or a pf_packet socket in a custom sniffer)" with scanner.

I need to be able to edit my comments.

Thank you for your time,
Arrummzen
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9858138
If one had an adequate piece of a netblock, rotating source addresses could be a valid IDS evasion tactic, and wouldn't be difficult to script. Can you post a snippet?
0
 
LVL 2

Author Comment

by:kat120
ID: 9858909
Thanks for all of your comments.  I am not interested in reporting the scanners to their ISP or our ISP, rather I am just trying to learn motivation and how they do some of the things they do.  Here is an example of what I am talking about:

2003/11/24 21:02:09 217.75.55.56 debica-217.75.55.56.debica55.ptc.pl Poland (unknown) Multiple Port Scan 192.xxx.xxx.xxx Network of  Telekomunikacja Debicka S.A. - internet and telephone service provider  serves customers near Debica-city 24 ports, 23 hosts

2003/11/24 22:05:45 217.75.55.93 debica-217.75.55.93.debica55.ptc.pl Poland (unknown) Multiple Port Scan 192.xxx.xxx.xxx Network of  Telekomunikacja Debicka S.A. - internet and telephone service provider  serves customers near Debica-city 6 ports, 6 hosts

2003/11/24 22:10:18 217.75.55.100 debica-217.75.55.100.debica55.ptc.pl Poland (unknown) Multiple Port Scan 192.xxx.xxx.xxx Network of  Telekomunikacja Debicka S.A. - internet and telephone service provider  serves customers near Debica-city 21 ports, 19 hosts

In this particular snippet, Mr. Poland guy changed his IP every few minutes, but I have seen where it changes every few seconds or even fractions of seconds.  It is *possible* that it is a ring of kids, each with their own computers and IPs, but there are too many different IPs to make that logical.  
And another question for those who might engage in this sort of activity: why do they keep coming back day after day if they aren't finding anything?  I am confident that they are not penetrating the firewall, so my only guess is that they have this netblock programmed into their scanner and they are plugging away every day until they hit every host?  
Thanks for your comments,
Kat
0
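The thread's underlying question is whether events like the three quoted above, each from a different 217.75.55.x address, belong to one source. The following is an added example, not code from any poster: it parses IDS summary lines in the format Kat quoted, groups them by /24 and time gap, and reports how many distinct source IPs each group used. The sample lines are constructed, modelled on the quoted ones, with the provider description collapsed to "provider text" and one unrelated source added.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample, modelled on the IDS summary lines quoted in the thread;
# the fourth line is an unrelated source added to show it stays separate.
SAMPLE = """\
2003/11/24 21:02:09 217.75.55.56 debica-217.75.55.56.debica55.ptc.pl Poland (unknown) Multiple Port Scan 192.xxx.xxx.xxx provider text 24 ports, 23 hosts
2003/11/24 22:05:45 217.75.55.93 debica-217.75.55.93.debica55.ptc.pl Poland (unknown) Multiple Port Scan 192.xxx.xxx.xxx provider text 6 ports, 6 hosts
2003/11/24 22:10:18 217.75.55.100 debica-217.75.55.100.debica55.ptc.pl Poland (unknown) Multiple Port Scan 192.xxx.xxx.xxx provider text 21 ports, 19 hosts
2003/11/24 23:40:00 198.51.100.7 host7.example.net Nowhere (unknown) Multiple Port Scan 192.xxx.xxx.xxx provider text 3 ports, 1 hosts
"""

# timestamp, source IP, reverse DNS, then free text, then the trailing counts
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) .*?(\d+) ports?, (\d+) hosts?$")

def parse(text):
    """Turn summary lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, rdns, ports, hosts = m.groups()
            events.append({"ts": datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"),
                           "ip": ip_address(ip), "rdns": rdns,
                           "ports": int(ports), "hosts": int(hosts)})
    return events

def cluster(events, prefix=24, gap_minutes=120):
    """Merge events from the same /prefix whose timestamps are no more than
    gap_minutes apart: one cluster is one probable scanner behind a NAT pool."""
    clusters = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        net = ip_network(f"{ev['ip']}/{prefix}", strict=False)
        for c in clusters:
            if c["net"] == net and (ev["ts"] - c["last"]).total_seconds() <= gap_minutes * 60:
                c["ips"].add(ev["ip"])
                c["ports"] += ev["ports"]
                c["hosts"] += ev["hosts"]
                c["last"] = ev["ts"]
                break
        else:
            clusters.append({"net": net, "ips": {ev["ip"]}, "ports": ev["ports"],
                             "hosts": ev["hosts"], "first": ev["ts"], "last": ev["ts"]})
    return clusters

def report(clusters):
    """One line per cluster: how many distinct source IPs the same /24 used."""
    return [f"{c['net']}: {len(c['ips'])} source IPs, {c['ports']} ports, "
            f"{c['hosts']} hosts, {c['first']:%H:%M:%S}-{c['last']:%H:%M:%S}"
            for c in clusters]

if __name__ == "__main__":
    print("\n".join(report(cluster(parse(SAMPLE)))))
```

A cluster with many source IPs but one /24 and a continuous time line is the NAT-pool pattern TooKoolKris describes later in the thread; a truly spoofed scan would scatter across unrelated networks and never merge.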
 
LVL 18

Expert Comment

by:chicagoan
ID: 9862129
Looks like an IDS evasion technique to me. Change source address, don't hit too many hosts at a time, though 19 seems like more than I'd go after at once; that number seems bound to trip IDS. Did you post this on neohapsis?

BTW  - this subnet looks like a real playground:
http://isc.sans.org/source_report.html?order=&subnet=217
0
 
LVL 2

Author Comment

by:kat120
ID: 9862591
No, I only posted here.  Like I said, I am mainly interested in finding out how someone changes their IP so frequently.  I am not the admin for the system; I am in a sort of "analyst" role wherein I look at the overall picture rather than actually managing computer security for the company.
Kat
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 9866327
LOL, this person isn't doing anything special to cause this to happen. He is behind a firewall or router that is making use of NAT (Network Address Translation). This should be apparent considering all of the IPs are coming from the same Class C subnet. This person is scanning from a PC that has a private address. When this person sends out his scan, his private IP has to be translated to one that is public so that it can route over the Internet. This person is on a network which has a pool of public IPs to use for NAT purposes, and when a request is made to retrieve info from the Internet it uses an IP from the pool that is available. It's not always going to be the same IP, as other people are also on the network using the Internet.

If he were truly spoofing you would see totally different IPs and host names, not ones pointed back to the same subnet for easy tracing.

Reporting this person to their ISP wouldn't even make it further than the email you send, as scanning isn't illegal for one thing, and for another this person is obviously in Poland.
0
 
LVL 18

Assisted Solution

by:chicagoan
chicagoan earned 23 total points
ID: 9866464
Generally NAT will keep your public address assignment for whatever the timeout period is set to on the router; changing the external address every few seconds isn't a behavior I've seen.
0
 
LVL 9

Accepted Solution

by:TooKoolKris
TooKoolKris earned 60 total points
ID: 9867039
This is true when you have a TCP session established, but this isn't the case with scanning. It's done with ICMP, which doesn't create and hold a session; it simply echoes a reply. So with each scan (ping) it is very possible, and especially on networks with a lot of hosts, to have multiple IPs from one host. I've seen it many times, as I've managed some pretty big networks; it's not uncommon at all, and the larger your public IP pool the more it will take place.
0
 
LVL 2

Author Comment

by:kat120
ID: 9867348
Thank you very much; that is what I wanted to know, and the ICMP thing makes sense.
Kat
0
