I believe "nmap" in combination with "proxy hunter" can produce these
results.
If the prober used proxy hunter to find "world accessible" proxies, they
could then awk this list > a startup file for nmap, which has the options to
use multiple "source" addresses, specify ports to probe, and also, since nmap
is open source, a probe similar to the "ftp proxy (bounce attack)" could be
coded to use http proxies (if it isn't already by one of the numerous nmap
projects listed at the bottom of Fyodor's nmap page:
http://www.insecure.org/nmap/index.html ).
BTW, I think one of nmap's weaknesses may be that the "real" machine
originating the scan is identified among the "chaff" of the multiple host
IPs seen in the target's log files, though this may be ameliorated by the
use of proxies to forward the probes. Chances are good, however, that at
least one of the proxies, if they are proxies, is logging the real source
of the scan.
Why not get a copy of nmap and run it against your firewall, to see if you
can duplicate the symptoms of these probes?
spiff
On Mon, 11 Oct 1999, Petersen, Hans wrote:
> Here is an excerpt from the firewall log (Gauntlet):
>
> Oct 11 09:36:36 fw kernel: securityalert: tcp if=de1 from xxx.xxx.xxx.34:80
> to 199.117.205.35 on unserved port 3131
> Oct 11 09:36:44 fw kernel: securityalert: tcp if=de1 from xxx.xxx.xxx.123:80
> to 199.117.205.35 on unserved port 3152
> Oct 11 09:36:45 fw kernel: securityalert: tcp if=de1 from xxx.xxx.xxx.233:80
> to 199.117.205.35 on unserved port 3154
> Oct 11 09:36:46 fw kernel: securityalert: tcp if=de1 from xxx.xxx.xxx.63:80
> to 199.117.205.35 on unserved port 3153
> Oct 11 09:36:46 fw kernel: securityalert: tcp if=de1 from xxx.xxx.xxx.221:80
> to 199.117.205.35 on unserved port 3152
> Oct 11 09:36:49 fw kernel: securityalert: tcp if=de1 from xxx.xxx.xxx.63:80
> to 199.117.205.35 on unserved port 3157
>
> Multiple originating machines (82 in all), all coming from port 80, to our
> firewall (199.117.205.35) on random ports in the 1024+ range.
>
> Hope that clarifies what the connections look like. Any info on what this
> might be would be greatly appreciated.
>
> ~Hans
> --
> Hans B. Petersen - [EMAIL PROTECTED]
> Network Security Engineer - phone 303-581-5600
> SCC Communications Corp.
> ~o' Sed quis custodiet ipsos custodes? 'o~
>
> -----Original Message-----
> From: Jim Richards [mailto:[EMAIL PROTECTED]]
> Sent: Monday, October 11, 1999 3:01 PM
> To: 'Petersen, Hans '
> Subject: RE: Strange probes from port 80
>
>
> Forgive me if I misinterpreted, but your original post is worded a little
> confusingly; is this perhaps seti@home?
>
> Jim Richards
> Sonic Foundry
>
> -----Original Message-----
> From: Petersen, Hans
> To: 'The Firewalls List'
> Sent: 10/11/99 12:27 PM
> Subject: Strange probes from port 80
>
> Hi all,
>
> we're seeing multiple connection attempts from multiple (80+) hosts on our
> firewall, all originating on port 80, going to ports 1024+ in a somewhat
> incremental order. The contact(s) happened 10-15 connections every minute,
> for a 2 hour period of time. Most of the originating hosts are within the
> same netblock.
>
> Any of you ever seen this behavior before? Any help would be greatly
> appreciated, here or in e-mail directly to me.
>
> ~Hans
> --
> Hans B. Petersen - [EMAIL PROTECTED]
> Network Security Engineer - phone 303-581-5600
> SCC Communications Corporation
> ~o' Sed quis custodiet ipsos custodes? 'o~
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
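Added editorial example, not code from anyone in the thread: a small Python
script that parses Gauntlet-style "securityalert" lines like the ones Hans
quoted and tests for the signature he describes (many claimed sources, all
with source port 80, walking upward through unserved ports above 1024, most
of them in one /24). The log lines inside the block are constructed from the
quoted ones, with the masked xxx.xxx.xxx addresses replaced by RFC 1918 and
TEST-NET values and one unrelated udp line added as noise; the thresholds in
looks_like_decoy_scan and the year passed to the parser are assumptions, not
anything stated in the thread. It also makes spiff's caveat concrete: the
firewall log alone cannot say which of the sources is the real scanner and
which are chaff.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, modelled on the Gauntlet lines quoted in the thread.
# 10.1.1.0/24 and 192.0.2.9 stand in for the masked source addresses.
SAMPLE_LOG = """\
Oct 11 09:36:36 fw kernel: securityalert: tcp if=de1 from 10.1.1.34:80 to 199.117.205.35 on unserved port 3131
Oct 11 09:36:44 fw kernel: securityalert: tcp if=de1 from 10.1.1.123:80 to 199.117.205.35 on unserved port 3152
Oct 11 09:36:45 fw kernel: securityalert: tcp if=de1 from 10.1.1.233:80 to 199.117.205.35 on unserved port 3154
Oct 11 09:36:46 fw kernel : securityalert: tcp if=de1 from 10.1.1.63:80 to 199.117.205.35 on unserved port 3153
Oct 11 09:36:46 fw kernel: securityalert: tcp if=de1 from 10.1.1.221:80 to 199.117.205.35 on unserved port 3152
Oct 11 09:36:49 fw kernel: securityalert: tcp if=de1 from 10.1.1.63:80 to 199.117.205.35 on unserved port 3157
Oct 11 09:37:02 fw kernel: securityalert: tcp if=de1 from 192.0.2.9:80 to 199.117.205.35 on unserved port 3160
Oct 11 09:37:10 fw kernel: securityalert: udp if=de1 from 10.1.1.5:53 to 199.117.205.35 on unserved port 1027
"""

# One alert per line; " ?:" tolerates the "kernel :" spacing seen in the quote.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ kernel ?: securityalert: "
    r"(?P<proto>\w+) if=(?P<iface>\S+) from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+) on unserved port (?P<dport>\d+)$"
)


def parse_alerts(text, year=1999):
    """Return a list of alert dicts; lines that do not match are skipped.
    syslog timestamps carry no year, so the caller supplies one (assumed)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {year}",
                               "%b %d %H:%M:%S %Y")
        events.append({"ts": ts, "proto": m["proto"], "iface": m["iface"],
                       "src": m["src"], "sport": int(m["sport"]),
                       "dst": m["dst"], "dport": int(m["dport"])})
    return events


def slash24(ip):
    """Crude /24 bucket, enough to see 'most sources in one netblock'."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def summarize(events, src_port=80):
    """Describe the TCP alerts whose claimed source port is src_port."""
    ev = sorted((e for e in events if e["proto"] == "tcp" and e["sport"] == src_port),
                key=lambda e: e["ts"])
    if not ev:
        return None
    sources = {e["src"] for e in ev}
    dports = [e["dport"] for e in ev]
    # "somewhat incremental": count consecutive pairs where the port goes up
    rising = sum(1 for a, b in zip(dports, dports[1:]) if b > a)
    top_block, top_count = Counter(slash24(s) for s in sources).most_common(1)[0]
    span = (ev[-1]["ts"] - ev[0]["ts"]).total_seconds()
    return {"events": len(ev), "sources": len(sources),
            "all_high_dports": all(p >= 1024 for p in dports),
            "rising_pairs": rising, "pairs": max(len(dports) - 1, 0),
            "top_block": top_block, "top_block_sources": top_count,
            "span_seconds": span, "per_minute": len(ev) * 60.0 / max(span, 1.0)}


def looks_like_decoy_scan(summary, min_sources=10, min_rising=0.6):
    """Heuristic only (thresholds are assumptions): many claimed sources on one
    well-known port, walking upward through unserved high ports, mostly from
    one /24. It cannot tell which source, if any, is the real scanner."""
    if summary is None or summary["sources"] < min_sources:
        return False
    if not summary["all_high_dports"]:
        return False
    if summary["pairs"] and summary["rising_pairs"] / summary["pairs"] < min_rising:
        return False
    return summary["top_block_sources"] / summary["sources"] >= 0.5


if __name__ == "__main__":
    s = summarize(parse_alerts(SAMPLE_LOG))
    print(s)
    print("decoy-style scan:", looks_like_decoy_scan(s, min_sources=5))
```

To reproduce the symptoms locally, as spiff suggests, nmap's decoy option
(-D) together with its source-port option (-g) produces this shape of log on
the target, and the script then reports every decoy as a distinct source
alongside the real one, which is exactly the "chaff" problem.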