reconnaissance had been done or it hadn't been done well.

One theory concluded this was from one host that was just spoofing source IPs. In the preceding scan output that was executed with the TCPdump –vv option, (this is the reason you see the additional information in parenthesis), the TTL value is displayed. The –vv option also displays a field known as the IP identification number that appears as "id #." If this activity were all from one spoofed source IP, the arriving TTL value should have remained relatively constant unless it was being crafted.

When traceroutes were attempted back to many of the source IP addresses, the hop counts to get from my site back to the alleged source IP appeared credible. If you can estimate the initial TTL assigned by the source IP and figure out the difference between that and the arriving TTL, you can approximate the hop counts. The difficulty is guessing the initial TTL. If you look at the chart found at www.honeynet.org/papers/finger/traces.txt, most times you can figure out a reasonable initial TTL.

Not only were the hop counts believable, but all the source IPs appeared to be alive and pingable, something not typically found with randomly pirated source IPs. Finally, in the preceding scan, notice that the final scanning IP, 1.1.1.1, has different TCP options (nop, nop, sackOK) from the other records. This points more to the source's hosts being genuinely different and real, rather than a crafter taking the time to artificially introduce these differences.

In conjunction with a SANS call for help in determining the cause of these scans, a very astute network administrator, Ron Marcum of Vanderbilt University, discovered a PC on his network scanning hosts on other networks looking for ports 80, 8080, and 3128. The RingZero Trojan appeared to be the culprit. It looked for any hosts that were using open proxy servers found on ports 3128, 80, or 8080 and, at least for a while, collected ones it did find on an FTP site. There is value in knowing where an open proxy server is; it enables hackers to hide their true source IP identities. Open proxy servers enable you to tunnel through them and assume that IP number as the source IP. Some questions still remain about RingZero; it is not known how the Trojan infects a particular host, and it has not been determined what IPs the Trojan scans when downloaded.

Summary

The attacker community is investing an incredible amount of effort to scan the Internet. The single most important service for your site to block is ICMP echo requests. Reconnaissance probes should be taken seriously; if attackers can learn where your hosts are, they can make fairly short work of determining what services these hosts run. If they cannot determine which of the hosts in your network address space are active, they have a very sparse matrix with which to work. One great defense is to use RFC 1918 private address space instead of using public address space. If you have public address space and do not have split horizon DNS, attackers can just ask your DNS server where your hosts are with reverse lookups. Also, when possible, a NAT is a fantastic defense against probing. I recommend several layers of NATs. Finally, try to configure your perimeter not to allow ICMP unreachable error messages out of your network.

Also, with the new class of viruses and worms being released, infiltration of your well-guarded site might come from within. This is a natural evolution of information-gathering techniques because many sites have become more proficient at shunning reconnaissance from the outside.