ipv6 port scanning by CERNET
Matsuzaki Yoshinobu
maz at iij.ad.jp
Sun Oct 6 03:35:57 CEST 2013
Tassos Chatzithomaoglou <achatz at forthnetgroup.gr> wrote:
> The last few days we're getting continuous port scannings from
> 2001:DA8:1:FFFE::108.
The same here. It seems the scan is based on hostnames as I am getting
the scannings only for my web server's IPv6 address. Probably these are
IPv6-only portscans as there are no similar activities on the IPv4 address
of the server.
There are 3 IP header profiles:
- observed hoplimit: 241 - originally 255?
- observed hoplimit: 50 - originally 64?
- flowlabel 0x12345 with random hoplimit up to 45 (observed)
I got the portscans to almost all tcp ports, but the following
ports got more scans from the host. For 80/tcp, I got GET scans for
cmd.exe and other well-known admin pages, and other methods - POST,
PROPFIND, PUT, Secure, TRACE and secure connections as well.
21/tcp
22/tcp
113/tcp
139/tcp
143/tcp
199/tcp
443/tcp
445/tcp
554/tcp
995/tcp
1812/tcp
3389/tcp
5060/tcp
5061/tcp
5900/tcp
8080/tcp
8888/tcp
On udp ports, I have observed scan packets on 520/udp (RIP request),
161/udp (snmp), 53/udp (dns) and 137/udp (smb), as well as the
following ports.
17/udp
19/udp
53/udp
111/udp
121/udp
123/udp
137/udp
161/udp
162/udp
177/udp
518/udp
520/udp
530/udp
593/udp
1434/udp
1604/udp
1971/udp
2638/udp
3478/udp
3784/udp
4569/udp
5060/udp
5061/udp
5070/udp
6502/udp
7001/udp
9101/udp
10080/udp
10081/udp
17185/udp
30718/udp
31845/udp
Regards,
-----
Matsuzaki Yoshinobu <maz at iij.ad.jp>
- IIJ/AS2497 INOC-DBA: 2497*629
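
Added example, not part of the original message: a Python sketch that sorts captured IPv6 packets from the reported source into the three header profiles listed above by reading the flow label and hop limit from the 40-byte fixed header. The function names, the destination address 2001:db8::80 and the sample packets are constructed for illustration; the hop limits 241 and 50 are the values seen at the poster's site and will differ on other paths.

```python
import ipaddress
import struct
from collections import Counter

SCANNER = ipaddress.IPv6Address("2001:DA8:1:FFFE::108")  # source named in the thread
OBSERVED_HOPLIMITS = {241: "hoplimit-241", 50: "hoplimit-50"}  # site-specific values

def parse_fixed_header(pkt: bytes):
    """Return (flow_label, hop_limit, source) from an IPv6 fixed header."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    # First 32 bits: version (4) | traffic class (8) | flow label (20)
    vtf, _payload_len, _next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return vtf & 0xFFFFF, hop_limit, ipaddress.IPv6Address(pkt[8:24])

def classify(pkt: bytes) -> str:
    """Map one packet to one of the three profiles from the message."""
    flow, hop_limit, src = parse_fixed_header(pkt)
    if src != SCANNER:
        return "other-source"
    # The hop limit is random in this profile, so the flow label is the key.
    if flow == 0x12345:
        return "flowlabel-0x12345"
    return OBSERVED_HOPLIMITS.get(hop_limit, "unmatched")

def profile_counts(packets):
    """Count packets per profile, e.g. over headers read from a capture."""
    return Counter(classify(p) for p in packets)

def make_header(flow, hop_limit, src, dst="2001:db8::80"):
    """Build a constructed 40-byte header (next header 6 = TCP, no payload)."""
    first = struct.pack("!IHBB", (6 << 28) | flow, 0, 6, hop_limit)
    return first + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed

# Constructed sample headers, not taken from a real capture.
SAMPLES = [
    make_header(0, 241, "2001:DA8:1:FFFE::108"),
    make_header(0, 50, "2001:DA8:1:FFFE::108"),
    make_header(0x12345, 37, "2001:DA8:1:FFFE::108"),
    make_header(0x12345, 12, "2001:DA8:1:FFFE::108"),
    make_header(0, 58, "2001:db8::1"),
]

if __name__ == "__main__":
    for profile, count in sorted(profile_counts(SAMPLES).items()):
        print(f"{profile}: {count}")
```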