ipv6 port scanning by CERNET

Matsuzaki Yoshinobu maz at iij.ad.jp
Sun Oct 6 03:35:57 CEST 2013


Tassos Chatzithomaoglou <achatz at forthnetgroup.gr> wrote
> The last few days we're getting continuous port scannings from
> 2001:DA8:1:FFFE::108.

The same here. It seems the scan is based on hostnames as I am getting
the scannings only for my web server's IPv6 address.  Probably this is
IPv6 only portscans as there is no similar activities on IPv4 address
of the server. 

There are 3 IP header profiles:
 - observed hoplimit: 241 - originally 255?
 - observed hoplimit: 50  - originally 64?
 - flowlabel 0x12345 with random hoplimit upto 45 (observed)

I got the portscans to almost entire tcp ports, but the following
ports got more scans from the host.  For 80/tcp, I got GET scans for
cmd.exe and other well-known admin pages, and other methods - POST,
PROPFIND, PUT, Secure, TRACE and secure connections as well.

    21/tcp
    22/tcp
    113/tcp
    139/tcp
    143/tcp
    199/tcp
    443/tcp
    445/tcp
    554/tcp
    995/tcp
    1812/tcp
    3389/tcp
    5060/tcp
    5061/tcp
    5900/tcp
    8080/tcp
    8888/tcp

On udp ports, I have observed scan packets on 520/udp (RIP request),
161/udp (snmp), 53/udp (dns) and 137/udp (smb).as well as the
following ports.

    17/udp
    19/udp
    53/udp
    111/udp
    121/udp
    123/udp
    137/udp
    161/udp
    162/udp
    177/udp
    518/udp
    520/udp
    530/udp
    593/udp
    1434/udp
    1604/udp
    1971/udp
    2638/udp
    3478/udp
    3784/udp
    4569/udp
    5060/udp
    5061/udp
    5070/udp
    6502/udp
    7001/udp
    9101/udp
    10080/udp
    10081/udp
    17185/udp
    30718/udp
    31845/udp

Regards,
-----
Matsuzaki Yoshinobu <maz at iij.ad.jp>
 - IIJ/AS2497  INOC-DBA: 2497*629



More information about the ipv6-ops mailing list