Why is the DoD Portscanning me?



  • THis is still going on... up to port 2800 now...

    I had the office of the president of University of california on my stuff for a while...

    all i could find on the former was:

    http://forums.phoenixlabs.org/showthread.php?t=1227&page=1

    Wow.... I feel special, being portscanned by the US government!



  • It's up to 8 ports per second now from the DoD... i think i am just going to block them at the router and make a phone call



  • I hereby officially claim no knowledge of any actions you have taken to cause the US Guvment to be Port scanning you.

    And when the black helicopters show up to take you away I will also deny any knowledge of that.



  • Um, if THEY are scanning YOU, then why is the source a private 192.168, and the destination a public address?  Looks to me like you are scanning them.



  • The port numbers shown seem to indicate that it is indeed the 6.18.0.176 IP that's doing the scan (those are all TCP port 411 - which is a privliedged port!!). Perhaps this is just showing the replies from 192.168.136.200? Either that, or you are trying some kind of source port scan of their TCP port 441... seeing if the result of the connection depends on the source port, although that would be rather obscure.

     

    wonders wether he should nmap that IP

     

    HTTP isn't responding, though. 

     



  • I disagree.  I think his machine is repeatedly opening connections from sequential high numbered ports to 6.18.0.176 port 411 which is 'normal' behavior.  Normal in that the ports are consistent with an outbound connection.

    The 2nd case is a bit stranger, since the source connections are all from a single port to what seem to be random high numbered ports. Since they are UDP packets, there's no reply involved.

     I'd strongly suggest that genewitch take a closer look at his own system.  And use some better tools, like Wireshark to see what's really going on.  And if you think people are really trying to get to your port 20742, open a dos prompt and enter 'netstat -a' to see all the current connections and listening ports on your machine.
     



  • [quote user="wk633"]Um, if THEY are scanning YOU, then why is the source a private 192.168, and the destination a public address?  Looks to me like you are scanning them.
    [/quote]

    Yah, except the problem is it was happening to several people at the same time.

    Anyhow, 800-357-4231 option 1 is the phone number given for the JTFGNO - the DoD IT department.

    He starts to give me the email, saying "India Hotel At... oh, you're a civilian... IH@" haha.

    but anyhow, for those interested, averaging 4 ports per second:

    first attack:
    2007-01-04 05:55:30;DoD Network Information Center;192.168.136.200:3015;29.0.0.205:411;TCP;Blocked
    That ended at:
    2007-01-04 06:20:55;DoD Network Information Center;192.168.136.200:1908;29.0.0.205:411;TCP;Blocked
    Next attack:
    2007-01-04 11:00:40;DoD Network Information Center;192.168.136.200:1482;6.18.0.176:411;TCP;Blocked
    ended at:
    2007-01-04 12:23:44;DoD Network Information Center;192.168.136.200:4475;6.18.0.176:411;TCP;Blocked
    ARIN reports the second one was from Yuma, maybe someone got a trojan?



  • You're not being portscanned. Someone probably posted your IP as a server or something.

    Either that or the DoD thinks you're a file sharer.



  • The application displayed is PeerGuardian. This program checks both incoming and outgoing packets against a list of "evil" networks who may be against file sharing, and it is mostly used by P2P file sharers. It detected lots of outgoing connects to a DOD server on port 411. Port 411 is the usual port of Direct Connect hubs, and Direct Connect is - a file sharing application.

    So what's really happening is that the OP's Direct Connect client tries to connect to DoDServer:411 and gets refused all the time by PeerGuardian. This could now either be a false alarm (that IP runs a "legitimate" DC hub) or that someone at the DOD provides a special DC hub as a trap, and anyone who connects to it and who shares copyrighted files may get sued; and to make people connect to such a server, they would post it on some public server list (so no directed attack is being done). The latter is actually what PeerGuardian is meant to protect against - its purpose is to protect file sharers against law enforcement.

    With this, I don't dare to claim that the OP is violating copyright law - even if he just shares his own works or some Linux distribution packages, he still deserves privacy - this is just not their business. It seems to be no coincidence that the words privacy and piracy look similar, it's a fact that fighting piracy also destroys privacy and vice versa.

    Therefore, what is shown on the screenshot is no act of port scanning. PeerGuardian blocks the P2P application from accessing that server, be it for a good reason or not. So: the Real WTF[tm] is that GeneWitch is using a "security tool" which he doesn't understand. However, such tools are rather useless if one does not understand them...



  • Or someone has listed the DoD as a file sharer, and more than one person is running the same software that is updating the same list of servers, and going out to the DoD to get files.

     As I said, the 2nd case is a bit stranger in that it's a single connection that is spewing UDP packets out to a bunch of random ports and various Universities.  or PG2 has the source/dest mixed up, and someone has listed GeneWitch's IP and port 20742 as a file server, and a bunch of students are all trying to connect.

     It would take one heck of a conspiracy for a bunch of universities to coordinate an 'attack' like that.

     



  • Well, at least in theory he could unwillingly have been part of a DRDoS attack targeted at the DoD and/or those universities.



  • [quote user="wk633"]

    Or someone has listed the DoD as a file sharer, and more than one person is running the same software that is updating the same list of servers, and going out to the DoD to get files.

     As I said, the 2nd case is a bit stranger in that it's a single connection that is spewing UDP packets out to a bunch of random ports and various Universities.  or PG2 has the source/dest mixed up, and someone has listed GeneWitch's IP and port 20742 as a file server, and a bunch of students are all trying to connect.

     It would take one heck of a conspiracy for a bunch of universities to coordinate an 'attack' like that.

     

    [/quote]

    Numerous file-sharing systems let you open a whole range of ports. Bittorrent, for example - the crappy old clients think they need one port per torrent - and most likely in this case, DC. If a port doesn't work, it'll attempt another one in the given range, until it finally finds one or gives up.

    See if these so-called "port scans" suddenly stop as soon as you close DC and start as soon as you open it again. :rolleyes: 



  • [quote user="foxyshadis"]

    Numerous file-sharing systems let you open a whole range of ports. Bittorrent, for example - the crappy old clients think they need one port per torrent - and most likely in this case, DC. If a port doesn't work, it'll attempt another one in the given range, until it finally finds one or gives up.

    See if these so-called "port scans" suddenly stop as soon as you close DC and start as soon as you open it again. :rolleyes: 

    [/quote]

    A), i wasn't in the process of connecting to any "DC" hubs - regardless of what the port implies.

    B)there wasn't a single download running; also, regardless of what i share, this is the first time that PG2 has scrolled this fast, and I have been using PG2 and DC, torrents, etc. together for a while.

    C) I was asleep for the first 30 minute fiasco... And I was not even connected to any "DC" networks.

    D) The second event stopped when a certain user was kicked from a certain service (by another person that was getting 4 attempts per second). Guys, i don't care if you think this is 'valid' traffic... 2-9 requests per second for 30 minutes is not standard behaviour for any network application i've ever seen... except portscanning. And i know how to use PeerGuardian. I'm just pissed that i have 2.9 megs of  "DOD" rejected. And i got an email back from them, so... we'll see what happens.

     



  • Reply from JTFGNO (dod IT network)

     I checked your logs and pulled our .mil traffic against your IP. I will request a reason why they tried to connect but I don't see anything malicious from the Department of Defense. I can say with confidence that the IP was spoofed (As with 99% of civilian complaints with us.). We recommend you block 29.0.0.0/8 at your firewall. Thanks for your concern. Please feel free to report more suspicious activity coming from us if it is affecting you.

    sIP|dIP|sPort|dPort|protocol<WBR>|packets|bytes|flags|sTime|dur<WBR>|eTime

    |x.x.x.x|69.234.40.251|1877<WBR>|3724|6|3|144| S      |01/01/2007 16:05:15|8|01/01/2007 16:05:24|

    Very Respectfully,

    nameObscured
    JTF-GNO Net Defense, J342
    Arlington, VA
    (703) xxx-xxxx

    xxx-xxxx (DSN)



  • Port 20742 is also used by some Bagle trojans



  • Looking at the data, it appears that a couple of the other posters were indeed correct. You're not being port scanned by the DoD. You're trying to DoS them!

    In the DoD screen shot, you can see a couple of entries there that mention Palacky University. In these, you can see that the Source address is from somewhere on the internet, and the Destination is your PC. This shows that someone at that university is trying to connect to you.

    With the other entries, it looks like your computer is trying to create TCP connections to the DoD. When you create a new TCP connection, your computer creates a new port. Often, the port numbers used are sequential, although after a while lower port numbers will be re-used.

    As far as I can tell, you've either got a trojan infection, or your file sharing client believes that the DoD is a legitimate file source.

    The best way to tell is to use a utility such as TCPView (http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx), which will tell you which process created those ports. Let's just hope your computer's not pwned!



  • @eimaj2nz said:

    Looking at the data, it appears that a couple of the other posters were indeed correct. You're not being port scanned by the DoD. You're trying to DoS them!

    In the DoD screen shot, you can see a couple of entries there that mention Palacky University. In these, you can see that the Source address is from somewhere on the internet, and the Destination is your PC. This shows that someone at that university is trying to connect to you.

    With the other entries, it looks like your computer is trying to create TCP connections to the DoD. When you create a new TCP connection, your computer creates a new port. Often, the port numbers used are sequential, although after a while lower port numbers will be re-used.

    As far as I can tell, you've either got a trojan infection, or your file sharing client believes that the DoD is a legitimate file source.

    The best way to tell is to use a utility such as TCPView (http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx), which will tell you which process created those ports. Let's just hope your computer's not pwned!

    Yah, re: the email i locked the subnets on my router out, and now everything is all quiet on the western front. I realize it looks like i was infected, or that i was DoSing them, but there were at least 2 other people that were getting the same output from PG2 at the same time as me. The IP was spoofed, and i wasn't really trying to say anything by posting here, really, other than "WTF DOD OMG". i understand that, by nature, forums have flamers. :-) I still like this community a lot!

    Also i use Knoppix:STD sometimes, and had i remembered where i put the disc i would have used ethercap or something similar to analyze it in real-time; however the attacks were long - but not long enough to dig out a disc and boot my laptop and get to work on packet sniffing. I was mostly posting it here as an aside; now i know that i shouldn't. Haha.

     -the Gene Witch


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.