External port scans from MCV?

I have recently started to notice that there is a large number of [what appear to be] port scans coming from an IP address that belongs to MCV. I found only one post from over two years ago (http://forum.micasaverde.com/index.php/topic,3688.msg18256.html#msg18256), but it does not explain this:

Small sample of ports scanned:

39502, 17206, 17733, 35381, 17246, 41732, 24372, 25431, 21817, 56621, 19709, 62752, 55112, 62908, 56370, 64133, 13136, 51911, 16073, 50847, 31616, 20195, 24974, 22134, 16849, 14850, 6227, 50043, 62417, 62636, 26176, 54810, 63947, 52549, 6000, 11278, 3839, 18570, 5165, 16137, 34756, 48653, 40184, 11678, 60744, 33977, 62069, 33136, 41245, 64818, 60581, 61537, 21049, 27747, 42901, 49366, 51920, 50182, 62567, 52537, 30452, 64904, 15853, 31570, 58170

I copied these ports from consecutive reports, so some may be repeats. Again, this is a small sample of what my firewall actually saw. The source port is 443 (SSL).

I have data going back to 2/26/13, when I started to take notice. The scans from MCV occur every day and appear systematic. (Interesting finding: the scan occurrences MAY coincide with activity on my Vera. I don’t have enough data to confirm this yet.) Since my network is constantly scanned from China and other foreign countries, I don’t always follow up or research. I do remember having seen this IP address prior to 2/26, but have deleted those logs.

The source IP is 173.254.216.50
Reverse WHOIS reports this:

[Querying whois.arin.net]
[Redirected to rwhois.oc3networks.com:4321]
[Querying rwhois.oc3networks.com]
[rwhois.oc3networks.com]
%rwhois V-1.0,V-1.5:00090h:00 manage.quadranet.com (Ubersmith RWhois Server V-2.3.0)
autharea=173.254.216.0/24
xautharea=173.254.216.0/24
network:Class-Name:network
network:Auth-Area:173.254.216.0/24
network:ID:NET-30524.173.254.216.32/27
network:Network-Name:Public Network IP Range
network:IP-Network:173.254.216.32/27
network:IP-Network-Block:173.254.216.32 - 173.254.216.63
network:Org-Name:Mi Casa Verde
network:Street-Address:530 West 6th St
network:City:Los Angeles
network:State:CA
network:Postal-Code:90014
network:Country-Code:US
network:Tech-Contact:MAINT-30524.173.254.216.32/27
network:Created:20110906220216000
network:Updated:20110906220216000
contact:POC-Email:admin@micasaverde.com

I expect to see these types of port scans from China and other foreign countries attempting industrial espionage, but not from MCV.

I’m also running Vera Alerts. I am wondering if that plays a role. I will see for a few days if the scans occur when Vera triggers an alert that gets sent through Vera Alerts.

I am not making an accusation, I am simply trying to understand what is happening. Can someone shed some light?

Thanks.

What part of a TCP message does your tool consider to be a scan?

e.g. SYN or late-delivered FIN type stuff?

[quote=“guessed, post:2, topic:174500”]What part of a TCP message does your tool consider to be a scan?

e.g. SYN or late-delivered FIN type stuff?[/quote]

Good question. I will need to research and report back. At the same time, why so many ports? Thanks for your response.

When you connect to web servers, they run a bunch of connections for secondary content (images, js, etc.) and may also close and reopen the primary connection (depends upon timing, keep-alives, etc.).

During an interaction with their remoting site, you’ll see a lot of these connections. So depending upon what triggers the tool, it could be seeing an artifact of one of these (client-initiated) connection teardowns… some of which will be delayed from the counterpart open because of normal TCP processing.
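As an added example that is not part of this thread (and not MCV's or the Vera's code), the following Python script applies the distinction above to a firewall log: FIN/RST packets arriving from a service port such as 443 at high ephemeral ports are counted as late teardowns of connections the inside host opened, while bare SYNs are counted as probes. The log line format, the inside host 192.168.1.20 and the second source 203.0.113.9 are constructed assumptions; adapt `LINE_RE` to your own firewall's output.

```python
import re
from collections import Counter, defaultdict

# Constructed sample firewall log lines (not from the thread). The format is an
# assumption modelled on a generic "dropped inbound TCP" syslog entry; the
# 192.168.1.20 host and the 203.0.113.9 source are made up for illustration.
SAMPLE_LOG = """\
Mar 01 10:02:11 fw DROP TCP 173.254.216.50:443 -> 192.168.1.20:39502 FLAGS=FA
Mar 01 10:02:11 fw DROP TCP 173.254.216.50:443 -> 192.168.1.20:17206 FLAGS=R
Mar 01 10:02:15 fw DROP TCP 173.254.216.50:443 -> 192.168.1.20:17733 FLAGS=FA
Mar 01 10:03:40 fw DROP TCP 203.0.113.9:51234 -> 192.168.1.20:22 FLAGS=S
Mar 01 10:03:40 fw DROP TCP 203.0.113.9:51235 -> 192.168.1.20:23 FLAGS=S
Mar 01 10:03:41 fw DROP TCP 203.0.113.9:51236 -> 192.168.1.20:3389 FLAGS=S
"""

LINE_RE = re.compile(
    r"DROP TCP (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) FLAGS=(?P<flags>[A-Z]+)"
)


def classify(sport: int, dport: int, flags: str) -> str:
    """Label one dropped inbound TCP packet by what it most likely is.

    FIN/RST (without SYN) from a well-known service port to an ephemeral port
    is the tail of a connection the inside host opened: the firewall's state
    entry expired before the far end finished closing. A bare SYN is a fresh
    connection attempt, which is what a genuine probe looks like.
    """
    if "S" in flags and "A" not in flags:
        return "probe"
    if ("F" in flags or "R" in flags) and sport < 1024 <= dport:
        return "late-teardown"
    return "other"


def summarize(log_text: str) -> dict:
    """Per source IP: packet count per class and the number of distinct
    destination ports (a real scan spreads across many of them)."""
    by_src = defaultdict(lambda: {"classes": Counter(), "dports": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines the regex does not understand
        rec = by_src[m["src"]]
        rec["classes"][classify(int(m["sport"]), int(m["dport"]), m["flags"])] += 1
        rec["dports"].add(int(m["dport"]))
    return {src: {"classes": dict(r["classes"]), "distinct_dports": len(r["dports"])}
            for src, r in by_src.items()}
```

Run `summarize(SAMPLE_LOG)` to see that the 443-sourced entries all land in `late-teardown` while the low-port SYNs land in `probe`; a source that shows many distinct destination ports but only teardown flags is the benign pattern the post above describes.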