This is likely an idle scan. The original write-up on this kind of attack
can be found here:

The source IP address that you see isn't really the attacker. The
information in your logs is virtually useless, unless you own the idle
system used in the scan.

Here are a few general, but imperfect guidelines about source and
destination IP address and port counts that might be of use to you. I use
them for preliminary automated analysis in my correlation system.

Src IPs Src Ports Dest IPs Dest Ports Type
1 Many Many 1 (e.g. pt 80) Scanning for
favorite (web) exploit.
Many Many Many 1 Same but
1 Many 1 Many Attack on
1 system (or your sys is infected)
Many 1 Many Many Idle Scan
Many 1 1 or Many Many DoS, smurf,

Of course, ICMP sweeps will be a little different (types & codes vs. ports).
Hope that is of some use.

Matt Wagner

firewall-wizards mailing list