TLP: Public
Decoy Scans – The Reverse IP – The Squash
Everyone can agree that cyber-attacks have drastically increased since Covid-19 was released onto the world at the end of 2019.
A lot of American corporations have written rules in their firewalls to only allow traffic from the USA to reach their websites, since it is easier to block everything else than to spend the time identifying and blocking just the attacking networks.
Unfortunately, the bad guys have found ways around this. I call it the Reverse IP Squash scan. Squashes all look different, coming in different colors and shapes, but they all taste the same.
It is when the attacker's IP address is reversed to make it appear to be a USA-based IP address, or an address in whatever country you accept when your firewall blocks other countries, when it really is not.
I have only seen this decoy scan where the source port is the same as the destination port in an external communication that is NOT from the same host. Everyone in the industry knows these are attack packets and are bad, so they are easy to identify.
In this example my web server is serving web pages using HTTP on a well-known port, so the destination port is 80. When a normal (not malicious) computer wants to access the web server it picks an unused port in the dynamic and private ports range (a port number between 49,152 and 65,535) and maps that port to the web browser. A good packet will have destination port 80 and a source port between 49,152 and 65,535.
Question: So how can the source port be the same as the destination port in the WAN, when it is NOT the same HOST?
Answer: Bad people messing with the packet headers because they are trying to hide their evil, unlawful hacking business. They have no life and no value, so they steal, cheat, have very small reproductive organs, have a desire to be rich, hate hard work and love bitcoins.
Here is an example of a Decoy Scan with the Reverse IP, which I call the Squash Scan:
X.X.X.X is the internal IP address of the server, in this case a port 80 web server.
Firewall Log headers:
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
Scan Start:
2020-08-22 06:12:54 DROP TCP 98.5.61.95 X.X.X.X 80 80 44 S 1758545483
2020-08-22 06:12:54 DROP TCP 99.128.2.230 X.X.X.X 80 80 44 S 377490472
2020-08-22 06:12:54 DROP TCP 69.117.88.20 X.X.X.X 80 80 44 S 1368673432
2020-08-22 06:12:54 DROP TCP 24.185.167.214 X.X.X.X 80 80 44 S 1663265241
2020-08-22 06:12:54 DROP TCP 98.210.151.135 X.X.X.X 80 80 44 S 1807616317
2020-08-22 06:12:54 DROP TCP 24.159.42.47 X.X.X.X 80 80 44 S 802143924
2020-08-22 06:12:54 DROP TCP 69.123.0.130 X.X.X.X 80 80 44 S 1704426663
2020-08-22 06:12:54 DROP TCP 66.226.49.213 X.X.X.X 80 80 44 S 715150300
2020-08-22 06:12:54 DROP TCP 75.89.173.46 X.X.X.X 80 80 44 S 1240136066
–
2020-08-22 06:12:58 DROP TCP 98.5.61.95 X.X.X.X 80 80 44 S 2033939861
2020-08-22 06:12:58 DROP TCP 98.210.151.135 X.X.X.X 80 80 44 S 1278171238
2020-08-22 06:12:58 DROP TCP 66.226.49.213 X.X.X.X 80 80 44 S 2058104692
2020-08-22 06:12:58 DROP TCP 99.128.2.230 X.X.X.X 80 80 44 S 680291223
2020-08-22 06:12:58 DROP TCP 24.159.42.47 X.X.X.X 80 80 44 S 359278842
2020-08-22 06:12:58 DROP TCP 75.89.173.46 X.X.X.X 80 80 44 S 1342225345
2020-08-22 06:12:58 DROP TCP 69.117.88.20 X.X.X.X 80 80 44 S 1997964862
2020-08-22 06:12:58 DROP TCP 69.123.0.130 X.X.X.X 80 80 44 S 791649766
2020-08-22 06:12:58 DROP TCP 24.185.167.214 X.X.X.X 80 80 44 S 1583286757
–
2020-08-22 06:17:40 DROP TCP 99.128.2.230 X.X.X.X 80 80 44 S 64573920
2020-08-22 06:17:40 DROP TCP 24.159.42.47 X.X.X.X 80 80 44 S 1706074651
2020-08-22 06:17:40 DROP TCP 24.185.167.214 X.X.X.X 80 80 44 S 1116788005
2020-08-22 06:17:40 DROP TCP 69.117.88.20 X.X.X.X 80 80 44 S 569331801
2020-08-22 06:17:40 DROP TCP 75.89.173.46 X.X.X.X 80 80 44 S 440413338
2020-08-22 06:17:40 DROP TCP 98.5.61.95 X.X.X.X 80 80 44 S 869836431
2020-08-22 06:17:40 DROP TCP 69.123.0.130 X.X.X.X 80 80 44 S 200240775
2020-08-22 06:17:40 DROP TCP 98.210.151.135 X.X.X.X 80 80 44 S 4157844
2020-08-22 06:17:40 DROP TCP 66.226.49.213 X.X.X.X 80 80 44 S 2018376608
–
2020-08-22 06:19:50 DROP TCP 69.117.88.20 X.X.X.X 80 80 44 S 1187077375
2020-08-22 06:19:50 DROP TCP 75.89.173.46 X.X.X.X 80 80 44 S 1843471496
2020-08-22 06:19:50 DROP TCP 24.159.42.47 X.X.X.X 80 80 44 S 641870801
2020-08-22 06:19:50 DROP TCP 98.210.151.135 X.X.X.X 80 80 44 S 1273855967
2020-08-22 06:19:50 DROP TCP 69.123.0.130 X.X.X.X 80 80 44 S 1183912985
2020-08-22 06:19:50 DROP TCP 99.128.2.230 X.X.X.X 80 80 44 S 415714080
2020-08-22 06:19:50 DROP TCP 66.226.49.213 X.X.X.X 80 80 44 S 86748293
2020-08-22 06:19:50 DROP TCP 98.5.61.95 X.X.X.X 80 80 44 S 1112180597
2020-08-22 06:19:50 DROP TCP 24.185.167.214 X.X.X.X 80 80 44 S 724182152
Scan end
I then look up the external IP addresses to see who they are:
98.5.61.95 = Buffalo, New York – spectrum.com – Charter Communications Inc – USA
99.128.2.230 = Boca Raton, Florida – att.com – AT&T Corp. – USA
69.117.88.20 = Brooklyn, New York – optimum.net – Optimum Online – USA
24.185.167.214 = Brooklyn, New York – optimum.net – Optimum Online – USA
98.210.151.135 = Walnut Creek, California – comcast.net – Comcast LLC – USA
24.159.42.47 = Manchester, Tennessee – spectrum.com – Charter Communications Inc – USA
69.123.0.130 = Newark, New Jersey – optimum.net – Optimum Online – USA
66.226.49.213 = Salisbury, North Carolina – yadtel.com – Yadkin Valley Telephone – USA
75.89.173.46 = Lexington, Kentucky – windstream.com – Windstream Comm LLC – USA
I then take the external IP addresses and Nmap scan each one:
98.5.61.95 = UP – 0 ports open
99.128.2.230 = DOWN
69.117.88.20 = DOWN
24.185.167.214 = DOWN
98.210.151.135 = UP – 0 ports open
24.159.42.47 = UP – 0 ports open
69.123.0.130 = DOWN
66.226.49.213 = UP – open ports 19, 53, 135, 139, 445, 646.
75.89.173.46 = UP – 0 ports open. ALERT: Backward IP address alert!
I then reverse the IP and get the real IP address = 46.173.89.75
See who this IP is:
46.173.89.75 = Simferopol, Avtonomna Respublika Krym – kct.net.ua – AXI-LAN Ltd. – Ukraine
Nmap the IP
Nmap for 46.173.89.75 = All ports open
Then I do other things to this IP address and the whole Network Range that I will not go into here.
The result is I caught a Ukrainian IP pretending to be a USA IP that is up to no good, using the other USA IP addresses as decoys. Those decoy addresses didn't really exist and were not trying to scan the web server; these scans all came from one IP address, and that is 46.173.89.75.
I see this with Chinese and Russian IPs too.
Keep an eye on your firewall logs, and remember that just because a packet appears to come from an accepted IP address does not mean it really does.
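The two checks this post relies on, as an added Python example (not code from the post or from Adept Technologies): parse the Windows Firewall log format shown above, flag external sources whose source port equals the destination port on a service port, count hits per source, and print the octet-reversed address for each so it can be looked up. The log lines are constructed from the ones above; the destination 10.0.0.5 is a placeholder for X.X.X.X.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the same #Fields format as the log above.
# 10.0.0.5 stands in for X.X.X.X; the last line is a normal client using an
# ephemeral source port and must not be flagged.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2020-08-22 06:12:54 DROP TCP 98.5.61.95 10.0.0.5 80 80 44 S 1758545483
2020-08-22 06:12:54 DROP TCP 75.89.173.46 10.0.0.5 80 80 44 S 1240136066
2020-08-22 06:12:58 DROP TCP 75.89.173.46 10.0.0.5 80 80 44 S 1342225345
2020-08-22 06:13:01 ALLOW TCP 24.159.42.47 10.0.0.5 51234 80 52 S 99
"""

def parse_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))

def reverse_octets(ip):
    """The post's 'Reverse IP': read the four octets back to front."""
    return ".".join(reversed(ip.split(".")))

def squash_candidates(text, service_ports=("80",)):
    """Flag external sources hitting a service port with src-port == dst-port.
    A real client picks an ephemeral port (49152-65535), so equal ports on an
    external connection is the tell the post describes. Returns per-source
    hit counts plus the reversed address to look up."""
    hits = defaultdict(int)
    for rec in parse_log(text):
        if rec.get("protocol") != "TCP" or rec["dst-port"] not in service_ports:
            continue
        if ipaddress.ip_address(rec["src-ip"]).is_private:
            continue                      # only external hosts are of interest
        if rec["src-port"] == rec["dst-port"]:
            hits[rec["src-ip"]] += 1
    return {ip: {"hits": n, "reversed": reverse_octets(ip)} for ip, n in hits.items()}

if __name__ == "__main__":
    for ip, info in sorted(squash_candidates(SAMPLE_LOG).items()):
        print(f"{ip:16} hits={info['hits']} reversed={info['reversed']}")
```

Feed it a real pfirewall.log and look up each reversed address the same way the post does for 46.173.89.75; a reversed address that resolves to a blocked country is the case worth investigating.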
If these bad people would focus all these resources on doing something good for mankind, imagine the possibilities, but no, that requires real work.
Be safe, and I hope this helps people who are trying to protect their systems from these losers. Decoy Scans – The Reverse IP – The Squash is just one of many bad scanning and attack systems running amok on the internet of things.
Adept Technologies' team of dedicated North American experts is solely focused on refining and improving the Adept Enterprise products and the MyAdept software as a service (SaaS) for the benefit of mankind.
Contact us today toll free at 1-888-392-9623 to find out more about how Adept Technologies can save you money by utilizing our services and technology.