Service scanner attempting to connect to same port on multiple computers (UDP_Service_Sweep)

About this signature or vulnerability

Proventia Server IPS for Linux technology, RealSecure Desktop, RealSecure Desktop Protector 3.6, Proventia Network IPS, Proventia-G 1.1 and earlier, Proventia Desktop, Proventia Network IDS, IBM Security Server Protection for Windows, Proventia Network MFS, BlackICE PC Protection, BlackICE Server Protection, BlackICE Agent for Server, RealSecure Network, RealSecure Server Sensor, Virtual Server Protection for VMware:

This signature detects a high number of UDP packets being sent to the same port on different computers. This could indicate an attacker's attempt to determine which computers are running a particular service.


False negatives

Proventia Server IPS for Linux technology, RealSecure Desktop, RealSecure Desktop Protector 3.6, Proventia Network IPS, Proventia-G 1.1 and earlier, Proventia Desktop, Proventia Network IDS, IBM Security Server Protection for Windows, Proventia Network MFS, BlackICE PC Protection, BlackICE Server Protection, BlackICE Agent for Server, RealSecure Network, RealSecure Server Sensor, Virtual Server Protection for VMware:

This signature triggers on UDP port probe events. As a result, a false negative occurs if all of the probed ports are open.

Default risk level

Low

Sensors that have this signature

Proventia Server IPS for Linux technology: 1.0, RealSecure Desktop: baseline, RealSecure Desktop Protector 3.6: baseline, Proventia Network IPS: 2.0, Proventia-G 1.1 and earlier: G Series, Proventia Desktop: 8.0.614.1, Proventia Network IDS: XPU 20.15, IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 1.0.914.0, Proventia Network MFS: 1.0, BlackICE PC Protection: 3.6cpa, BlackICE Server Protection: 3.6.cpa, BlackICE Agent for Server: 3.6eof, RealSecure Network: XPU 20.15, RealSecure Server Sensor: XPU 20.16, Virtual Server Protection for VMware: 1.0

Systems affected

Various vendors: Any application

Type

Pre-attack Probe

Vulnerability description

By attempting to connect to the same port on many different computers, an attacker can attempt to determine which computers are running a particular service within a network. This information could be useful to an attacker in performing an attack.

In performing such a scan, an attacker may attempt to avoid detection by using a slow connection rate.
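The detection idea described above, together with the false-negative case and the slow-rate case, as an added example that is not the vendor's signature code. It assumes a probe event is raised only when the targeted UDP port is closed; the window, the host threshold, the function names and the sample events are all constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed tuning values; the page does not publish the signature's real thresholds.
WINDOW_SECONDS = 60
MIN_DISTINCT_HOSTS = 5


def detect_udp_service_sweeps(events, window=WINDOW_SECONDS, min_hosts=MIN_DISTINCT_HOSTS):
    """Return sorted (src_ip, dst_port) pairs that probed at least `min_hosts`
    distinct hosts on the same UDP port within `window` seconds.

    events: time-ordered tuples (timestamp, src_ip, dst_ip, dst_port, port_open).
    """
    recent = defaultdict(deque)  # (src, dport) -> deque of (timestamp, dst)
    alerts = set()
    for ts, src, dst, dport, port_open in events:
        if port_open:
            # Assumption: an open port raises no probe event, so the detector
            # never sees it. This is the page's false-negative case.
            continue
        q = recent[(src, dport)]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:  # expire probes outside the window
            q.popleft()
        if len({d for _, d in q}) >= min_hosts:
            alerts.add((src, dport))
    return sorted(alerts)


def _sweep(src, dport, step, port_open, count=6):
    """Constructed traffic: one source touching `count` hosts on one port."""
    return [(i * step, src, f"192.0.2.{i + 1}", dport, port_open) for i in range(count)]


# Constructed sample events (documentation address ranges), sorted by time.
SAMPLE_EVENTS = sorted(
    _sweep("203.0.113.10", 161, 1, False)     # fast sweep, closed ports
    + _sweep("203.0.113.20", 161, 120, False)  # slow sweep, one probe per 2 min
    + _sweep("203.0.113.30", 53, 1, True)      # every probed port is open
)

if __name__ == "__main__":
    print("60 s window: ", detect_udp_service_sweeps(SAMPLE_EVENTS))
    print("900 s window:", detect_udp_service_sweeps(SAMPLE_EVENTS, window=900))
```

With the short window only the fast sweep is reported; widening the window also reports the slow source, while the source that hit only open ports is never reported at any window size.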

How to remove this vulnerability

Investigate the source of this event for a possible intruder. Consider blocking all packets originating from the source network.

References

ISS X-Force
Service scanner attempting to connect to same port on multiple computers
http://www.iss.net/security_center/static/5253.php