RE: Strange TCP headers

From: pbsarnac@ThoughtWorks.com
Date: 05/10/02


To: incidents@securityfocus.com
From: pbsarnac@ThoughtWorks.com
Date: Fri, 10 May 2002 11:38:14 -0500


I don't at this time. Since the firewall is stopping the packets, they're
not getting through to my IDS. I'm setting up a sniffer outside the
firewall to capture traffic so I can get full packet dumps.

My PIX is running the latest software in the 5.3 line. I suppose it's
possible that it's misreporting, but the odd thing is that I've been
reading the PIX logs for 5 months now, and I just started seeing large
numbers of these packets within the past two days. We've had gnutella users
for ages, but it's never caused issues like this before. The other really
odd thing is that all of these packets are different. It's not like there's
a standard signature... ACK FIN URG set or something. Some have two flags,
some have three, some have all six, some have none. It really seems like
someone is manipulating these packets.

I'll send some packet dumps along when I get them.

|---------+---------------------------->
| | Robert Buckley |
| | <rbuckley@synapse|
| | mail.com> |
| | |
| | 05/10/2002 11:00 |
| | AM |
| | |
|---------+---------------------------->
>--------------------------------------------------------------------------------------------------------------------|
  | |
  | To: "'pbsarnac@ThoughtWorks.com'" <pbsarnac@ThoughtWorks.com>, incidents@securityfocus.com |
  | cc: |
  | Subject: RE: Strange TCP headers |
>--------------------------------------------------------------------------------------------------------------------|

pb,
 That is strange. Do you have some raw data to back up what pix is
saying. If you have an old IOS running there, it could very well be pix is
not reporting correctly. We need to verify this by looking at the actual
raw
header, and see if it has options etc. I've caught a few people on my own
network using gnutella, which is prohibited by policy, but I've never seen
our pix's report bad header lengths on the traffic.

-----Original Message-----
From: pbsarnac@ThoughtWorks.com [mailto:pbsarnac@ThoughtWorks.com]
Sent: Friday, May 10, 2002 11:40 AM
To: incidents@securityfocus.com
Subject: Strange TCP headers

I just joined the list, and a quick search of the archives didn't turn this
up, but forgive me if this has already been discussed.

Starting on May 8 and continuing on through today, my firewall has been
picking up malformed TCP packets. The PIX complains about bad header
lengths, but the flag combinations that are showing up are extremely
strange. The source IP addresses are varied, and the destination IPs are
all NAT'd client workstations... not servers. The interesting thing is that
a majority of the scans are originating from port 6346, which snort.org
informs me is the gnutella server port. I've verified that at least two of
the clients that these packets were directed to were running various
file-sharing clients. Is this some sort of new scanning tool that runs over
the Gnutella network? Anyone have any thoughts?

(See attached file: 5-10-02-scans.txt)

Thanks!
Patrick Sarnacke

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



Relevant Pages

  • Re: iptables and dhcp
    ... > the same physical network segment as the firewall and the remote DHCP ... You used INPUT and not FORWARD chain ... # This target allows packets to be marked in the mangle table ...
    (comp.os.linux.networking)
  • RE: Does the Cisco PIX have an equivalent of the IPFW "fwd" action?
    ... PIX is not IOS, and AFAIK it was not designed for complex network solutions. ... I'm setting up a FreeBSD transparent Web proxy for a client which has an old ... Cisco PIX firewall router. ... packets will not be that of the proxy machine itself) and do transparent caching. ...
    (freebsd-net)
  • Re: Trouble accessing Outlook Web Access from behind firewall
    ... When starting the firewall I also set ... > rejected and dropped packets are logged, however I see nothing in my log ... > # Higher ports needed to accept incoming/outgoing calls ...
    (comp.security.firewalls)
  • Re: Visnetic and 8signs firewall LOOPHOLE Read....
    ... I said I am just reporting bug in your Firewall, ... From the Port Scan/Properties control screen: ... The firewall filtered 100% of the packets that were received. ... operating system (I'm talking Windows, ...
    (comp.security.firewalls)
  • Re: strange network traffic
    ... Maybe not so wise to not have a firewall and trust a third party lurker to ... Subject: strange network traffic ... > -> connection established, following packets have neither SYN nor ...
    (Security-Basics)