RE: odd scans?

From: Smith, Donald (Donald.Smith@qwest.com)
Date: 05/26/02


From: "Smith, Donald " <Donald.Smith@qwest.com>
To: "'Bamm (Robert) Visscher'" <rvisscher@saball.com>, "Scott, Michael R." <MICHAEL.R.SCOTT@saic.com>
Date: Sun, 26 May 2002 09:23:51 -0600

Could this be a reflective DDOS?
http://www.icir.org/vern/papers/reflectors.CCR.01/index.html

Comments inline.
The main difference between that and traditional backscatter is
that would mean you're being targeted. And the hosts
that sent you these packets are being used to hide the
real attacking hosts.

> -----Original Message-----
> From: Bamm (Robert) Visscher [mailto:rvisscher@saball.com]
> Sent: Friday, May 24, 2002 2:35 PM
> To: Scott, Michael R.
> Cc: 'intrusions@incidents.org'; 'incidents@securityfocus.com'
> Subject: Re: odd scans?
>
>
> Mike,
>
> Looks like you are just the innocent bystander. An unknown attacker is
> most likely "spoofing" your IP in an attempt to synflood the victims
> (who are sending the resets). Check out this excellent paper for more
> info: http://home.satx.rr.com/bejtlich/intv2-8.html
>
> Bammkkkk
>
> On Fri, 2002-05-24 at 12:16, Scott, Michael R. wrote:
> > Anyone recognize this or have a clue what they're looking for (covert
> > channel, root shell) or what tool is responsible? The source and dest ports
> > are almost as randomly distributed across the high range as the location of
> > the source IPs are across the globe, but notice that the same two ack
> > numbers repeat across all the source IPs.
> >
> > thanks
> > Mike
> >
Reset, Ack's -> a response from host with closed ports.
So I'd say that "attackers" in this case were sent a syn packet with the
port numbers reversed, i.e.
213.114.155.74 was sent a syn on port 32320.
> > May 04 15:13:54.192847 213.114.155.74.10363 > A.B.24.105.32320: R 0:0(0) ack 2093292673 win 0
Notice that ack is the same in many of these packets!
2093292673 occurs here from several DIFFERENT machines.
That implies that those hosts were all hit
with a syn packet with a seq number 2093292672, then
they all added 1 to that and said "I don't run that service" (ack/reset)
back to a.b.24.105.

> > May 10 10:32:02.907545 202.96.170.175.23132 > A.B.24.105.16147: R 0:0(0) ack 2119353641 win 0 (DF)
> > May 10 10:33:02.244385 202.96.170.175.28393 > A.B.24.105.27350: R 0:0(0) ack 2093292673 win 0 (DF)
> > May 11 17:41:25.668000 195.159.0.90.25787 > A.B.24.105.50026: R 0:0(0) ack 2093292673 win 0 (DF)
> > May 12 20:57:40.114036 195.159.0.90.17655 > A.B.24.105.42560: R 0:0(0) ack 2093292673 win 0 (DF) [tos 0x60]
> > May 13 02:43:49.277926 210.51.195.242.30405 > A.B.24.105.55321: R 0:0(0) ack 2093292673 win 0
> > May 13 02:47:42.141686 210.51.195.242.13712 > A.B.24.105.13470: R 0:0(0) ack 2119353641 win 0
> > May 13 03:08:44.392753 210.51.195.242.14624 > A.B.24.105.25786: R 0:0(0) ack 2119353641 win 0
> > May 13 03:09:02.581235 210.51.195.242.21772 > A.B.24.105.55043: R 0:0(0) ack 2093292673 win 0
> > May 13 03:14:07.108680 210.51.195.242.16260 > A.B.24.105.50721: R 0:0(0) ack 2093292673 win 0
> > May 13 03:23:01.695751 210.51.195.242.24690 > A.B.24.105.43529: R 0:0(0) ack 2093292673 win 0
> > May 13 03:30:40.841510 210.51.195.242.20326 > A.B.24.105.32961: R 0:0(0) ack 2119353641 win 0
> > May 13 03:53:25.418298 195.159.0.90.28711 > A.B.24.105.54951: R 0:0(0) ack 2093292673 win 0 (DF) [tos 0x60]
> > May 13 19:23:30.740548 202.103.196.69.5890 > A.B.24.105.55141: R 0:0(0) ack 2093292673 win 0
> > May 14 09:14:44.181069 202.108.58.52.18598 > A.B.24.105.19788: R 0:0(0) ack 2119353641 win 0
> > May 14 16:53:22.218980 195.159.0.90.14934 > A.B.24.105.42941: R 0:0(0) ack 2093292673 win 0 (DF) [tos 0x60]
> > May 14 17:00:47.116523 195.159.0.90.22228 > A.B.24.105.54487: R 0:0(0) ack 2093292673 win 0 (DF) [tos 0x60]
> > May 18 08:51:27.644959 218.1.1.158.2471 > A.B.24.105.49396: R 0:0(0) ack 2093292673 win 0
> > May 19 02:35:23.141419 202.103.196.69.32229 > A.B.24.105.27436: R 0:0(0) ack 2093292673 win 0
> > May 19 02:47:53.563776 202.103.196.61.8113 > A.B.24.105.32263: R 0:0(0) ack 2093292673 win 0
> > May 19 02:55:12.054609 202.103.196.61.14270 > A.B.24.105.32852: R 0:0(0) ack 2093292673 win 0
> > May 19 09:17:19.226250 218.1.1.158.26563 > A.B.24.105.35030: R 0:0(0) ack 2093292673 win 0
> > May 20 20:54:03.565186 211.155.241.86.4949 > A.B.24.105.7930: R 0:0(0) ack 2119353641 win 0
> > May 21 21:59:32.021667 61.139.77.80.28873 > A.B.24.105.36294: R 0:0(0) ack 2093292673 win 0
> > May 21 22:01:09.809743 61.139.77.80.16712 > A.B.24.105.55967: R 0:0(0) ack 2093292673 win 0
> > May 21 22:03:04.032252 61.139.77.80.20641 > A.B.24.105.24336: R 0:0(0) ack 2093292673 win 0
> > May 21 22:05:35.751460 61.139.77.80.23510 > A.B.24.105.47833: R 0:0(0) ack 2093292673 win 0
> > May 21 22:19:15.208975 61.139.77.80.27333 > A.B.24.105.33607: R 0:0(0) ack 2119353641 win 0
> > May 21 22:30:17.176497 61.139.77.80.7683 > A.B.24.105.25473: R 0:0(0) ack 2119353641 win 0
> > May 22 01:25:46.457981 61.139.77.80.21143 > A.B.24.105.34794: R 0:0(0) ack 2093292673 win 0
> > May 22 01:29:13.261296 61.139.77.80.17424 > A.B.24.105.46475: R 0:0(0) ack 2093292673 win 0
> > May 22 01:39:44.960026 61.139.77.80.24893 > A.B.24.105.12434: R 0:0(0) ack 2119353641 win 0
> > May 22 06:54:09.159673 61.144.236.154.23977 > A.B.24.105.37501: R 0:0(0) ack 2093292673 win 0
> > May 22 22:04:59.837793 211.144.65.118.18268 > A.B.24.105.32230: R 0:0(0) ack 2119353641 win 0
> > May 23 16:12:32.902699 32.97.166.142.23906 > A.B.24.105.40741: R 0:0(0) ack 2093292673 win 0 (DF) [tos 0x8]
> > May 24 07:27:13.613784 213.156.32.125.19650 > A.B.24.105.20404: R 0:0(0) ack 1702151370 win 0
> >
> >
> > ----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
> >
> --
> Bamm (Robert) Visscher
> Senior Engineer, Managed Network Security Operations
> Ball Aerospace & Technologies Corp.
> http://www.ball.com/aerospace/index.html
> rvisscher@saball.com Desk: 210.734.5070 x107 Mobile: 210.240.5950
>
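Applying the reasoning in this reply to the dump, as an added example that is not part of the thread: a small Python parser for the tcpdump-style RST/ACK lines that groups them by ack number and recovers the seq number the forged SYNs must have carried (ack - 1), so a repeated ack from unrelated hosts stands out as backscatter rather than a scan. The regex, the two-source threshold and the choice of six sample lines (copied from the post) are my own assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# One tcpdump-style RST/ACK record per line, as posted in the thread, e.g.
# "May 13 02:43:49.277926 210.51.195.242.30405 > A.B.24.105.55321: R 0:0(0) ack 2093292673 win 0"
RST_ACK_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:.]+) (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): R \d+:\d+\(\d+\) ack (?P<ack>\d+) win \d+"
)

# Six records copied from the post; the rest of the dump parses the same way.
SAMPLE_LINES = [
    "May 13 02:43:49.277926 210.51.195.242.30405 > A.B.24.105.55321: R 0:0(0) ack 2093292673 win 0",
    "May 13 02:47:42.141686 210.51.195.242.13712 > A.B.24.105.13470: R 0:0(0) ack 2119353641 win 0",
    "May 13 03:53:25.418298 195.159.0.90.28711 > A.B.24.105.54951: R 0:0(0) ack 2093292673 win 0 (DF) [tos 0x60]",
    "May 21 21:59:32.021667 61.139.77.80.28873 > A.B.24.105.36294: R 0:0(0) ack 2093292673 win 0",
    "May 22 22:04:59.837793 211.144.65.118.18268 > A.B.24.105.32230: R 0:0(0) ack 2119353641 win 0",
    "May 24 07:27:13.613784 213.156.32.125.19650 > A.B.24.105.20404: R 0:0(0) ack 1702151370 win 0",
]

@dataclass
class RstAck:
    ts: str
    src: str     # the host that answered: its closed port received the spoofed SYN
    sport: int   # port the spoofed SYN was aimed at
    dst: str     # address the SYN was forged from (the bystander, A.B.24.105 here)
    dport: int   # "source" port the forged SYN carried
    ack: int     # equals the forged SYN's seq + 1 (a SYN consumes one sequence number)

def parse_rst_acks(lines):
    # Only RST/ACK records are kept; anything else in the dump is ignored.
    found = []
    for line in lines:
        m = RST_ACK_RE.match(line.strip())
        if m:
            found.append(RstAck(m["ts"], m["src"], int(m["sport"]),
                                m["dst"], int(m["dport"]), int(m["ack"])))
    return found

def backscatter_groups(records, min_sources=2):
    """Group RST/ACKs by ack number. One ack value coming back from several
    unrelated hosts means spoofed SYNs all carrying the same seq (ack - 1)."""
    by_ack = defaultdict(set)
    for r in records:
        by_ack[r.ack].add(r.src)
    return {
        ack: {"syn_seq": (ack - 1) % 2**32,   # ISN is 32-bit, so ack 0 wraps
              "reflectors": sorted(srcs)}
        for ack, srcs in by_ack.items() if len(srcs) >= min_sources
    }
```

Running `backscatter_groups(parse_rst_acks(SAMPLE_LINES))` on the six sample lines reports the two repeated ack values from the post and drops the lone 1702151370, which only one host ever sent.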
