RE: odd scans?
From: Smith, Donald (Donald.Smith@qwest.com)Date: 05/26/02
 Previous message: Joe Blatz: "GET /proxytest.php"
 Maybe in reply to: Scott, Michael R.: "odd scans?"
 Next in thread: Bamm (Robert) Visscher: "RE: odd scans?"
 Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Smith, Donald " <Donald.Smith@qwest.com> To: "'Bamm (Robert) Visscher'" <rvisscher@saball.com>, "Scott, Michael R." <MICHAEL.R.SCOTT@saic.com> Date: Sun, 26 May 2002 09:23:51 0600
Could this be a reflective DDOS?
http://www.icir.org/vern/papers/reflectors.CCR.01/index.html
Comments inline.
The main difference between that and traditional backscatter is
that would mean your being targeted. And the hosts
that sent you these packets are being used to hide the
real attacking hosts.
> Original Message
> From: Bamm (Robert) Visscher [mailto:rvisscher@saball.com]
> Sent: Friday, May 24, 2002 2:35 PM
> To: Scott, Michael R.
> Cc: 'intrusions@incidents.org'; 'incidents@securityfocus.com'
> Subject: Re: odd scans?
>
>
> Mike,
>
> Looks like you are just the innocent bystander. An unknown attacker is
> most likely "spoofing" your IP in an attempt to synflood the victims
> (who are sending the resets). Check out this excellent paper for more
> info: http://home.satx.rr.com/bejtlich/intv28.html
>
> Bammkkkk
>
> On Fri, 20020524 at 12:16, Scott, Michael R. wrote:
> > Anyone recognize this or have a clue what they're looking
> for (covert
> > channel, root shell) or what tool is responsible? The
> source and dest ports
> > are almost as randomly distributed across the high range as
> the location of
> > the source IPs are across the globe, but notice that the
> same two ack
> > numbers repeat across all the source IPs.
> >
> > thanks
> > Mike
> >
Reset, Ack's > a response from host with closed ports.
So I'd say that "attackers" in this case were sent a syn packet with the
port numbers reversed ie
213.114.155.74 was sent a syn on port 32320.
> > May 04 15:13:54.192847 213.114.155.74.10363 >
> A.B.24.105.32320: R 0:0(0) ack
> > 2093292673 win 0
Notice that acq is the same in many of these packets!
2093292673 occurs here from several DIFFERENT machines.
That implies that those hosts were all hit
with a syn packet with an seq number 2093292672, then
they all added 1 to that and said "I dont run that service" (ack/reset)
back to a.b.24.105.
> > May 10 10:32:02.907545 202.96.170.175.23132 >
> A.B.24.105.16147: R 0:0(0) ack
> > 2119353641 win 0 (DF)
> > May 10 10:33:02.244385 202.96.170.175.28393 >
> A.B.24.105.27350: R 0:0(0) ack
> > 2093292673 win 0 (DF)
> > May 11 17:41:25.668000 195.159.0.90.25787 >
> A.B.24.105.50026: R 0:0(0) ack
> > 2093292673 win 0 (DF)
> > May 12 20:57:40.114036 195.159.0.90.17655 >
> A.B.24.105.42560: R 0:0(0) ack
> > 2093292673 win 0 (DF) [tos 0x60]
> > May 13 02:43:49.277926 210.51.195.242.30405 >
> A.B.24.105.55321: R 0:0(0) ack
> > 2093292673 win 0
> > May 13 02:47:42.141686 210.51.195.242.13712 >
> A.B.24.105.13470: R 0:0(0) ack
> > 2119353641 win 0
> > May 13 03:08:44.392753 210.51.195.242.14624 >
> A.B.24.105.25786: R 0:0(0) ack
> > 2119353641 win 0
> > May 13 03:09:02.581235 210.51.195.242.21772 >
> A.B.24.105.55043: R 0:0(0) ack
> > 2093292673 win 0
> > May 13 03:14:07.108680 210.51.195.242.16260 >
> A.B.24.105.50721: R 0:0(0) ack
> > 2093292673 win 0
> > May 13 03:23:01.695751 210.51.195.242.24690 >
> A.B.24.105.43529: R 0:0(0) ack
> > 2093292673 win 0
> > May 13 03:30:40.841510 210.51.195.242.20326 >
> A.B.24.105.32961: R 0:0(0) ack
> > 2119353641 win 0
> > May 13 03:53:25.418298 195.159.0.90.28711 >
> A.B.24.105.54951: R 0:0(0) ack
> > 2093292673 win 0 (DF) [tos 0x60]
> > May 13 19:23:30.740548 202.103.196.69.5890 >
> A.B.24.105.55141: R 0:0(0) ack
> > 2093292673 win 0
> > May 14 09:14:44.181069 202.108.58.52.18598 >
> A.B.24.105.19788: R 0:0(0) ack
> > 2119353641 win 0
> > May 14 16:53:22.218980 195.159.0.90.14934 >
> A.B.24.105.42941: R 0:0(0) ack
> > 2093292673 win 0 (DF) [tos 0x60]
> > May 14 17:00:47.116523 195.159.0.90.22228 >
> A.B.24.105.54487: R 0:0(0) ack
> > 2093292673 win 0 (DF) [tos 0x60]
> > May 18 08:51:27.644959 218.1.1.158.2471 > A.B.24.105.49396:
> R 0:0(0) ack
> > 2093292673 win 0
> > May 19 02:35:23.141419 202.103.196.69.32229 >
> A.B.24.105.27436: R 0:0(0) ack
> > 2093292673 win 0
> > May 19 02:47:53.563776 202.103.196.61.8113 >
> A.B.24.105.32263: R 0:0(0) ack
> > 2093292673 win 0
> > May 19 02:55:12.054609 202.103.196.61.14270 >
> A.B.24.105.32852: R 0:0(0) ack
> > 2093292673 win 0
> > May 19 09:17:19.226250 218.1.1.158.26563 >
> A.B.24.105.35030: R 0:0(0) ack
> > 2093292673 win 0
> > May 20 20:54:03.565186 211.155.241.86.4949 >
> A.B.24.105.7930: R 0:0(0) ack
> > 2119353641 win 0
> > May 21 21:59:32.021667 61.139.77.80.28873 >
> A.B.24.105.36294: R 0:0(0) ack
> > 2093292673 win 0
> > May 21 22:01:09.809743 61.139.77.80.16712 >
> A.B.24.105.55967: R 0:0(0) ack
> > 2093292673 win 0
> > May 21 22:03:04.032252 61.139.77.80.20641 >
> A.B.24.105.24336: R 0:0(0) ack
> > 2093292673 win 0
> > May 21 22:05:35.751460 61.139.77.80.23510 >
> A.B.24.105.47833: R 0:0(0) ack
> > 2093292673 win 0
> > May 21 22:19:15.208975 61.139.77.80.27333 >
> A.B.24.105.33607: R 0:0(0) ack
> > 2119353641 win 0
> > May 21 22:30:17.176497 61.139.77.80.7683 >
> A.B.24.105.25473: R 0:0(0) ack
> > 2119353641 win 0
> > May 22 01:25:46.457981 61.139.77.80.21143 >
> A.B.24.105.34794: R 0:0(0) ack
> > 2093292673 win 0
> > May 22 01:29:13.261296 61.139.77.80.17424 >
> A.B.24.105.46475: R 0:0(0) ack
> > 2093292673 win 0
> > May 22 01:39:44.960026 61.139.77.80.24893 >
> A.B.24.105.12434: R 0:0(0) ack
> > 2119353641 win 0
> > May 22 06:54:09.159673 61.144.236.154.23977 >
> A.B.24.105.37501: R 0:0(0) ack
> > 2093292673 win 0
> > May 22 22:04:59.837793 211.144.65.118.18268 >
> A.B.24.105.32230: R 0:0(0) ack
> > 2119353641 win 0
> > May 23 16:12:32.902699 32.97.166.142.23906 >
> A.B.24.105.40741: R 0:0(0) ack
> > 2093292673 win 0 (DF) [tos 0x8]
> > May 24 07:27:13.613784 213.156.32.125.19650 >
> A.B.24.105.20404: R 0:0(0) ack
> > 1702151370 win 0
> >
> >
> 
> 
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
> >
> 
> Bamm (Robert) Visscher
> Senior Engineer, Managed Network Security Operations
> Ball Aerospace & Technologies Corp.
> http://www.ball.com/aerospace/index.html
> rvisscher@saball.com Desk: 210.734.5070 x107 Mobile: 210.240.5950
>

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
 Previous message: Joe Blatz: "GET /proxytest.php"
 Maybe in reply to: Scott, Michael R.: "odd scans?"
 Next in thread: Bamm (Robert) Visscher: "RE: odd scans?"
 Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
