Unknown attack, possible trojan?

From: Arjan Hulsebos (ahulsebos@wolfpack.nl)
Date: 03/11/03

  • Next message: Michael Scheidell: "Re: [Snort-sigs] Snort Signatures for LSD-PL.NET Exploit"
    From: "Arjan Hulsebos" <ahulsebos@wolfpack.nl>
    To: <incidents@securityfocus.com>
    Date: Tue, 11 Mar 2003 10:33:00 +0100
    
    

    Hello list,

    We're operating a broadband cable internet network. We received a complaint
    from a subscriber concerning odd traffic he'd captured. As it turned out,
    he'd captured a DoS attack on another subscriber. Analysis of the dump
    showed the following:

    - Large amounts of packets were sent from a single ip address (not belonging
    to our AS) to the victim's ip address.
    - Multiple source ethernet MAC addresses were used (17 in the dump the
    subscriber sent us).
    - Multiple destination MAC addresses were used, but most (7 out of 9) were
    multicast ethernet addresses.
    - Source and destination ports remained the same, while the SYN and ACK bits
    were set.
    - Both sequence numbers were equal to one another, and remained the same
    throughout the dump.
    - The TTL varied between 32 and 59. This is odd, as it's all in a switched
    environment. The router's ethernet address was never seen as a source MAC
    address, hence the traffic never left the VLAN.
    - The identity field in the IP header was the same (10803) for all packets.

    As this spew of packets also hit the router (and died there in an ACL), I
    checked other routers in our network, and did see the same sort of packets
    hit the ACLs in various other locations. Comparing them, it turned out that
    port 80 was always involved, either as a destination port or as a source
    port. I've included some lines from the tcpdump.

    Does anyone recognize this? I couldn't find any clue in Google...

    Thanks,

    Arjan H

    Not even a clue-by-four would work with this clown.
    ________________________________
    dr. Arjan Hulsebos
    Security Engineer
    Essent Kabelcom West, a.k.a. @Home Benelux
    1042 AX Amsterdam
    Email: arjanh@corp.home.nl
    Tel: +31 20 88 55 407
    Mob: +31 6 21 548 777

    ==== < tcpdump > =====

    20:21:35.872464 0:50:fc:fe:74:a4 1:0:5e:33:e8:58 0800 60: 209.11.84.ZZZ.80 >
    213.51.XXX.YYY.63089: S [tcp sum ok]
      1224440169:1224440169(0) ack 2340024064 win 6144 <mss 1460> (DF) (ttl 56,
    id 10803, len 44)
    20:21:35.872851 0:50:7f:4:15:70 0:6:52:50:94:8 0800 60: 209.11.84.ZZZ.80 >
    213.51.XXX.YYY.63089: S [tcp sum ok]
      1224440169:1224440169(0) ack 2340024064 win 6144 <mss 1460> (DF) (ttl 55,
    id 10803, len 44)
    20:21:35.880167 0:10:a7:3:81:bd 1:0:5e:33:94:1 0800 60: 209.11.84.ZZZ.80 >
    213.51.XXX.YYY.63089: S [tcp sum ok]
      1224440169:1224440169(0) ack 2340024064 win 6144 <mss 1460> (DF) (ttl 53,
    id 10803, len 44)
    20:21:35.880551 0:50:7f:4:15:70 0:6:52:50:94:8 0800 60: 209.11.84.ZZZ.80 >
    213.51.XXX.YYY.63089: S [tcp sum ok]
      1224440169:1224440169(0) ack 2340024064 win 6144 <mss 1460> (DF) (ttl 52,
    id 10803, len 44)
    20:21:35.887731 0:10:a7:3:81:bd 1:0:5e:33:94:1 0800 60: 209.11.84.ZZZ.80 >
    213.51.XXX.YYY.63089: S [tcp sum ok]
      1224440169:1224440169(0) ack 2340024064 win 6144 <mss 1460> (DF) (ttl 54,
    id 10803, len 44)
    20:21:35.888114 0:50:7f:4:15:70 0:6:52:50:94:8 0800 60: 209.11.84.ZZZ.80 >
    213.51.XXX.YYY.63089: S [tcp sum ok]
      1224440169:1224440169(0) ack 2340024064 win 6144 <mss 1460> (DF) (ttl 53,
    id 10803, len 44)
    20:21:35.895208 0:4:61:43:fb:cf 1:0:5e:33:ea:1 0800 60: 209.11.84.ZZZ.80 >
    213.51.XXX.YYY.63089: S [tcp sum ok]
      1224440169:1224440169(0) ack 2340024064 win 6144 <mss 1460> (DF) (ttl 55,
    id 10803, len 44)
    20:21:35.895598 0:50:7f:4:15:70 0:6:52:50:94:8 0800 60: 209.11.84.ZZZ.80 >
    213.51.XXX.YYY.63089: S [tcp sum ok]
      1224440169:1224440169(0) ack 2340024064 win 6144 <mss 1460> (DF) (ttl 54,
    id 10803, len 44)
    20:21:35.902707 0:0:c5:5d:d:41 1:0:5e:33:e8:58 0800 60: 209.11.84.ZZZ.80 >
    213.51.XXX.YYY.63089: S [tcp sum ok]
      1224440169:1224440169(0) ack 2340024064 win 6144 <mss 1460> (DF) (ttl 53,
    id 10803, len 44)
    20:21:35.903093 0:50:7f:4:15:70 0:6:52:50:94:8 0800 60: 209.11.84.ZZZ.80 >
    213.51.XXX.YYY.63089: S [tcp sum ok]
      1224440169:1224440169(0) ack 2340024064 win 6144 <mss 1460> (DF) (ttl 52,
    id 10803, len 44)

    ----------------------------------------------------------------------------

    <Pre>Lose another weekend managing your IDS?
    Take back your personal time.
    15-day free trial of StillSecure Border Guard.</Pre>
    <A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>


  • Next message: Michael Scheidell: "Re: [Snort-sigs] Snort Signatures for LSD-PL.NET Exploit"