RE: Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log file...)

From: Jim Butterworth (res0qh1m_at_verizon.net)
Date: 06/18/03

To: "'Anders Reed Mohn'" <anders_rm@utepils.com>, <incidents@securityfocus.com>
Date: Tue, 17 Jun 2003 20:06:07 -0700

    Has anyone previously posted a verbose packet capture, in hex, that
    would allow for some analysis?
    r/Jim Butterworth
    SANS GCIA

    -----Original Message-----
    From: Anders Reed Mohn [mailto:anders_rm@utepils.com]
    Sent: Tuesday, June 17, 2003 3:29 AM
    To: incidents@securityfocus.com
    Subject: Re: Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log
    file...)

    Forgive me if this just ends up in a stupid question, but
    having watched this thread for a while now, it strikes me
    as odd that no one has been able to trace the origin of any
    of these packets yet.
    These packets are now widely known (and have been
    discussed on other lists, in the news etc, as well), and there
    are quite a few network admins aware of this.

    Is it not possible for a few to get together and track down at
    least _one_ source computer?

    It seems to me that you are all putting an awful lot of effort into logging
    and tracking and making statistics.
    This is of course a good thing, but if we want to figure this thing out,
    there's more that needs to be done.

    I know.. spoofed addresses.. but that
    does not mean we cannot trace packets to a certain extent.
    A shitty job, but unfortunately the only way of going about this, if
    we want to track it down for real.
    Also, it seems from some posters that not all sources are spoofed.

    Are you guys talking to your ISPs about this? I am sure the average
    ISP has at least one techhead that would be interested in digging a little
    in this, and I am guessing that several ISPs read this list as well.
    I'm not currently working as a network admin, so I'm not in a position
    to do much hunting in logs myself, unfortunately.
    So, what's happenin' dudes? Can we mount a common effort to track
    this down?
    Any ISP techs reading this, who see these packets coming out from their
    networks? Do you contact the "offenders"?

    Cheers,
    Anders :)
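Jim's request above is for a verbose hex capture that could be analysed. As an added example (not from the thread or either of its authors), here is a small Python parser that takes a tcpdump-style hex dump of an IPv4/TCP packet, decodes the header fields that matter in this discussion (addresses, TTL, flags, window size, option length), verifies the IP and TCP checksums, and flags SYN-only segments whose window size is 55808. The two packets embedded in it are constructed for illustration (10.0.0.1 to 192.0.2.10, arbitrary ports and sequence numbers); they are not captures from the thread.

```python
"""Parse a hex dump of an IPv4/TCP packet and flag SYNs with window size 55808.

Added example, not code from the original thread. Both sample packets are
constructed: 10.0.0.1 -> 192.0.2.10 (192.0.2.0/24 is documentation space),
arbitrary ports and sequence numbers.
"""
import struct

SUSPECT_WINDOW = 55808  # 0xDA00, the window size discussed in the thread

# Constructed sample: 20-byte IPv4 header + 20-byte TCP header, SYN only, window 0xDA00.
SAMPLE_SYN_55808 = """
4500 0028 1234 4000 4006 5c91 0a00 0001
c000 020a 1234 0050 0000 0001 0000 0000
5002 da00 f751 0000
"""

# Constructed sample: the same SYN with an ordinary window of 65535 (checksum recomputed).
SAMPLE_SYN_NORMAL = """
4500 0028 1234 4000 4006 5c91 0a00 0001
c000 020a 1234 0050 0000 0001 0000 0000
5002 ffff d152 0000
"""

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum arithmetic: 16-bit one's-complement sum with carry folding.
    A header whose checksum field is correct sums to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def parse_ipv4_tcp(hexdump: str) -> dict:
    """Decode an IPv4 packet carrying TCP from a whitespace-separated hex dump."""
    raw = bytes.fromhex("".join(hexdump.split()))
    if raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", raw[2:4])[0]
    ttl, proto = raw[8], raw[9]
    if proto != 6:
        raise ValueError("not TCP (protocol %d)" % proto)
    ip_header = raw[:ihl]
    tcp = raw[ihl:total_len]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4                # TCP header length in bytes
    flag_bits = off_flags & 0x01FF
    flags = [name for bit, name in TCP_FLAG_NAMES if flag_bits & bit]
    # The TCP checksum covers a pseudo header (src, dst, zero, proto, TCP length) + segment.
    pseudo = raw[12:20] + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        "src": ".".join(str(b) for b in raw[12:16]),
        "dst": ".".join(str(b) for b in raw[16:20]),
        "ttl": ttl,
        "ip_checksum_ok": ones_complement_sum(ip_header) == 0xFFFF,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": flags, "window": window,
        "tcp_options_len": data_off - 20,
        "tcp_checksum_ok": ones_complement_sum(pseudo + tcp) == 0xFFFF,
    }


def is_suspect_syn(pkt: dict) -> bool:
    """SYN with no other flags and the window size this thread is about."""
    return pkt["flags"] == ["SYN"] and pkt["window"] == SUSPECT_WINDOW


def find_suspect_syns(hexdumps):
    """Parse each dump and return only the packets matching the pattern."""
    return [p for p in (parse_ipv4_tcp(h) for h in hexdumps) if is_suspect_syn(p)]


if __name__ == "__main__":
    for dump in (SAMPLE_SYN_55808, SAMPLE_SYN_NORMAL):
        p = parse_ipv4_tcp(dump)
        print("%s:%d -> %s:%d ttl=%d flags=%s win=%d opts=%d ipcksum=%s tcpcksum=%s suspect=%s"
              % (p["src"], p["sport"], p["dst"], p["dport"], p["ttl"], "/".join(p["flags"]),
                 p["window"], p["tcp_options_len"], p["ip_checksum_ok"],
                 p["tcp_checksum_ok"], is_suspect_syn(p)))
```

The decoded TTL, option length and checksum validity are the fields worth comparing across reports: a fixed TTL or a TTL that does not fit the claimed source, missing options, or consistently bad checksums are the kind of detail that distinguishes one sender's crafted packets from ordinary SYNs, which is why a raw hex capture is more useful to the list than a summarised log line.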

    ----------------------------------------------------------------------------
    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    world's premier technical IT security event! 10 tracks, 15 training sessions,
    1,800 delegates from 30 nations including all of the top experts, from CSO's to
    "underground" security specialists.  See for yourself what the buzz is about!
    Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
    ----------------------------------------------------------------------------