Re: iptables INVALID

From: RainbowHat <nHiATlE@blSackholeP.mAit.edMu.invalid>
Date: Sat, 1 Jun 2002 18:47:40 +0000 (UTC)


[ Part 6 : Landscape of bird's eye view ]

< William Hunt

Common: (DROP INVALID) DST=(ME) LEN=56 TOS=0x00 PREC=0x00 ID=0
        PROTO=ICMP TYPE=3 CODE=1
        [SRC=(ME) LEN=48 TOS=0x00 PREC=0x00 PROTO=TCP URGP=0]

Date SRC DST ID F SPT DPT WINDOW RES FLG
Feb 28 10:42:59 1A [1B 57584 DF 1081 1120 28534 0x0c ECE URG RST SYN FIN]
Feb 28 12:49:30 1A [1B 61487 DF 1095 1210 28534 0x0c ECE URG RST SYN FIN]
Feb 28 14:41:21 1A [1B 4270 DF 1068 1094 0 0x00 ACK]
Feb 28 15:18:05 1A [1B 53420 DF 1275 1141 0 0x00 ACK]
Feb 28 18:27:19 1A [1B 24814 DF 1138 1058 28534 0x0c ECE URG RST SYN FIN]
May 6 13:24:42 1A [1C 28717 DF 1113 1257 12337 0x00 URG ACK PSH SYN]
Mar 15 20:07:17 2C [2F 8429 DF 1252 1116 0 0x00 ACK]
Mar 15 20:17:43 2C [2F 28717 DF 1279 1179 0 0x00 ACK]
Mar 15 21:17:32 2C [2F 57584 DF 1110 1050 0 0x00 ]
Mar 15 21:52:28 2C [2F 61487 DF 1064 1216 0 0x00 ACK]
Mar 15 22:23:19 2C [2F 4270 DF 1091 1084 0 0x00 ACK]
Mar 16 00:00:38 2C [2F 37040 DF 1089 1118 0 0x00 ACK]

Feb 24 19:52:30 2A [2D 61487 DF 1070 80 0 0x00 ACK]
Feb 24 20:31:54 2A [2D 49261 DF 1264 80 0 0x00 ACK]
Mar 17 03:48:12 2A [2G 49261 DF 1091 80 0 0x00 ACK]
Mar 17 05:10:20 2A [2G 12332 DF 1218 80 0 0x00 ACK]
Mar 17 07:40:19 2A [2G 12332 DF 1142 80 0 0x00 ACK]
Mar 17 02:36:02 2A [2H 12332 DF 1196 6667 0 0x00 ACK]
Mar 17 06:13:33 2A [2H 4270 DF 1243 6667 0 0x00 ACK]
Mar 17 08:59:38 2A [2H 28717 DF 1131 6667 1121 0x10 ECE URG ACK SYN]
Mar 17 10:03:01 2A [2H 111 DF 1136 6667 0 0x00 ACK]
Mar 17 11:05:57 2A [2H 53420 DF 1036 6667 0 0x00 ACK]

Mar 5 04:29:06 2B [2E 49261 -- 65382 80 0 0x00 ACK]
Mar 17 04:08:41 2B [2G 57584 DF 1122 1275 12337 0x00 URG ACK PSH SYN]
Mar 17 05:10:00 2B [2G 16496 DF 1168 1111 0 0x00 ACK]
Mar 17 10:04:53 2B [2G 8429 DF 1097 1047 12851 0x00 URG ACK FIN]

Only the packet at Mar 5 04:29:06 did not have the DF flag set, and its SRC is
the high port 65382. Perhaps a fragmented packet.

freq. IPID Hosts
3 61487 1B 2D 2F
3 57584 1B 2F 2G
3 49261 2D 2E 2G
3 4270 1B 2F 2H
3 28717 1C 2F 2H
3 12332 2G 2H
2 8429 2F 2G
2 53420 1B 2H
1 37040 2F
1 24814 1B
1 16496 2G
1 111 2H

Seems like they originated from the same host. Maybe the TTL was crafted.

freq. WINDOW
19 0
 3 28534
 2 12337
 1 12851
 1 1121

freq. FLG
18 ACK
 7 (URG+)
 4 (ECE+)
 1 ACK SYN
 1 ACK FIN
----------------- the following do not look legitimate (scan or attack).
 3 RST SYN FIN
 2 ACK PSH SYN
 1 NULL

freq. DPT
15 random-looking non-privileged ports
 6 http 80/tcp # World Wide Web HTTP
 5 irc 6667/tcp # Internet Relay Chat

freq. RES
22 0x00
 3 0x0c (ECE) 0000 1100
 1 0x10 (ECE) 0001 0000

-- 
Regards, RainbowHat. To spoof or not to spoof, that is the IPv4 packet.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7
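The frequency tables above were evidently built by hand from the raw LOG lines. The following is an added example, not code from the original post or from netfilter, that parses iptables LOG lines of the shape described under "Common" (an ICMP type 3 code 1 error whose bracketed part quotes the embedded TCP header) and rebuilds the same tables: IP ID, WINDOW, flag set, DPT and RES frequencies, the IP IDs quoted for more than one "unreachable" host, the packets without DF, and the flag combinations the post groups as scan or attack (NULL, SYN with FIN or RST, SYN with PSH). The sample log lines, the host `gw`, the interface `eth0` and the 192.0.2.0/24 addresses are constructed for the example; 192.0.2.1 stands in for "(ME)".

```python
import re
from collections import Counter, defaultdict

TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")

# Constructed sample lines in iptables LOG format (not taken from the original
# post). Each is an ICMP type 3 code 1 (host unreachable) error; the bracketed
# part is the TCP header the error claims to quote. Addresses are RFC 5737
# documentation addresses, 192.0.2.1 playing the role of "(ME)".
SAMPLE_LOG = """\
Feb 28 10:42:59 gw kernel: DROP INVALID IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=56 TTL=64 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.0.2.1 DST=192.0.2.20 LEN=48 TTL=128 ID=57584 DF PROTO=TCP SPT=1081 DPT=1120 WINDOW=28534 RES=0x0c ECE URG RST SYN FIN URGP=0 ]
Feb 28 14:41:21 gw kernel: DROP INVALID IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=56 TTL=64 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.0.2.1 DST=192.0.2.20 LEN=48 TTL=128 ID=4270 DF PROTO=TCP SPT=1068 DPT=1094 WINDOW=0 RES=0x00 ACK URGP=0 ]
Mar 15 21:17:32 gw kernel: DROP INVALID IN=eth0 OUT= SRC=192.0.2.11 DST=192.0.2.1 LEN=56 TTL=64 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.0.2.1 DST=192.0.2.21 LEN=48 TTL=128 ID=57584 DF PROTO=TCP SPT=1110 DPT=1050 WINDOW=0 RES=0x00 URGP=0 ]
Mar 17 04:08:41 gw kernel: DROP INVALID IN=eth0 OUT= SRC=192.0.2.12 DST=192.0.2.1 LEN=56 TTL=64 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.0.2.1 DST=192.0.2.22 LEN=48 TTL=128 ID=57584 DF PROTO=TCP SPT=1122 DPT=1275 WINDOW=12337 RES=0x00 URG ACK PSH SYN URGP=0 ]
Mar 5 04:29:06 gw kernel: DROP INVALID IN=eth0 OUT= SRC=192.0.2.13 DST=192.0.2.1 LEN=56 TTL=64 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.0.2.1 DST=192.0.2.23 LEN=48 TTL=128 ID=49261 PROTO=TCP SPT=65382 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0 ]
"""

# timestamp, host, "kernel:", outer fields, optional bracketed inner header
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (.*?)(?:\[(.*?)\])?\s*$")


def _parse_fields(text):
    """Turn K=V tokens into a dict; collect bare TCP flag tokens and DF/MF."""
    fields, flags = {}, []
    for tok in text.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        elif tok in TCP_FLAGS:
            flags.append(tok)
        elif tok in ("DF", "MF"):
            fields[tok] = True
    fields["FLAGS"] = tuple(flags)
    return fields


def parse_log_line(line):
    """Return a dict of outer fields plus an 'inner' dict for the quoted header, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, outer, inner = m.groups()
    rec = {"ts": ts, **_parse_fields(outer)}
    if inner is not None:
        rec["inner"] = _parse_fields(inner)
    return rec


def is_suspicious_flags(flags):
    """The combinations the post groups as scan or attack: NULL, SYN+FIN/RST, SYN+PSH."""
    f = set(flags)
    if not f:
        return True
    return "SYN" in f and bool(f & {"FIN", "RST", "PSH"})


def summarize(log_text):
    """Rebuild the post's frequency tables from raw LOG text (ICMP errors with a quoted header only)."""
    recs = [r for r in map(parse_log_line, log_text.splitlines()) if r and "inner" in r]
    inner = [r["inner"] for r in recs]
    ipid_hosts = defaultdict(set)
    for i in inner:
        ipid_hosts[i["ID"]].add(i["DST"])
    return {
        "count": len(recs),
        "ipid": Counter(i["ID"] for i in inner),
        "window": Counter(i["WINDOW"] for i in inner),
        "flags": Counter(i["FLAGS"] for i in inner),
        "dpt": Counter(i["DPT"] for i in inner),
        "res": Counter(i["RES"] for i in inner),
        "suspicious": [(r["ts"], r["inner"]["FLAGS"]) for r in recs
                       if is_suspicious_flags(r["inner"]["FLAGS"])],
        # the same IP ID quoted for several different "unreachable" hosts is the
        # hint the post reads as all the errors coming from one origin
        "ipid_reused": {ipid: sorted(h) for ipid, h in ipid_hosts.items() if len(h) > 1},
        "no_df": [r["ts"] for r in recs if not r["inner"].get("DF")],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for key in ("ipid", "window", "flags", "dpt", "res"):
        print(f"freq. {key.upper()}: {s[key].most_common()}")
    print("not legitimate:", s["suspicious"])
    print("IP ID reused across hosts:", s["ipid_reused"])
    print("no DF:", s["no_df"])
```

Feed it real lines with `summarize(open("/var/log/messages").read())`; lines from other rules or without a quoted header are skipped, so the tables only describe the ICMP-error traffic the post is about. The classification in `is_suspicious_flags` deliberately mirrors the post's grouping (ACK SYN and ACK FIN stay in the legitimate set), not a general TCP validity check.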