Security Incidents mailing list archives
TCP Munging or ICMP Crossdressing
From: spb () SCHADENFREUDE MESHUGGENEH NET (Stephen P. Berry)
Date: Tue, 22 Feb 2000 23:28:23 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

About twenty-four hours ago I started seeing some anomalous traffic which doesn't match any signature with which I am currently familiar. Looking at a representative packet in hex (a la tcpdump(8) with the -x flag given):

    4500 .... .... 4000 ..06 .... xxxx xxxx
    yyyy yyyy 7803 8018 7803 8018 7803 8018
    7803 8018 7803 8018 7803 8018 7803 8018
    7803 8018 7803

Where xxxx xxxx and yyyy yyyy are the appropriate hex values for the source and destination IP addresses, respectively, and the `.'s are the length, ID, TTL and checksum, which vary from incident to incident but which are all appropriate values. The repeated pattern which starts immediately after the end of the IP header varies from incident to incident, as well as from packet to packet in a single incident[0]. The pattern has always been four bytes long, but the overall packet length varies.

I've observed this traffic on multiple sensors on different segments. All of them do, however, share a common upstream provider---so it is possible that the cause is a smafco'd router or some such rather than nastiness on the apparent source host.

So far, all of this odd traffic has occurred in relative proximity (within a couple seconds or so) of otherwise uninteresting traffic (mostly innocuous-looking inbound web traffic).

When I first saw this, I thought I was looking at the result of someone using a BSD-like ping(8) with a four byte -p pattern. But of course the IP header identifies the packets as being TCP, and there is no (proper) layer four header at all.

Does this look familiar to anyone?

And no, none of the traffic came from demon.co.uk, gb.net, or any of the related fountains of munged traffic[1].

- -Steve

- -----
[0] Here I'm defining `incident' as being a single stream of traffic between a single source/destination host pair with no appreciable pauses between packets. Each `incident' lasts a couple minutes, and there are no pauses between packets as long as a full second.

[1] If you've ever seen this, you know what I mean.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4s4wEG3kIaxeRZl8RArmiAJ4/LHJIFGNzyILdHaKu4gKzAjLTXwCdFMeI
499EouD5pJqGFOz/kEeVEd4=
=bCVw
-----END PGP SIGNATURE-----
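The shape Steve describes (an IP header that says protocol 6, followed by a repeated four-byte pattern where a TCP header should sit) can be checked mechanically on a capture. The script below is an added triage example; it is not from the original post or the thread. It constructs its own sample datagram rather than using a real capture: placeholder addresses from the RFC 5737 documentation ranges, a total length and header checksum that the script fills in, and the 7803 8018 pattern from the dump above padded to the 34 payload bytes shown there. It parses tcpdump -x style hex, verifies the IP header checksum, checks whether the bytes where a TCP header should be are plausible as one, and looks for a short repeating unit covering the entire IP payload. The function and constant names are the example's own.

```python
"""Triage helper for the anomaly in the post: an IPv4 header that claims
protocol 6 (TCP) but whose payload is a short repeating byte pattern rather
than a plausible TCP header. Added example; the sample packet is constructed."""
import struct

IP_PROTO_TCP = 6
# Repeated 4-byte pattern taken from the post's dump, padded to the 34 bytes
# that follow the IP header there (eight full repeats plus a trailing "7803").
SAMPLE_PAYLOAD = (b"\x78\x03\x80\x18" * 9)[:34]
# A normal 20-byte TCP SYN (sport 1024, dport 80, data offset 5, flags SYN),
# constructed here for contrast.
NORMAL_SYN_PAYLOAD = struct.pack("!HHIIBBHHH", 1024, 80, 1, 0, 0x50, 0x02, 0xFFFF, 0, 0)


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(ip_payload: bytes) -> bytes:
    """Constructed IPv4 datagram around ip_payload: protocol TCP, DF set,
    placeholder addresses from the RFC 5737 documentation ranges, and a
    consistent total length and header checksum."""
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ip_payload),
                      0x1234, 0x4000, 64, IP_PROTO_TCP, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + ip_payload


def parse_hexdump(text: str) -> bytes:
    """Convert tcpdump -x style output (whitespace-separated hex groups) to bytes.
    Placeholder groups such as '....' or 'xxxx' must be real hex before parsing."""
    return bytes.fromhex("".join(text.split()))


def repeating_pattern(data: bytes, max_period: int = 8):
    """Shortest unit (up to max_period bytes) of which data is a pure repetition,
    or None. At least two full repeats are required to count as a pattern."""
    for period in range(1, max_period + 1):
        unit = data[:period]
        if len(data) >= 2 * period and all(data[i] == unit[i % period] for i in range(len(data))):
            return unit
    return None


def tcp_header_sane(payload: bytes) -> bool:
    """Plausibility check on the bytes where a TCP header should sit: minimum
    length, data offset within bounds, and no impossible flag combinations."""
    if len(payload) < 20:
        return False
    offset_flags = struct.unpack("!H", payload[12:14])[0]
    data_offset = (offset_flags >> 12) * 4
    flags = offset_flags & 0x3F            # URG ACK PSH RST SYN FIN
    fin, syn, rst = flags & 0x01, flags & 0x02, flags & 0x04
    if data_offset < 20 or data_offset > len(payload):
        return False
    if flags == 0 or (syn and (fin or rst)):
        return False
    return True


def triage(packet: bytes) -> dict:
    """Summarize one datagram and flag the 'TCP without a TCP header' shape."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ver_ihl, total_len, proto, cksum, src, dst = (fields[0], fields[2], fields[6],
                                                  fields[7], fields[8], fields[9])
    ihl = (ver_ihl & 0x0F) * 4
    header, payload = packet[:ihl], packet[ihl:total_len]
    zeroed = header[:10] + b"\x00\x00" + header[12:]   # checksum field cleared
    pattern = repeating_pattern(payload)
    sane = tcp_header_sane(payload) if proto == IP_PROTO_TCP else None
    return {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "protocol": proto,
        "ip_checksum_ok": ipv4_checksum(zeroed) == cksum,
        "payload_len": len(payload),
        "pattern": pattern.hex() if pattern else None,
        "tcp_header_sane": sane,
        # Anomalous: claims TCP, yet the L4 bytes are either implausible as a
        # header or are nothing but a repeated short pattern.
        "anomalous": proto == IP_PROTO_TCP and (not sane or pattern is not None),
    }


if __name__ == "__main__":
    for name, payload in (("post-like", SAMPLE_PAYLOAD), ("normal SYN", NORMAL_SYN_PAYLOAD)):
        print(name, triage(build_packet(payload)))
```

Read as a TCP header, the post's pattern gives a data offset of 7 (28 bytes) with both SYN and FIN set, which the sanity check rejects, and the periodicity check reports the unit 78038018; the constructed SYN passes both. On a real capture, paste the dump with the actual address and length groups in place of the placeholders, and treat a valid IP checksum plus a garbage layer four as a hint that the damage happened after the IP header was finalized, consistent with the upstream-router theory in the post.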
Current thread:
- TCP Munging or ICMP Crossdressing Stephen P. Berry (Feb 22)
- Re: TCP Munging or ICMP Crossdressing H D Moore (Feb 24)