Security Incidents mailing list archives

Re: TCP Munging or ICMP Crossdressing


From: hdm () SECUREAUSTIN COM (H D Moore)
Date: Thu, 24 Feb 2000 11:39:24 -0600


This could be the result of someone using hping2 with the "read data
from file option" to do some kind of firewall ruleset testing...  That
is the only widely known tool I know of which could easily create this
signature.

-HD

"Stephen P. Berry" wrote:

About twenty-four hours ago I started seeing some anomalous traffic which
doesn't match any signature with which I am currently familiar.

Looking at a representative packet in hex (a la tcpdump(8) with the -x
flag given):

        4500 .... .... 4000 ..06 .... xxxx xxxx
        yyyy yyyy 7803 8018 7803 8018 7803 8018
        7803 8018 7803 8018 7803 8018 7803 8018
        7803 8018 7803

Where xxxx xxxx and yyyy yyyy are the appropriate hex values for the
source and destination IP addresses, respectively, and the `.'s are
the length, ID, TTL and checksum which vary from incident to incident
but which are all appropriate values.

The repeated pattern which starts immediately after the end of the IP
header varies from incident to incident, as well as from packet to
packet in a single incident[0].  The pattern has always been four bytes
long, but the overall packet length varies.

I've observed this traffic on multiple sensors on different segments.
All of them do, however, share a common upstream provider---so it
is possible that the cause is a smafco'd router or some such rather
than nastiness on the apparent source host.  So far, all of this
odd traffic has occurred in relative proximity (within a couple seconds
or so) of otherwise uninteresting traffic (mostly innocuous-looking
inbound web traffic).

When I first saw this, I thought I was looking at the result of someone
using a BSD-like ping(8) with a four byte -p pattern.  But of course
the IP header identifies the packets as being TCP, and there is no
(proper) layer four header at all.

Does this look familiar to anyone?  And no, none of the traffic came
from demon.co.uk, gb.net, or any of the related fountains of munged
traffic[1].

-Steve
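As an added example (not part of either message above), here is a small Python check for the pattern Steve describes: it parses a raw IPv4 packet, reports whether the bytes after the IP header are one short repeated pattern, and decodes them as TCP to show why they cannot be a proper layer-four header. The sample packet is constructed from the hex dump in the post, with placeholder values in the masked fields; the SYN+FIN finding comes from reading the repeated `7803 8018` bytes as a TCP header.

```python
# Constructed test packet modelled on the post's hex dump; the masked fields
# (length, ID, TTL, checksum, addresses) hold placeholder values, not real ones.
SAMPLE_HEX = (
    "4500 0036 1234 4000 4006 0000 0a00 0001 "
    "c0a8 0001 7803 8018 7803 8018 7803 8018 "
    "7803 8018 7803 8018 7803 8018 7803 8018 "
    "7803 8018 7803"
)

def parse_ipv4(pkt):
    """Return (protocol, bytes after the IP header) or None if not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], pkt[ihl:]

def repeat_period(data, max_period=8):
    """Smallest p <= max_period such that data is its first p bytes repeated, else 0."""
    for p in range(1, max_period + 1):
        if len(data) >= 2 * p and all(data[i] == data[i % p] for i in range(len(data))):
            return p
    return 0

def tcp_header_anomalies(seg):
    """Decode the layer-4 bytes as TCP and list things a real stack never emits."""
    if len(seg) < 20:
        return ["segment too short to hold a TCP header"]
    issues = []
    data_off = (seg[12] >> 4) * 4
    flags = seg[13]
    if data_off < 20 or data_off > len(seg):
        issues.append("data offset %d outside segment" % data_off)
    if flags & 0x03 == 0x03:
        issues.append("SYN and FIN both set")
    return issues

def analyse(pkt):
    """Summarise one raw IPv4 packet: protocol, payload period, TCP oddities, verdict."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return {"error": "not IPv4"}
    proto, payload = parsed
    period = repeat_period(payload)
    anomalies = tcp_header_anomalies(payload) if proto == 6 else []
    # TCP by protocol number, yet a 1..4 byte pattern fills the whole segment
    return {"proto": proto, "period": period, "anomalies": anomalies,
            "suspicious": proto == 6 and 0 < period <= 4}

if __name__ == "__main__":
    print(analyse(bytes.fromhex(SAMPLE_HEX.replace(" ", ""))))
```

Feeding each IP packet from a capture through analyse() and alerting on "suspicious" gives a sensor rule for this traffic that does not depend on the particular four bytes, which the post notes change from packet to packet.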

