Security Incidents mailing list archives
Re: more weird traceroutes
From: chadth () OBFUSTECH COM (Chad Thunberg)
Date: Tue, 2 May 2000 15:09:17 -0700
these aren't traceroutes, they are scans for proxies.

-Chad

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM] On Behalf Of Donald McLachlan
Sent: Tuesday, May 02, 2000 6:51 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: more weird traceroutes

How about this. A traceroute (sort of) masquerading as RingZero!

It started with this:

00:50:49.091588 212.209.62.2.1040 > 142.62.0.108.80: S 79134:79134(0) win 8192 <mss 1460> (DF) (ttl 18, id 16384)
00:50:49.091774 212.209.62.2.1040 > 142.62.0.108.80: S 79134:79134(0) win 8192 <mss 1460> (DF) (ttl 17, id 16384)
...
00:50:49.093137 212.209.62.2.1040 > 142.62.0.108.80: S 79134:79134(0) win 8192 <mss 1460> (DF) [ttl 1] (id 16384)

The above pattern was repeated a total of 4 times with only the ip id changing.

This was followed by this (also repeated 4 times):

00:51:36.515153 212.209.62.2.1170 > 142.62.0.108.8080: S 126571:126571(0) win 8192 <mss 1460> (DF) (ttl 18, id 9986)
00:51:36.515310 212.209.62.2.1170 > 142.62.0.108.8080: S 126571:126571(0) win 8192 <mss 1460> (DF) (ttl 17, id 9986)
...
00:51:36.521579 212.209.62.2.1170 > 142.62.0.108.8080: S 126571:126571(0) win 8192 <mss 1460> (DF) [ttl 1] (id 9986)

and this (repeated 4 times):

00:52:24.638450 212.209.62.2.1248 > 142.62.0.108.3128: S 174756:174756(0) win 8192 <mss 1460> (DF) (ttl 18, id 14851)
00:52:24.638597 212.209.62.2.1248 > 142.62.0.108.3128: S 174756:174756(0) win 8192 <mss 1460> (DF) (ttl 17, id 14851)
...
00:52:24.640191 212.209.62.2.1248 > 142.62.0.108.3128: S 174756:174756(0) win 8192 <mss 1460> (DF) [ttl 1] (id 14851)

Also, TTL analysis shows either the source address is spoofed, or at least that there is initial TTL trickery going on.

Don
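As an added example (not code from either poster), the following Python detector turns the two observations in this exchange into a check that can run over tcpdump output: it parses SYN lines in the one-line format quoted above, groups packets that share source, destination, ports, sequence number and IP id, and flags a group whose TTLs fall monotonically to 1 inside a single sub-second burst. A real traceroute walks the TTL upward and waits for each reply, so a descending run arriving within a couple of milliseconds is the "TTL trickery" Don noted; when the swept destination ports are all proxy listeners (80, 8080, 3128, the three probed here), the verdict is Chad's, a proxy scan. The sample input is the nine lines visible in the quoted post plus two constructed negative lines; the minimum group size, the proxy port set and the function names are my assumptions.

```python
import re
from collections import OrderedDict

# Destination ports probed in the post. All three are common HTTP proxy
# listeners (80/8080 for HTTP proxies, 3128 for Squid); the set is an
# assumption for this example, extend it to match local policy.
PROXY_PORTS = {80, 8080, 3128}

# tcpdump (3.x era) one-line TCP SYN record as quoted in the post, e.g.
#   00:50:49.091588 212.209.62.2.1040 > 142.62.0.108.80: S 79134:79134(0) win 8192 <mss 1460> (DF) (ttl 18, id 16384)
# The last packet of each run is printed as "(DF) [ttl 1] (id 16384)", so both
# tail forms are accepted.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6})\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+S\s+"
    r"(?P<seq>\d+):\d+\(0\).*?"
    r"(?:\(ttl (?P<ttl1>\d+), id (?P<id1>\d+)\)|\[ttl (?P<ttl2>\d+)\] \(id (?P<id2>\d+)\))\s*$"
)


def parse_line(line):
    """Parse one tcpdump SYN line into a dict; return None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    hh, mm, ss = m.group("ts").split(":")
    ts_us = (int(hh) * 3600 + int(mm) * 60) * 1_000_000 + int(round(float(ss) * 1_000_000))
    return {
        "ts_us": ts_us,
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "seq": int(m.group("seq")),
        "ttl": int(m.group("ttl1") or m.group("ttl2")),
        "ip_id": int(m.group("id1") or m.group("id2")),
    }


def find_ttl_sweeps(lines, min_packets=3):
    """Return groups of identical SYNs whose TTLs descend to 1 (a TTL sweep).

    Identity is the 5-tuple plus TCP seq and IP id: a retransmitted SYN keeps
    its seq but gets a new IP id and the same TTL, so it never forms a sweep.
    """
    groups = OrderedDict()
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["seq"], pkt["ip_id"])
        groups.setdefault(key, []).append(pkt)

    sweeps = []
    for key, pkts in groups.items():
        ttls = [p["ttl"] for p in pkts]
        descending = all(a > b for a, b in zip(ttls, ttls[1:]))
        if len(pkts) >= min_packets and descending and ttls[-1] == 1:
            sweeps.append({
                "src": key[0], "dst": key[2], "dport": key[3], "ip_id": key[5],
                "ttls": ttls,
                # Whole sweep in one burst: a genuine traceroute would be
                # spaced by round-trip times, not microseconds.
                "burst_us": pkts[-1]["ts_us"] - pkts[0]["ts_us"],
            })
    return sweeps


def classify(lines):
    """Summarise the capture: sweeps found, ports swept, and a verdict."""
    sweeps = find_ttl_sweeps(lines)
    ports = sorted({s["dport"] for s in sweeps})
    if not sweeps:
        verdict = "no TTL sweep"
    elif set(ports) <= PROXY_PORTS and len(ports) >= 2:
        verdict = "proxy scan"
    else:
        verdict = "TTL sweep to non-proxy ports"
    return {"sweeps": sweeps, "ports": ports, "verdict": verdict}


# The nine tcpdump lines visible in the quoted post, followed by two
# constructed lines that must not trigger: an ordinary single SYN to port 25
# and an ICMP record that the SYN parser ignores.
SAMPLE_LINES = [
    "00:50:49.091588 212.209.62.2.1040 > 142.62.0.108.80: S 79134:79134(0) win 8192 <mss 1460> (DF) (ttl 18, id 16384)",
    "00:50:49.091774 212.209.62.2.1040 > 142.62.0.108.80: S 79134:79134(0) win 8192 <mss 1460> (DF) (ttl 17, id 16384)",
    "00:50:49.093137 212.209.62.2.1040 > 142.62.0.108.80: S 79134:79134(0) win 8192 <mss 1460> (DF) [ttl 1] (id 16384)",
    "00:51:36.515153 212.209.62.2.1170 > 142.62.0.108.8080: S 126571:126571(0) win 8192 <mss 1460> (DF) (ttl 18, id 9986)",
    "00:51:36.515310 212.209.62.2.1170 > 142.62.0.108.8080: S 126571:126571(0) win 8192 <mss 1460> (DF) (ttl 17, id 9986)",
    "00:51:36.521579 212.209.62.2.1170 > 142.62.0.108.8080: S 126571:126571(0) win 8192 <mss 1460> (DF) [ttl 1] (id 9986)",
    "00:52:24.638450 212.209.62.2.1248 > 142.62.0.108.3128: S 174756:174756(0) win 8192 <mss 1460> (DF) (ttl 18, id 14851)",
    "00:52:24.638597 212.209.62.2.1248 > 142.62.0.108.3128: S 174756:174756(0) win 8192 <mss 1460> (DF) (ttl 17, id 14851)",
    "00:52:24.640191 212.209.62.2.1248 > 142.62.0.108.3128: S 174756:174756(0) win 8192 <mss 1460> (DF) [ttl 1] (id 14851)",
    "00:53:01.000000 10.0.0.5.40000 > 142.62.0.108.25: S 1:1(0) win 8192 <mss 1460> (DF) (ttl 64, id 100)",  # constructed
    "00:53:02.000000 10.0.0.5 > 142.62.0.108: icmp: echo request",  # constructed
]

if __name__ == "__main__":
    report = classify(SAMPLE_LINES)
    for s in report["sweeps"]:
        print(f"{s['src']} -> {s['dst']}:{s['dport']} ttl {s['ttls']} in {s['burst_us']} us")
    print("verdict:", report["verdict"])
```

The grouping key deliberately includes the IP id, so the four repetitions Don describes (same ports, only the id changing) would show up as four separate sweeps per port rather than one long run; a dashboard can then count repeats per port as a second signal.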
Current thread:
- Large DNS scans from 211.53.208.178 alann lopes (Apr 28)
- Re: Large DNS scans from 211.53.208.178 Seth Georgion (Apr 30)
- Re: Large DNS scans from 211.53.208.178 Richard Stevenson (May 02)
- Re: Large DNS scans from 211.53.208.178 Bryan Seitz (Apr 30)
- Strange 33434/UDP traffic from MS W2k with Active Directory Eugene Taylashev (May 01)
- more weird traceroutes Donald McLachlan (May 02)
- Re: more weird traceroutes Chad Thunberg (May 02)
- <Possible follow-ups>
- Re: Large DNS scans from 211.53.208.178 Fernando Cardoso (May 02)
- Re: Large DNS scans from 211.53.208.178 Russell Fulton (May 02)
- Re: Large DNS scans from 211.53.208.178 Ed Padin (May 02)
- Re: Large DNS scans from 211.53.208.178 Keith McCammon (May 03)
- Re: Large DNS scans from 211.53.208.178 David B. Bukowski (May 03)
- Re: Large DNS scans from 211.53.208.178 sigipp () WELLA COM BR (May 03)
- Re: Large DNS scans from 211.53.208.178 Seth Georgion (May 03)
- Re: Large DNS scans from 211.53.208.178 Greg A. Woods (May 08)
- Re: Large DNS scans from 211.53.208.178 Seth Georgion (May 03)
- Re: Large DNS scans from 211.53.208.178 Chen, Dave (May 03)
- Re: Large DNS scans from 211.53.208.178 Igor Gashinsky (May 03)