Security Incidents mailing list archives

Re: more weird traceroutes


From: chadth () OBFUSTECH COM (Chad Thunberg)
Date: Tue, 2 May 2000 15:09:17 -0700


these aren't traceroutes, they are scans for proxies.

-Chad

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
Behalf Of Donald McLachlan
Sent: Tuesday, May 02, 2000 6:51 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: more weird traceroutes

How about this.  A traceroute (sort of) masquerading as RingZero!
It started with this:

00:50:49.091588 212.209.62.2.1040 > 142.62.0.108.80: S 79134:79134(0) win
8192 <mss 1460> (DF) (ttl 18, id 16384)
00:50:49.091774 212.209.62.2.1040 > 142.62.0.108.80: S 79134:79134(0) win
8192 <mss 1460> (DF) (ttl 17, id 16384)
...
00:50:49.093137 212.209.62.2.1040 > 142.62.0.108.80: S 79134:79134(0) win
8192 <mss 1460> (DF) [ttl 1] (id 16384)

The above pattern was repeated a total of 4 times with only the ip id
changing.
This was followed by this (also repeated 4 times):

00:51:36.515153 212.209.62.2.1170 > 142.62.0.108.8080: S 126571:126571(0)
win 8192 <mss 1460> (DF) (ttl 18, id 9986)
00:51:36.515310 212.209.62.2.1170 > 142.62.0.108.8080: S 126571:126571(0)
win 8192 <mss 1460> (DF) (ttl 17, id 9986)
...
00:51:36.521579 212.209.62.2.1170 > 142.62.0.108.8080: S 126571:126571(0)
win 8192 <mss 1460> (DF) [ttl 1] (id 9986)

and this (repeated 4 times):

00:52:24.638450 212.209.62.2.1248 > 142.62.0.108.3128: S 174756:174756(0)
win 8192 <mss 1460> (DF) (ttl 18, id 14851)
00:52:24.638597 212.209.62.2.1248 > 142.62.0.108.3128: S 174756:174756(0)
win 8192 <mss 1460> (DF) (ttl 17, id 14851)
...
00:52:24.640191 212.209.62.2.1248 > 142.62.0.108.3128: S 174756:174756(0)
win 8192 <mss 1460> (DF) [ttl 1] (id 14851)

Also, TTL analysis shows either the source address is spoofed, or at least
that there is initial TTL trickery going on.

Don
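Added example, not from either poster: a small Python parser for the tcpdump lines Don quoted, plus a check that flags the pattern Chad identifies, one SYN per flow repeated with the TTL counting down to 1 under a single IP id, aimed at the proxy ports 80, 8080 and 3128. The regex, the `min_hops` threshold and the control line from 10.0.0.5 are assumptions of this example; the post's "..." elided the intermediate TTLs, so the sample keeps only the hops actually shown.

```python
import re
from collections import defaultdict

# Constructed sample: the SYN lines quoted in the post, each re-joined onto one
# line (the post's "..." elided TTLs 16..2), plus one ordinary SYN as a control.
SAMPLE = """\
00:50:49.091588 212.209.62.2.1040 > 142.62.0.108.80: S 79134:79134(0) win 8192 <mss 1460> (DF) (ttl 18, id 16384)
00:50:49.091774 212.209.62.2.1040 > 142.62.0.108.80: S 79134:79134(0) win 8192 <mss 1460> (DF) (ttl 17, id 16384)
00:50:49.093137 212.209.62.2.1040 > 142.62.0.108.80: S 79134:79134(0) win 8192 <mss 1460> (DF) [ttl 1] (id 16384)
00:51:36.515153 212.209.62.2.1170 > 142.62.0.108.8080: S 126571:126571(0) win 8192 <mss 1460> (DF) (ttl 18, id 9986)
00:51:36.515310 212.209.62.2.1170 > 142.62.0.108.8080: S 126571:126571(0) win 8192 <mss 1460> (DF) (ttl 17, id 9986)
00:51:36.521579 212.209.62.2.1170 > 142.62.0.108.8080: S 126571:126571(0) win 8192 <mss 1460> (DF) [ttl 1] (id 9986)
00:52:24.638450 212.209.62.2.1248 > 142.62.0.108.3128: S 174756:174756(0) win 8192 <mss 1460> (DF) (ttl 18, id 14851)
00:52:24.638597 212.209.62.2.1248 > 142.62.0.108.3128: S 174756:174756(0) win 8192 <mss 1460> (DF) (ttl 17, id 14851)
00:52:24.640191 212.209.62.2.1248 > 142.62.0.108.3128: S 174756:174756(0) win 8192 <mss 1460> (DF) [ttl 1] (id 14851)
01:00:00.000000 10.0.0.5.2049 > 142.62.0.108.25: S 555:555(0) win 8192 <mss 1460> (DF) (ttl 117, id 2222)
"""

# tcpdump of that era prints "(ttl N, id N)" but "[ttl 1] (id N)" on the last hop.
LINE_RE = re.compile(
    r"^\S+ (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"S (?P<seq>\d+):\d+\(\d+\).*?(?:\(ttl (?P<ttl>\d+), id (?P<id>\d+)\)"
    r"|\[ttl (?P<ttl1>\d+)\] \(id (?P<id1>\d+)\))")
PROXY_PORTS = {80, 8080, 3128}  # the three ports probed in the post

def parse(line):
    """Return the fields of one SYN line, or None for anything else."""
    if not (m := LINE_RE.match(line)):
        return None
    return dict(src=m["src"], sport=int(m["sport"]), dst=m["dst"],
                dport=int(m["dport"]), seq=int(m["seq"]),
                ttl=int(m["ttl"] or m["ttl1"]), ipid=int(m["id"] or m["id1"]))

def find_ttl_sweeps(lines, min_hops=3):
    """Group SYNs by flow and sequence number; a group whose TTLs only count
    down to 1 under a single IP id is a traceroute-style sweep, not a normal
    connection attempt.  Each hit notes whether a proxy port was the target."""
    flows = defaultdict(list)
    for p in filter(None, map(parse, lines)):
        flows[(p["src"], p["sport"], p["dst"], p["dport"], p["seq"])].append(p)
    hits = []
    for (src, _, dst, dport, _), pkts in flows.items():
        ttls = [p["ttl"] for p in pkts]
        if (len(pkts) >= min_hops and ttls == sorted(set(ttls), reverse=True)
                and ttls[-1] == 1 and len({p["ipid"] for p in pkts}) == 1):
            hits.append(dict(src=src, dst=dst, dport=dport, start_ttl=ttls[0],
                             ipid=pkts[0]["ipid"], proxy_port=dport in PROXY_PORTS))
    return hits  # on SAMPLE: three hits, ports 80, 8080 and 3128, start TTL 18
```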
