Security Incidents mailing list archives
Re: more weird traceroutes
From: securityguru () HOTMAIL COM (Security Guru)
Date: Sat, 6 May 2000 07:53:35 CDT
Normally, you don't see decreasing TTLs in a scan for proxies. I think the original assessment is correct - a traceroute disguised as a proxy scan. The other clue is that the target address is constant. Typically I see about 2-4 packets per target on a scan.
From: Chad Thunberg <chadth () OBFUSTECH COM>
Reply-To: Chad Thunberg <chadth () OBFUSTECH COM>
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: more weird traceroutes
Date: Tue, 2 May 2000 15:09:17 -0700

these aren't traceroutes, they are scans for proxies.

-Chad

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On Behalf Of Donald McLachlan
Sent: Tuesday, May 02, 2000 6:51 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: more weird traceroutes

How about this. A traceroute (sort of) masquerading as RingZero!

It started with this:

00:50:49.091588 212.209.62.2.1040 > 142.62.0.108.80: S 79134:79134(0) win 8192 <mss 1460> (DF) (ttl 18, id 16384)
00:50:49.091774 212.209.62.2.1040 > 142.62.0.108.80: S 79134:79134(0) win 8192 <mss 1460> (DF) (ttl 17, id 16384)
...
00:50:49.093137 212.209.62.2.1040 > 142.62.0.108.80: S 79134:79134(0) win 8192 <mss 1460> (DF) [ttl 1] (id 16384)

The above pattern was repeated a total of 4 times with only the ip id changing.

This was followed by this (also repeated 4 times):

00:51:36.515153 212.209.62.2.1170 > 142.62.0.108.8080: S 126571:126571(0) win 8192 <mss 1460> (DF) (ttl 18, id 9986)
00:51:36.515310 212.209.62.2.1170 > 142.62.0.108.8080: S 126571:126571(0) win 8192 <mss 1460> (DF) (ttl 17, id 9986)
...
00:51:36.521579 212.209.62.2.1170 > 142.62.0.108.8080: S 126571:126571(0) win 8192 <mss 1460> (DF) [ttl 1] (id 9986)

and this (repeated 4 times):

00:52:24.638450 212.209.62.2.1248 > 142.62.0.108.3128: S 174756:174756(0) win 8192 <mss 1460> (DF) (ttl 18, id 14851)
00:52:24.638597 212.209.62.2.1248 > 142.62.0.108.3128: S 174756:174756(0) win 8192 <mss 1460> (DF) (ttl 17, id 14851)
...
00:52:24.640191 212.209.62.2.1248 > 142.62.0.108.3128: S 174756:174756(0) win 8192 <mss 1460> (DF) [ttl 1] (id 14851)

Also, TTL analysis shows either the source address is spoofed, or at least that there is initial TTL trickery going on.

Don
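A defender-side check for the pattern Don and Security Guru are describing, added here as an example and not taken from the thread: it parses tcpdump-style SYN lines from a constructed sample (illustrative addresses, not the original capture) and flags a flow as a TTL sweep when the SYNs to one target port are identical except for a TTL that steps down to 1, which a real proxy scan (a few retransmitted SYNs with a constant TTL) does not produce. The function names and the sample are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample in the tcpdump style quoted in the thread (illustrative addresses and values).
SAMPLE = """\
00:50:49.091588 10.0.0.2.1040 > 192.0.2.108.80: S 79134:79134(0) win 8192 <mss 1460> (DF) (ttl 18, id 16384)
00:50:49.091774 10.0.0.2.1040 > 192.0.2.108.80: S 79134:79134(0) win 8192 <mss 1460> (DF) (ttl 17, id 16384)
00:50:49.092900 10.0.0.2.1040 > 192.0.2.108.80: S 79134:79134(0) win 8192 <mss 1460> (DF) (ttl 2, id 16384)
00:50:49.093137 10.0.0.2.1040 > 192.0.2.108.80: S 79134:79134(0) win 8192 <mss 1460> (DF) [ttl 1] (id 16384)
00:52:24.638450 10.0.0.2.1248 > 192.0.2.108.3128: S 174756:174756(0) win 8192 <mss 1460> (DF) (ttl 18, id 14851)
00:52:24.638597 10.0.0.2.1248 > 192.0.2.108.3128: S 174756:174756(0) win 8192 <mss 1460> (DF) (ttl 17, id 14851)
00:52:24.640191 10.0.0.2.1248 > 192.0.2.108.3128: S 174756:174756(0) win 8192 <mss 1460> (DF) [ttl 1] (id 14851)
00:59:01.000000 10.0.0.9.2001 > 192.0.2.108.8080: S 555:555(0) win 8192 <mss 1460> (DF) (ttl 116, id 4)
00:59:04.000000 10.0.0.9.2001 > 192.0.2.108.8080: S 555:555(0) win 8192 <mss 1460> (DF) (ttl 116, id 5)
"""
# One regex covers both tcpdump spellings: "(ttl 18, id 16384)" and "[ttl 1] (id 16384)".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): S "
    r"(?P<seq>\d+):\d+\(0\).*?ttl (?P<ttl>\d+).*?\bid (?P<id>\d+)")
INT_FIELDS = ("sport", "dport", "seq", "ttl", "id")

def parse(text):
    """Return one dict per SYN line; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            pkts.append({k: int(v) if k in INT_FIELDS else v for k, v in m.groupdict().items()})
    return pkts

def classify(pkts, min_hops=3):
    """Per (src, sport, dst, dport) flow: 'ttl-sweep' when the SYNs share seq and IP id
    but the TTL steps down to 1; retransmitted scan SYNs keep a constant TTL ('plain-syn')."""
    flows = defaultdict(list)
    for p in pkts:
        flows[(p["src"], p["sport"], p["dst"], p["dport"])].append(p)
    verdicts = {}
    for key, ps in flows.items():
        ttls = [p["ttl"] for p in ps]
        stepping_down = all(a > b for a, b in zip(ttls, ttls[1:])) and ttls[-1] == 1
        identical = len({(p["seq"], p["id"]) for p in ps}) == 1
        verdicts[key] = "ttl-sweep" if len(ps) >= min_hops and stepping_down and identical else "plain-syn"
    return verdicts

def swept_ports(pkts):
    """Map each source address to the destination ports it traced with a TTL sweep."""
    out = defaultdict(set)
    for (src, _sport, _dst, dport), verdict in classify(pkts).items():
        if verdict == "ttl-sweep":
            out[src].add(dport)
    return {src: sorted(ports) for src, ports in out.items()}
```

Run against a real tcpdump text dump, a source that sweeps the same target on 80, 8080 and 3128 with a constant IP id per sweep is the thread's disguised traceroute, while a source with only `plain-syn` flows is an ordinary proxy probe.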