Security Incidents mailing list archives

ack 674719802 with a twist


From: Jack Radigan <jprad () DNB COM>
Date: Tue, 14 Nov 2000 14:08:47 -0500

Disclaimer: I'm new at this and this is my first post here.

Okay, the first thing that popped up was an oddly named host in the hourly
SHADOW summary report:
        num dests  source ip         source name

        9          195.70.47.74      something.very.very.screwed.up.at.macroda.hu

When I ran a full-day pattern scan for this host (src or dst) I received 58
events over a 5 hour period.  I've included the first hour's output in this
message below.

From what I've read on the 'Net the synk4 is a SYN flood tool which is the
most likely cause for these ack#'s.  A message posted by Dave Dittrich has
a pretty detailed response about it:

        http://lists.insecure.org/incidents/2000/Apr/0026.html

Dave's comments and snippets of source code got me thinking because of the
randomly generated source port.  So I grabbed a copy of synk4.c from
packetstorm.  From what I can determine, the source port of the attacker
(which becomes the destination port of the spoofed host) is limited to a
range of 1001-2500.  The relevant source code (with line numbers) for this is:
35:     #define getrandom(min, max) ((rand() % (int)(((max)+1) - (min))) + (min))

293:    max = 1500;

303:    srcport = getrandom(1, max)+1000;

Okay, so two observations jive with the code: the ack# 674719802 is in
response to the ISN of 674719801, which is hard-coded into the source code,
and the spoofed destination ports are all within the 1001-2500 range.

Two things still puzzle me though.  First, the TOS field values of 0x40 and
0x60 (only one shown, several more are in the entire set of events)
indicate precedence settings that are supposedly deprecated.  Second, the
code increments the destination port number (the target's source port
number in the RST response) once for every iteration through the
loop.  But, the events received show the attacker's tool to operate in a
mode of 1, 2 or 3 consecutive SYNs (there are two instances of 4
consecutive SYNs in the complete set) with a variable time gap of about 1.5
to close to 3 seconds between each one (assuming that the target sends the
RST response with little or no delay).

Could the TOS values be explained as an artifact of the target's OS?  I'm
not sure about that because of the 0x60 values.  Also, the one shown below
is part of a set of 3 like events; same source port and destination host/port.

Or, are the TOS values, and the consecutive responses, because of slightly
modified code?  Could the attacker be trying to up the SYN flood rate by
resending the same crafted packet more than once?  If so, that 0x60 sticks out.

Finally, I've sent a request off to the contacts listed by geektools'
whois; of course, no response yet.  So, considering the hostname, I suppose
that this could be a legitimate, if noisy, RST scan.

Any ideas?

Thanks.

-jack-

Jack Radigan
Dun & Bradstreet

01:16:35.223382 195.70.47.74.33786 > OUR.NET.3.253.2195: R 0:0(0) ack 674719802 win 0 [tos 0x40] (ttl 242, id 11794)
01:17:29.618985 195.70.47.74.36488 > OUR.NET.22.26.1870: R 0:0(0) ack 674719802 win 0 [tos 0x40] (ttl 242, id 19182)
01:20:13.422772 195.70.47.74.44845 > OUR.NET.183.19.1465: R 0:0(0) ack 674719802 win 0 [tos 0x40] (ttl 242, id 40663)
01:21:20.153278 195.70.47.74.48045 > OUR.NET.252.145.1465: R 0:0(0) ack 674719802 win 0 [tos 0x40] (ttl 242, id 49756)
01:30:21.196537 195.70.47.74.9295 > OUR.NET.115.197.1673: R 0:0(0) ack 674719802 win 0 [tos 0x40] (ttl 242, id 28468)
01:30:23.827116 195.70.47.74.9295 > OUR.NET.115.197.1673: R 0:0(0) ack 674719802 win 0 [tos 0x40] (ttl 242, id 29081)
01:42:06.136831 195.70.47.74.44581 > OUR.NET.14.50.1673: R 0:0(0) ack 674719802 win 0 [tos 0x40] (ttl 242, id 57974)
01:42:07.837302 195.70.47.74.44581 > OUR.NET.14.50.1673: R 0:0(0) ack 674719802 win 0 [tos 0x40] (ttl 242, id 58221)
01:48:27.771469 195.70.47.74.63856 > OUR.NET.229.136.2499: R 0:0(0) ack 674719802 win 0 [tos 0x60] (ttl 242, id 17916)
01:48:29.987828 195.70.47.74.63856 > OUR.NET.229.136.2499: R 0:0(0) ack 674719802 win 0 [tos 0x40] (ttl 242, id 18233)
01:48:32.181124 195.70.47.74.63856 > OUR.NET.229.136.2499: R 0:0(0) ack 674719802 win 0 [tos 0x40] (ttl 242, id 18551)
01:56:38.369848 195.70.47.74.22948 > OUR.NET.83.98.1153: R 0:0(0) ack 674719802 win 0 [tos 0x40] (ttl 242, id 16742)
01:56:39.625948 195.70.47.74.22948 > OUR.NET.83.98.1153: R 0:0(0) ack 674719802 win 0 [tos 0x40] (ttl 242, id 16938)
01:56:57.223610 195.70.47.74.23614 > OUR.NET.196.148.1178: R 0:0(0) ack 674719802 win 0 [tos 0x40] (ttl 242, id 19257)
01:57:00.048868 195.70.47.74.23614 > OUR.NET.196.148.1178: R 0:0(0) ack 674719802 win 0 [tos 0x40] (ttl 242, id 19623)
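As an added example (not part of Jack's post or of synk4), a small Python parser for tcpdump RST lines like those above that flags the backscatter signature the post derives from synk4.c (RST, win 0, ack equal to the hard-coded ISN + 1, our port inside the 1001-2500 range) and reports, per (responder port, our host, our port), how many repeats arrived and the largest gap between them. The sample lines are a constructed subset of the ones quoted in the post, with OUR.NET kept as the post's placeholder.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the RST lines quoted in the post (OUR.NET as in the original).
SAMPLE = """\
01:16:35.223382 195.70.47.74.33786 > OUR.NET.3.253.2195: R 0:0(0) ack 674719802 win 0 [tos 0x40] (ttl 242, id 11794)
01:48:27.771469 195.70.47.74.63856 > OUR.NET.229.136.2499: R 0:0(0) ack 674719802 win 0 [tos 0x60] (ttl 242, id 17916)
01:48:29.987828 195.70.47.74.63856 > OUR.NET.229.136.2499: R 0:0(0) ack 674719802 win 0 [tos 0x40] (ttl 242, id 18233)
01:48:32.181124 195.70.47.74.63856 > OUR.NET.229.136.2499: R 0:0(0) ack 674719802 win 0 [tos 0x40] (ttl 242, id 18551)
01:56:38.369848 195.70.47.74.22948 > OUR.NET.83.98.1153: R 0:0(0) ack 674719802 win 0 [tos 0x40] (ttl 242, id 16742)
"""

SYNK4_ISN = 674719801             # ISN the post identifies as hard-coded in synk4.c
SYNK4_PORTS = range(1001, 2501)   # getrandom(1, 1500) + 1000, per the quoted lines

# tcpdump "R ... ack N win W" line: src.port > dst.port, both ports split off the host.
LINE = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): R \d+:\d+\(\d+\) ack (?P<ack>\d+) win (?P<win>\d+)"
)

def parse(text):
    """Parse tcpdump RST lines into dicts; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%H:%M:%S.%f")
            for k in ("sport", "dport", "ack", "win"):
                d[k] = int(d[k])
            out.append(d)
    return out

def is_synk4_backscatter(pkt):
    """RST with win 0 acknowledging synk4's ISN+1, to a port in synk4's source-port range."""
    return pkt["ack"] == SYNK4_ISN + 1 and pkt["win"] == 0 and pkt["dport"] in SYNK4_PORTS

def repeat_groups(pkts):
    """Per (responder port, our host, our port): (repeat count, largest gap in seconds)."""
    groups = defaultdict(list)
    for p in pkts:
        if is_synk4_backscatter(p):
            groups[(p["sport"], p["dst"], p["dport"])].append(p["ts"])
    summary = {}
    for key, times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[key] = (len(times), max(gaps) if gaps else 0.0)
    return summary
```

Groups with a count above 1 and gaps of a second or more correspond to the repeated responses the post describes; feeding a full day's lines through `repeat_groups` gives the repeat distribution directly.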
