Security Incidents mailing list archives
Re: Very Strange Attack
From: "Benninghoff, John" <JaBenninghoff () DAINRAUSCHER COM>
Date: Wed, 7 Feb 2001 16:24:23 -0600
I believe this question has been posted to the list before, and it appears that it is the result of a corrupt network device (possibly a Nortel CVX) that removes the entire TCP header, but leaves the TCP data intact. The first 4 bytes of the data portion in hex are 47 45 54 20 = "GET ". However, these 4 bytes are where the TCP source and destination port should be, so they get interpreted as TCP source port 4745 = 18245, dest port 5420 = 21536.

My network logs show a client connecting to our website, sending a corrupt packet with the TCP header "missing", with "GET " 18245 > 21536. The next packet they send is a proper request "GET" directed at TCP port 80 of our web server. I'd expect you'd see something similar.

-----Original Message-----
From: Mendoza, Luis [mailto:luis.mendoza () ATTLA COM]
Sent: Wednesday, February 07, 2001 9:23 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Very Strange Attack
Importance: High

Hi everybody,

I had received this traffic from Internet. In all cases the destination ports are not well-known but are the same (TCP:21536), and the source port idem (TCP:18245). Is this traffic associated with some kind of attack or anything else?

Thanks
Luis Mendoza

Feb 3 15:11:58 66.50.24.49:18245 -> a.b.c.44:21536 VECNA *******U
Feb 3 15:12:02 66.50.24.49:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS
Feb 3 15:12:02 66.50.24.49:18245 -> a.b.c.44:21536 VECNA 2****P*U RESERVEDBITS
Feb 3 15:12:02 66.50.24.49:18245 -> a.b.c.44:21536 XMAS 2**F*P*U RESERVEDBITS
Feb 3 15:12:05 66.50.24.49:18245 -> a.b.c.44:21536 INVALIDACK 2***R*AU RESERVEDBITS
Feb 3 18:44:15 63.91.226.239:18245 -> a.b.c.44:21536 VECNA *******U
Feb 3 18:44:19 63.91.226.239:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS
Feb 3 18:44:19 63.91.226.239:18245 -> a.b.c.44:21536 VECNA 2****P*U RESERVEDBITS
Feb 3 18:44:19 63.91.226.239:18245 -> a.b.c.44:21536 XMAS 2**F*P*U RESERVEDBITS
Feb 3 18:44:22 63.91.226.239:18245 -> a.b.c.44:21536 INVALIDACK 2***R*AU RESERVEDBITS
Feb 3 18:44:26 63.91.226.239:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS
Feb 3 21:37:07 63.91.227.90:18245 -> a.b.c.44:21536 VECNA *******U
Feb 3 21:37:11 63.91.227.90:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS
Feb 3 21:37:11 63.91.227.90:18245 -> a.b.c.44:21536 VECNA 2****P*U RESERVEDBITS
Feb 3 21:37:11 63.91.227.90:18245 -> a.b.c.44:21536 XMAS 2**F*P*U RESERVEDBITS
Feb 3 21:37:14 63.91.227.90:18245 -> a.b.c.44:21536 INVALIDACK 2***R*AU RESERVEDBITS
Feb 3 21:37:18 63.91.227.90:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS
Feb 4 22:06:13 66.50.25.19:18245 -> a.b.c.44:21536 VECNA *******U
Feb 4 22:06:16 66.50.25.19:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS
Feb 4 22:06:16 66.50.25.19:18245 -> a.b.c.44:21536 VECNA 2****P*U RESERVEDBITS
Feb 4 22:06:16 66.50.25.19:18245 -> a.b.c.44:21536 XMAS 2**F*P*U RESERVEDBITS
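The decoding John describes can be checked mechanically. The following Python is an added example, not part of the thread: it takes a constructed HTTP request whose TCP header has been stripped, parses the first 20 bytes of the request text as if they were a TCP header, and shows why an IDS reports source port 18245, destination port 21536, an invalid data offset, set reserved bits and a nonsense flag combination. The request text, the flag names and the helper names are assumptions for illustration; the 18245/21536 values come from the list posts.

```python
import string
import struct

# TCP flag bits in the 13th header byte (bit 7 down to bit 0).
FLAG_BITS = [
    (0x80, "CWR"), (0x40, "ECE"), (0x20, "URG"), (0x10, "ACK"),
    (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN"),
]

# Constructed sample: the payload of a web request as it would reach the
# wire if the TCP header in front of it had been removed entirely.
STRIPPED_REQUEST = b"GET /index.html HTTP/1.0\r\nHost: example.com\r\n\r\n"


def decode_as_tcp_header(segment: bytes) -> dict:
    """Interpret the first 20 bytes of `segment` as a fixed-size TCP header.

    This is exactly what a packet decoder does when the real header is gone:
    the bytes of "GET /index.html ..." land in the port, sequence, offset and
    flag fields.
    """
    if len(segment) < 20:
        raise ValueError("need at least 20 bytes to decode a TCP header")
    src, dst, seq, ack, off_res, flags, win, csum, urg = struct.unpack(
        "!HHIIBBHHH", segment[:20]
    )
    return {
        "src_port": src,
        "dst_port": dst,
        "seq": seq,
        "ack": ack,
        # Upper nibble is the header length in 32-bit words; 5 is the minimum.
        "data_offset": off_res >> 4,
        # Lower nibble holds the reserved bits, which must be zero.
        "reserved": off_res & 0x0F,
        "flags": [name for bit, name in FLAG_BITS if flags & bit],
        "window": win,
        "urgent_ptr": urg,
    }


def port_pair_as_ascii(src_port: int, dst_port: int) -> str:
    """Re-encode a source/destination port pair as the 4 bytes they came from."""
    return struct.pack("!HH", src_port, dst_port).decode("latin-1")


def looks_like_headerless_http(decoded: dict) -> bool:
    """Triage rule: does this 'TCP header' actually spell an HTTP method?

    A genuine header has a data offset of 5..15 and zero reserved bits; a
    stripped request fails both and its ports decode to printable text such
    as 'GET ' or 'POST'. All three signals together point at a broken device
    on the path rather than at a scan.
    """
    text = port_pair_as_ascii(decoded["src_port"], decoded["dst_port"])
    printable = all(c in string.printable for c in text)
    method_prefix = text in ("GET ", "POST", "HEAD")
    invalid_offset = decoded["data_offset"] < 5
    return printable and method_prefix and (invalid_offset or decoded["reserved"] != 0)


def triage_port_pairs(pairs):
    """Return the ASCII reading for each (src, dst) port pair seen in IDS logs."""
    return {pair: port_pair_as_ascii(*pair) for pair in pairs}


if __name__ == "__main__":
    d = decode_as_tcp_header(STRIPPED_REQUEST)
    print(f"{d['src_port']} -> {d['dst_port']} "
          f"({port_pair_as_ascii(d['src_port'], d['dst_port'])!r})")
    print("data offset:", d["data_offset"], "reserved:", d["reserved"],
          "flags:", d["flags"])
    print("headerless HTTP?", looks_like_headerless_http(d))
    print(triage_port_pairs([(18245, 21536), (1025, 80)]))
```

For the sample request the decoder reports ports 18245 and 21536, a data offset of 7 with reserved bits set (the byte is the letter "t" from "index.html"), and the flag set ECE/URG/PSH/RST/FIN (the letter "m"), which is the kind of impossible combination the posted log labels XMAS, NOACK or RESERVEDBITS. The port pair alone is the cheapest check: any pair whose big-endian bytes spell an HTTP method is far more likely to be a mangled web request than a scan.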
Current thread:
- Very Strange Attack Mendoza, Luis (Feb 07)
- Re: Very Strange Attack Osvaldo J. Filho (Feb 07)
- Re: Very Strange Attack Fernando Cardoso (Feb 07)
- Re: Very Strange Attack Osvaldo J. Filho (Feb 07)
- Re: Very Strange Attack Fernando Cardoso (Feb 07)
- <Possible follow-ups>
- Re: Very Strange Attack Benninghoff, John (Feb 07)
- Re: Very Strange Attack Fulton L. Preston Jr. (Feb 07)
- Re: Very Strange Attack Fulton L. Preston Jr. (Feb 09)
- Re: Very Strange Attack Mendoza, Luis (Feb 10)
- Re: Very Strange Attack Osvaldo J. Filho (Feb 07)