Security Incidents mailing list archives

Re: Very Strange Attack


From: "Benninghoff, John" <JaBenninghoff () DAINRAUSCHER COM>
Date: Wed, 7 Feb 2001 16:24:23 -0600

I believe this question has been posted to the list before, and it appears
that it is the result of a corrupt network device (possibly a Nortel CVX)
that removes the entire TCP header, but leaves the TCP data intact.

The first 4 bytes of the data portion in hex are 47 45 54 20 = "GET ".
However, these 4 bytes are where the TCP source and destination port should
be, so they get interpreted as TCP source port 4745 = 18245, dest port 5420
= 21536.

My network logs show a client connecting to our website, sending a corrupt
packet with the TCP header "missing", with "GET " 18245 > 21536. The next
packet they send is a proper request "GET" directed at tcp port 80 of our
web server. I'd expect you'd see something similar.

-----Original Message-----
From: Mendoza, Luis [mailto:luis.mendoza () ATTLA COM]
Sent: Wednesday, February 07, 2001 9:23 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Very Strange Attack
Importance: High


Hi everybody,

I have received this traffic from the Internet; in all cases the destination
port is not well-known but is the same (TCP:21536), and the source port
likewise (TCP:18245).

Is this traffic associated with some kind of attack or anything else?

Thanks

Luis Mendoza

Feb  3 15:11:58 66.50.24.49:18245 -> a.b.c.44:21536 VECNA *******U
Feb  3 15:12:02 66.50.24.49:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS
Feb  3 15:12:02 66.50.24.49:18245 -> a.b.c.44:21536 VECNA 2****P*U RESERVEDBITS
Feb  3 15:12:02 66.50.24.49:18245 -> a.b.c.44:21536 XMAS 2**F*P*U RESERVEDBITS
Feb  3 15:12:05 66.50.24.49:18245 -> a.b.c.44:21536 INVALIDACK 2***R*AU RESERVEDBITS

Feb  3 18:44:15 63.91.226.239:18245 -> a.b.c.44:21536 VECNA *******U
Feb  3 18:44:19 63.91.226.239:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS
Feb  3 18:44:19 63.91.226.239:18245 -> a.b.c.44:21536 VECNA 2****P*U RESERVEDBITS
Feb  3 18:44:19 63.91.226.239:18245 -> a.b.c.44:21536 XMAS 2**F*P*U RESERVEDBITS
Feb  3 18:44:22 63.91.226.239:18245 -> a.b.c.44:21536 INVALIDACK 2***R*AU RESERVEDBITS
Feb  3 18:44:26 63.91.226.239:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS

Feb  3 21:37:07 63.91.227.90:18245 -> a.b.c.44:21536 VECNA *******U
Feb  3 21:37:11 63.91.227.90:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS
Feb  3 21:37:11 63.91.227.90:18245 -> a.b.c.44:21536 VECNA 2****P*U RESERVEDBITS
Feb  3 21:37:11 63.91.227.90:18245 -> a.b.c.44:21536 XMAS 2**F*P*U RESERVEDBITS
Feb  3 21:37:14 63.91.227.90:18245 -> a.b.c.44:21536 INVALIDACK 2***R*AU RESERVEDBITS
Feb  3 21:37:18 63.91.227.90:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS

Feb  4 22:06:13 66.50.25.19:18245 -> a.b.c.44:21536 VECNA *******U
Feb  4 22:06:16 66.50.25.19:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U RESERVEDBITS
Feb  4 22:06:16 66.50.25.19:18245 -> a.b.c.44:21536 VECNA 2****P*U RESERVEDBITS
Feb  4 22:06:16 66.50.25.19:18245 -> a.b.c.44:21536 XMAS 2**F*P*U RESERVEDBITS
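The decoding John describes (the first four payload bytes "GET " read as source port 18245 and destination port 21536 once the TCP header is gone) can be checked directly, and the same reasoning extends to the other HTTP methods, which this added example does. It is not code from either poster: it builds a minimal TCP segment, drops the 20-byte header the way the suspected device does, reads the ports out of what remains, and then runs a small parser over log lines in the format of Luis's post to flag entries whose port pair spells an HTTP method. The parser also rejoins the "RESERVEDBITS" continuation lines that mail wrapping produced. The sample log lines and the 198.51.100.7 / 203.0.113.9 addresses are constructed for this example, and the regex assumes the single-line layout shown in the post.

```python
"""Decode the 18245 -> 21536 'port scan' as an HTTP request whose TCP header was stripped."""
import re
import struct

# Any HTTP request begins with its method. If the 20-byte TCP header is dropped, payload
# bytes 0-1 and 2-3 land exactly where the source and destination ports would be read.
HTTP_METHODS = ("GET ", "POST", "HEAD", "PUT ")


def payload_as_ports(payload: bytes):
    """Read the first four bytes as big-endian TCP source and destination ports."""
    return struct.unpack("!HH", payload[:4])


# Port pairs a header-less request produces, e.g. "GET " -> (18245, 21536), "POST" -> (20559, 21332).
PORT_PAIR_TO_METHOD = {payload_as_ports(m.encode("ascii")): m.strip() for m in HTTP_METHODS}


def build_segment(sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal TCP header (ports, seq, ack, data offset 5, PSH|ACK, window, csum, urg) + payload."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return hdr + payload


def strip_tcp_header(segment: bytes, header_len: int = 20) -> bytes:
    """Simulate the faulty device: remove the TCP header, leave the TCP data intact."""
    return segment[header_len:]


# One entry in the posted log format; the trailing token (RESERVEDBITS) is optional.
LOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"(?P<scan>\S+) (?P<flags>\S+)(?: (?P<extra>\S+))?$"
)


def unwrap(text: str):
    """Rejoin entries that a mail client wrapped: a line without a timestamp continues the previous one."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if LOG_LINE.match(line) or not lines:
            lines.append(line)
        else:
            lines[-1] += " " + line
    return lines


def classify(line: str):
    """Parse one entry; 'method' is the HTTP method the port pair spells, or None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    pair = (int(m["sport"]), int(m["dport"]))
    return {
        "src": m["src"], "dst": m["dst"], "ports": pair, "scan": m["scan"],
        "method": PORT_PAIR_TO_METHOD.get(pair),
    }


# Constructed sample in the posted format (documentation-range addresses, not the posters' data).
SAMPLE_LOG = """\
Feb  3 15:11:58 198.51.100.7:18245 -> a.b.c.44:21536 VECNA *******U
Feb  3 15:12:02 198.51.100.7:18245 -> a.b.c.44:21536 NOACK 2*SFRP*U
RESERVEDBITS
Feb  3 15:12:05 203.0.113.9:20559 -> a.b.c.44:21332 XMAS 2**F*P*U
RESERVEDBITS
Feb  3 15:13:00 203.0.113.9:1337 -> a.b.c.44:22 SYN ******S*
"""


def headerless_http(log_text: str):
    """Return (source, method) for each entry whose port pair is really the start of an HTTP request."""
    hits = []
    for line in unwrap(log_text):
        entry = classify(line)
        if entry and entry["method"]:
            hits.append((entry["src"], entry["method"]))
    return hits


if __name__ == "__main__":
    seg = build_segment(1025, 80, b"GET / HTTP/1.0\r\n\r\n")
    print(payload_as_ports(seg))                      # (1025, 80): the real header
    print(payload_as_ports(strip_tcp_header(seg)))    # (18245, 21536): "GET " read as ports
    print(headerless_http(SAMPLE_LOG))
```

A hit from this check is not proof on its own: the confirming evidence John cites is the proper GET to port 80 from the same client moments later, so correlate the flagged source with the web server's access log for that window before dismissing the entries.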

