Security Incidents mailing list archives

port 17300 probe fingerprint analysis


From: "Royans Tharakan" <RTharakan () ingenuity com>
Date: Mon, 17 Feb 2003 20:00:31 -0800

We have all been looking for activity on 17300. I have a honeypot running on this port
which promptly ACKed back on that port. The probe promptly returned within 10 seconds 
with a second probe.

It's common to get RSTs back from the attacking host, which we in the intrusion 
community have been dismissing as responses from a spoofed address. However, I did have
a second TCP probe from the same server, which throws that idea away.

It's normal for most OSes to send an RST on a SYN-ACK which was not initiated by it 
(or if the SYN is crafted by a tool running on it), so I was tempted to say that the 
RST here was generated by the source host after I sent the SYN-ACK of the first 
packet. But the fingerprint of the second probe doesn't match the RST of the first 
probe, leading me to believe that this was either generated by its firewall, or 
by the tool itself to force our logs to believe that this was a reply from a spoofed 
address. 

There are significant fingerprinting differences between the first probe and the second probe. 
It's easy to figure out that the first probe is actually crafted, but the difference between the
first and second packet of the first probe can uniquely fingerprint this tool anywhere else
on the internet. The TTL differs by 11 hops... and I'm tempted to bet that this could be a bug in
this attacking tool.

BTW, can someone tell me the importance of "Window Scale=0" ?

Here is some more info... and the packet dump itself.

1. TTL changes from 113 to 244 between a SYN and an RST in the first probe
2. IP ID is very different between the SYN and RST of the first probe.
3. However, the IP ID is sequential in the second probe
4. The remote site ACKs my SYN-ACK and waits for reply from the victim host.
5. Fingerprint of first probe 
        Window size of the first packet is 0xC23C
        TTL 113,244 (+11 is the hops I counted to that system) = 124,255
        IPID is random (or 2 different systems, or crafted)
6. Fingerprints of second probe
        window size of the second packet is 0x7D78
        TTL 53 (11 is the hops I counted to that system) = 64
        SACKOK
        TS 317697848
        WS 0 

-----Original Message-----


---------------
01:58:53.790082 204.42.204.151.17300 > 24.219.XX.XX.17300: S [tcp sum ok] 490674844:490674844(0) win 49724 (ttl 113, id 
21549, len 40)
                 4500 0028 542d 0000 7106 39ae cc2a cc97
                 18db XXXX 4394 4394 1d3f 1a9c 0da5 8c9f
                 5002 c23c d868 0000 0000 0000 0000
01:58:53.798301 24.219.XX.XX.17300 > 204.42.204.151.17300: S [tcp sum ok] 0:0(0) ack 490674845 win 65535 (DF) [tos 
0x10]  (ttl 64, id 0, len 40)
                 4510 0028 0000 4000 4006 7ecb 18db XXXX
                 cc2a cc97 4394 4394 0000 0000 1d3f 1a9d
                 5012 ffff 34d9 0000
01:58:53.908607 204.42.204.151.17300 > 24.219.XX.XX.17300: R [tcp sum ok] 490674845:490674845(0) win 0 (ttl 244, id 
48833, len 40)
                 4500 0028 bec1 0000 f406 4c19 cc2a cc97
                 18db XXXX 4394 4394 1d3f 1a9d 0000 0000
                 5004 0000 34e7 0000 0000 0000 0000
01:59:04.012423 204.42.204.151.2195 > 24.219.XX.XX.17300: S [tcp sum ok] 31094744:31094744(0) win 32120 <mss 
1460,sackOK,timestamp 317697848 0,nop,wscale 0> (DF) (ttl 53, id 49933, len 60)
                 4500 003c c30d 4000 3506 c6b9 cc2a cc97
                 18db XXXX 0893 4394 01da 77d8 0000 0000
                 a002 7d78 8698 0000 0204 05b4 0402 080a
                 12ef af38 0000 0000 0103 0300
01:59:04.019866 24.219.XX.XX.17300 > 204.42.204.151.2195: S [tcp sum ok] 0:0(0) ack 31094745 win 65535 (DF) [tos 0x10]  
(ttl 64, id 0, len 40)
                 4510 0028 0000 4000 4006 7ecb 18db XXXX
                 cc2a cc97 4394 0893 0000 0000 01da 77d9
                 5012 ffff 2e03 0000
01:59:04.145460 204.42.204.151.2195 > 24.219.XX.XX.17300: . [tcp sum ok] 31094745:31094745(0) ack 1 win 32120 (DF) (ttl 
53, id 49945, len 40)
                 4500 0028 c319 4000 3506 c6c1 cc2a cc97
                 18db XXXX 0893 4394 01da 77d9 0000 0001
                 5010 7d78 b08b 0000 0000 0000 0000
01:59:04.145596 24.219.XX.XX.17300 > 204.42.204.151.2195: R [tcp sum ok] 1:1(0) win 0 (DF) (ttl 64, id 0, len 40)
                 4500 0028 0000 4000 4006 7edb 18db XXXX
                 cc2a cc97 4394 0893 0000 0001 0000 0000
                 5004 0000 a7c3 0000
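As an added example (not from the original post), the raw hex dumps above can be decoded mechanically into the fields the post compares: TTL with a p0f-style initial-TTL guess, IP ID, DF, flags, window and TCP options, including the wscale option whose zero shift count the post asks about. It assumes the redacted XXXX address octets are 0000 (a placeholder that only invalidates the checksums).

```python
import struct
# Constructed from the tcpdump hex in the post; the redacted "XXXX" address octets
# are replaced with "0000" (placeholder), which only invalidates the checksums.
PROBE1_SYN = ("4500 0028 542d 0000 7106 39ae cc2a cc97 18db 0000 4394 4394 1d3f 1a9c "
              "0da5 8c9f 5002 c23c d868 0000 0000 0000 0000")
PROBE1_RST = ("4500 0028 bec1 0000 f406 4c19 cc2a cc97 18db 0000 4394 4394 1d3f 1a9d "
              "0000 0000 5004 0000 34e7 0000 0000 0000 0000")
PROBE2_SYN = ("4500 003c c30d 4000 3506 c6b9 cc2a cc97 18db 0000 0893 4394 01da 77d8 "
              "0000 0000 a002 7d78 8698 0000 0204 05b4 0402 080a 12ef af38 0000 0000 0103 0300")
PROBE2_ACK = ("4500 0028 c319 4000 3506 c6c1 cc2a cc97 18db 0000 0893 4394 01da 77d9 "
              "0000 0001 5010 7d78 b08b 0000 0000 0000 0000")
FLAG_NAMES = {0x02: "SYN", 0x04: "RST", 0x10: "ACK"}

def parse_options(blob):
    """Decode MSS, SACKOK, timestamp and window scale; NOP is skipped, EOL ends."""
    opts, i = {}, 0
    while i < len(blob):
        kind = blob[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length, val = blob[i + 1], blob[i + 2:i + blob[i + 1]]
        if kind == 2:
            opts["mss"] = struct.unpack("!H", val)[0]
        elif kind == 3:
            opts["wscale"] = val[0]  # shift count; 0 = scaling supported, window not multiplied
        elif kind == 4:
            opts["sackok"] = True
        elif kind == 8:
            opts["ts"] = struct.unpack("!II", val)
        i += length
    return opts

def fingerprint(hexdump):
    """Pull the IP/TCP fields the post compares (TTL, IP ID, DF, flags, window, options)."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    ver_ihl, _tos, total_len, ip_id, frag, ttl = struct.unpack("!BBHHHB", raw[:9])
    tcp = raw[(ver_ihl & 0x0F) * 4:total_len]  # drop Ethernet padding past the IP length
    off_flags, win = struct.unpack("!HH", tcp[12:16])
    return {
        "ttl": ttl,
        "initial_ttl": min(t for t in (32, 64, 128, 255) if t >= ttl),  # p0f-style rounding
        "ip_id": ip_id,
        "df": bool(frag & 0x4000),
        "flags": [name for bit, name in FLAG_NAMES.items() if off_flags & bit],
        "win": win,
        "opts": parse_options(tcp[20:(off_flags >> 12) * 4]),
    }
```

Comparing `fingerprint(PROBE1_SYN)` with `fingerprint(PROBE1_RST)` shows the 113/244 TTL and random IP ID split the post describes, while the second probe's SYN and ACK carry DF, sequential IP IDs and the full option set.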


