Re: Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log file...)

["Michael H. Warfield" <mhw () wittsend com>]

On Tue, Jun 17, 2003 at 08:06:07PM -0700, Jim Butterworth wrote:
> Has anyone previously posted a verbose packet capture that, in hex, that
> would allow for some analysis?
> r/Jim Butterworth
> SANS GCIA

        There's not a lot to analyze.  It's a basic SYN packet with a
TCP window size of 55808 (0xDA00) and with a TCP Option WSS Window Size
Scaling 2.  Source and destination ports seem pretty much random but
consistent (same port to same address).  I don't know that I've noticed
any below destination port 1024, it may be deliberately avoiding the well
know ports.  Source address seems to be almost always spoofed from
unallocated address space and I'm seeing little or no backscatter
(RST, SYN-ACK, or ICMP UNREACHABLE) which could be attributed to this,
so it's not using any of my addresses for spoofed source addresses.

> -----Original Message-----
> From: Anders Reed Mohn [mailto:anders_rm () utepils com] 
> Sent: Tuesday, June 17, 2003 3:29 AM
> To: incidents () securityfocus com
> Subject: Re: Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log
> file...)
>
> Forgive me if this just ends up in a stupid question, but
> having watched this thread for a while now, it strikes me 
> as odd that noone has been able to trace the origin of any 
> of these packets yet.
> These packets are now widely known (and have been 
> discussed on other lists, in the news etc, as well), and there 
> are quite a few network admins aware of this.
>
> Is it not possible for a few to get together and track down at 
> least _one_ source computer?
>
> It seems to me that you are all putting a awful lot of effort in logging
> and tracking and making statistics.
> This is of course a good thing, but if we want to figure this thing out,
> there's more that need to be done.
>
> I know.. spoofed addresses.. but that
> does not mean we cannot trace packets to a certain extent.
> A shitty job, but unfortunately the only way of going about this, if
> we want to track it down for real.
> Also, it seems from some posters that not all sources are spoofed.
>
> Are you guys talking to your ISP's about this? I am sure the average
> ISP has at least one techhead that would be interested in digging a
> little
> in this, and I am guessing that several ISPs read this list as well.
> I'm not currently working as a network admin, so I'm not in a position
> to do much hunting in logs myself, unfortunately.
>  
> So, what's happenin' dudes? Can we mount a common effort to track 
> this down?
> Any ISP techs reading this, who sees these packets coming out from their
> networks? Do you contact the "offenders"?
>
> Cheers,
> Anders :)
>
> ------------------------------------------------------------------------
> ----
> Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas,
> the 
> world's premier technical IT security event! 10 tracks, 15 training
> sessions, 
> 1,800 delegates from 30 nations including all of the top experts, from
> CSO's to 
> "underground" security specialists.  See for yourself what the buzz is
> about!  
> Early-bird registration ends July 3.  This event will sell out.
> www.blackhat.com
> ------------------------------------------------------------------------
> ----
>
>
>
> ----------------------------------------------------------------------------
> Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
> world's premier technical IT security event! 10 tracks, 15 training sessions, 
> 1,800 delegates from 30 nations including all of the top experts, from CSO's to 
> "underground" security specialists.  See for yourself what the buzz is about!  
> Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
> ----------------------------------------------------------------------------

-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

Attachment: _bin
Description: