Security Incidents mailing list archives

RE: Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log file...)


From: Andy Streule <andy.streule () lythamhigh lancs sch uk>
Date: Fri, 20 Jun 2003 11:39:39 +0100

According to

http://www.eweek.com/article2/0,3959,1132268,00.asp

the packets are being generated by a distributed network mapping tool called
Stumbler.

"Researchers at Internet Security Systems Inc. say the culprit, which was
first thought to be a new breed of Trojan, is actually a distributed network
mapping tool that also acts as a listening agent. Dubbed Stumbler, the agent
is not considered malicious right now because it contains no payload, but it
has the potential to generate enough IP traffic to hamper network
performance."

"Stumbler scans random ports on random machines, each time sending an
initial SYN packet. One of the few identifiable characteristics of the
program is a window size of 55808 on each of the packets it transmits. It
also spoofs the originating IP address on all of the packets, making them
look as if they're coming from machines in unallocated name space. The
window size led some to speculate that the malware was related to the Randex
IRC bot, but experts now say the TCP window size is coincidental."

~browolf
www.security-forums.com
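
Added example, not part of the original message or the quoted article: a detection check for the one characteristic the article names, an initial TCP SYN with a window size of 55808, run over constructed raw IPv4 packets. The function names, the sample addresses (documentation ranges) and the caller-supplied `unallocated` list are assumptions made for illustration.

```python
import ipaddress
import struct

STUMBLER_WINDOW = 55808  # TCP window size named in the quoted article
SYN, ACK = 0x02, 0x10

def parse_ipv4_tcp(packet):
    """Return (src, dst, dport, flags, window), or None if not a parseable IPv4/TCP packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    ihl = (packet[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if ihl < 20 or frag_offset or len(packet) < ihl + 16:
        return None  # bad header, non-first fragment, or truncated TCP header
    _sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", packet[ihl:ihl + 16])
    src, dst = ipaddress.IPv4Address(packet[12:16]), ipaddress.IPv4Address(packet[16:20])
    return src, dst, dport, off_flags & 0x3F, window

def match_signature(packet, unallocated=()):
    """Flag an initial SYN (SYN set, ACK clear) whose window is 55808."""
    parsed = parse_ipv4_tcp(packet)
    if parsed is None:
        return None
    src, dst, dport, flags, window = parsed
    if (flags & (SYN | ACK)) != SYN or window != STUMBLER_WINDOW:
        return None
    # `unallocated` is caller-supplied (assumption): this code ships no allocation list.
    in_unallocated = any(src in ipaddress.ip_network(net) for net in unallocated)
    return {"src": str(src), "dst": str(dst), "dport": dport, "src_unallocated": in_unallocated}

def build_packet(src, dst, dport, flags, window):
    """Constructed sample input: bare 20-byte IPv4 + 20-byte TCP headers, checksums zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIHHHH", 40000, dport, 1, 0, (5 << 12) | flags, window, 0, 0)
    return ip + tcp

# Constructed packets; addresses are documentation ranges standing in for real traffic.
SAMPLES = [
    build_packet("198.51.100.7", "192.0.2.10", 4662, SYN, 55808),        # matches
    build_packet("198.51.100.8", "192.0.2.10", 80, SYN, 65535),          # ordinary SYN
    build_packet("192.0.2.10", "198.51.100.7", 4662, SYN | ACK, 55808),  # reply, not initial SYN
    build_packet("198.51.100.9", "192.0.2.10", 22, SYN, 55808)[:30],     # truncated capture
]

def scan(packets, unallocated=()):
    return [hit for hit in (match_signature(p, unallocated) for p in packets) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLES, unallocated=["198.51.100.0/24"]):
        print(hit)
```

Because the article describes the source addresses as spoofed, a hit identifies the probe traffic rather than the sending host.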