Security Incidents mailing list archives
Re: DOD Inside
From: Valdis.Kletnieks () vt edu
Date: Sat, 08 Apr 2006 00:08:27 -0400
On Sat, 08 Apr 2006 02:18:40 -0000, mailcentre2 () gmail com said:
My router logs from the 28-03-2006 show a very strange sequence of port attempts.

Tue, 2006-03-28 05:20:52 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Tue, 2006-03-28 11:22:41 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1033 - [DOS]
Tue, 2006-03-28 11:22:41 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Tue, 2006-03-28 17:25:53 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1033 - [DOS]
Tue, 2006-03-28 21:56:20 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1034 - [DOS]
Tue, 2006-03-28 21:56:20 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Tue, 2006-03-28 23:28:43 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Tue, 2006-03-28 23:28:43 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1027 - [DOS]
Wed, 2006-03-29 09:58:11 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Wed, 2006-03-29 11:30:32 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,139 - [DOS]
Wed, 2006-03-29 11:30:32 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1031 - [DOS]
Obviously this is not correct, but strange that the source IP should be masquerading as a DoD IP.
Based on the very low packet rate, my first guess is that somebody is doing an 'nmap idle scan' of your box (and they specified the 'stealth' mode that takes multiple days to do the scan to fly under the wire of most rate-based IDS triggers).
From the nmap man page:
-sI <zombie host[:probeport]> Idlescan: This advanced scan method allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a unique side-channel attack exploits predictable "IP fragmentation ID" sequence generation on the zombie host to glean information about the open ports on the target. IDS systems will display the scan as coming from the zombie machine you specify (which must be up and meet certain criteria). I wrote an informal paper about this technique at http://www.insecure.org/nmap/idlescan.html . Besides being extraordinarily stealthy (due to its blind nature), this scan type permits mapping out IP-based trust relationships between machines. The port listing shows open ports from the perspective of the zombie host. So you can try scanning a target using various zombies that you think might be trusted (via router/packet filter rules). Obviously this is crucial information when prioritizing attack targets. Otherwise, you penetration testers might have to expend considerable resources "owning" an intermediate system, only to find out that its IP isn't even trusted by the target host/network you are ultimately after.
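The reply above rests on two observations a defender can turn into a check: the probes are spread over many hours at a rate far below what a per-second IDS threshold would catch, and the apparent source sits in address space that should never be reaching a home router. The following script is an added example written for this archive page; it is not code from the thread, from Valdis Kletnieks, or from the nmap project. It parses the router log format quoted in the thread (the sample lines are the ones from the original post, embedded as constructed input), aggregates per source address, and flags the slow-scan pattern plus the unexpected source prefix. The watchlist prefix 7.0.0.0/8 is an assumption drawn from the poster calling 7.12.12.16 a DoD IP, and the thresholds in classify() are illustrative values to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample input: the router log lines quoted in the thread, one per line.
SAMPLE_LOG = """\
Tue, 2006-03-28 05:20:52 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Tue, 2006-03-28 11:22:41 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1033 - [DOS]
Tue, 2006-03-28 11:22:41 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Tue, 2006-03-28 17:25:53 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1033 - [DOS]
Tue, 2006-03-28 21:56:20 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1034 - [DOS]
Tue, 2006-03-28 21:56:20 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Tue, 2006-03-28 23:28:43 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Tue, 2006-03-28 23:28:43 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1027 - [DOS]
Wed, 2006-03-29 09:58:11 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Wed, 2006-03-29 11:30:32 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,139 - [DOS]
Wed, 2006-03-29 11:30:32 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1031 - [DOS]
"""

# One regex for the consumer-router log format shown in the thread.
LINE_RE = re.compile(
    r"^(?P<day>\w{3}), (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
    r"(?P<proto>\w+) Packet - Source:(?P<src>[\d.]+),(?P<sport>\d+) "
    r"Destination:(?P<dst>[\w.]+),(?P<dport>\d+) - \[(?P<tag>\w+)\]$"
)

# Assumption: prefixes that should never appear as an inbound source at this site.
# 7.0.0.0/8 is listed because the thread identifies 7.12.12.16 as DoD-allocated space.
UNEXPECTED_SOURCES = [ip_network("7.0.0.0/8")]


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "proto": m["proto"],
            "src": m["src"],
            "sport": int(m["sport"]),
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "tag": m["tag"],
        })
    return events


def summarize_sources(events):
    """Per source IP: packet count, distinct target ports, time span and largest gap."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    summary = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        times = [e["time"] for e in evs]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[src] = {
            "packets": len(evs),
            "distinct_dports": len({e["dport"] for e in evs}),
            "same_sport": len({e["sport"] for e in evs}) == 1,
            "span_hours": round((times[-1] - times[0]).total_seconds() / 3600, 2),
            "max_gap_s": max(gaps) if gaps else 0,
            "on_watchlist": any(ip_address(src) in n for n in UNEXPECTED_SOURCES),
        }
    return summary


def classify(stats, min_ports=4, min_span_hours=6, min_max_gap_s=3600):
    """Flag a low-rate probe: several target ports from one source, spread over hours,
    with gaps long enough to stay under any per-second rate trigger. Thresholds are
    illustrative assumptions, not values from the thread."""
    flags = []
    if (stats["distinct_dports"] >= min_ports
            and stats["span_hours"] >= min_span_hours
            and stats["max_gap_s"] >= min_max_gap_s):
        flags.append("slow-scan-candidate")
    if stats["on_watchlist"]:
        flags.append("unexpected-source-prefix")
    if stats["same_sport"] and stats["packets"] > 1:
        flags.append("fixed-source-port")
    return flags


def analyze(text):
    """Full pipeline: returns {source_ip: (stats, flags)}."""
    return {src: (stats, classify(stats))
            for src, stats in summarize_sources(parse_log(text)).items()}


if __name__ == "__main__":
    for src, (stats, flags) in analyze(SAMPLE_LOG).items():
        print(src, stats, flags)
```

Because the aggregation keys on the source address and keeps the largest inter-packet gap, a probe that sends one packet every few hours still accumulates into a single flagged record, which is exactly the pattern a per-second rate threshold misses. The same aggregation applied to a longer log window is the cheap way to spot any "zombie" source that nmap's idle scan, as described in the man page excerpt above, would make appear in the logs.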