Security Incidents mailing list archives

Re: DOD Inside


From: Valdis.Kletnieks () vt edu
Date: Sat, 08 Apr 2006 00:08:27 -0400

On Sat, 08 Apr 2006 02:18:40 -0000, mailcentre2 () gmail com said:

My router logs from the 28-03-2006 show a very strange sequence of port attempts.

Tue, 2006-03-28 05:20:52 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Tue, 2006-03-28 11:22:41 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1033 - [DOS]
Tue, 2006-03-28 11:22:41 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Tue, 2006-03-28 17:25:53 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1033 - [DOS]
Tue, 2006-03-28 21:56:20 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1034 - [DOS]
Tue, 2006-03-28 21:56:20 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Tue, 2006-03-28 23:28:43 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Tue, 2006-03-28 23:28:43 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1027 - [DOS]
Wed, 2006-03-29 09:58:11 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Wed, 2006-03-29 11:30:32 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,139 - [DOS]
Wed, 2006-03-29 11:30:32 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1031 - [DOS]

Obviously this is not correct, but strange that the source IP should be masquerading as a DoD IP.

Based on the very low packet rate, my first guess is that somebody is doing an
'nmap idle scan' of your box (and they specified the 'stealth' mode that takes
multiple days to do the scan to fly under the wire of most rate-based IDS triggers).

From the nmap man page:

       -sI <zombie host[:probeport]>
              Idlescan: This advanced scan method allows for a truly blind TCP
              port scan of the target (meaning no packets are sent to the
              target from your real IP address). Instead, a unique side-channel
              attack exploits predictable "IP fragmentation ID" sequence
              generation on the zombie host to glean information about the open
              ports on the target. IDS systems will display the scan as coming
              from the zombie machine you specify (which must be up and meet
              certain criteria). I wrote an informal paper about this technique
              at http://www.insecure.org/nmap/idlescan.html .

              Besides being extraordinarily stealthy (due to its blind nature),
              this scan type permits mapping out IP-based trust relationships
              between machines. The port listing shows open ports from the
              perspective of the zombie host. So you can try scanning a target
              using various zombies that you think might be trusted (via
              router/packet filter rules). Obviously this is crucial information
              when prioritizing attack targets. Otherwise, you penetration
              testers might have to expend considerable resources "owning" an
              intermediate system, only to find out that its IP isn't even
              trusted by the target host/network you are ultimately after.
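Editor's note, not part of the thread above: the poster's log shows eleven UDP packets from one source spread over roughly thirty hours, and the reply's point is that such a trickle never trips a rate-based trigger. The Python below parses those exact eleven lines (copied from the post; the masked xx.xx.xx.xx destination is kept as-is) and runs two constructed detection rules over them: a typical rate rule (N packets per source per minute) that stays silent, and a long-window distinct-port rule that fires. The rule thresholds (5 packets / 60 s, 4 ports / 2 days) are illustrative assumptions, not settings from any particular IDS.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The eleven router-log lines from the original post, copied verbatim.
ROUTER_LOG = """\
Tue, 2006-03-28 05:20:52 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Tue, 2006-03-28 11:22:41 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1033 - [DOS]
Tue, 2006-03-28 11:22:41 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Tue, 2006-03-28 17:25:53 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1033 - [DOS]
Tue, 2006-03-28 21:56:20 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1034 - [DOS]
Tue, 2006-03-28 21:56:20 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Tue, 2006-03-28 23:28:43 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Tue, 2006-03-28 23:28:43 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1027 - [DOS]
Wed, 2006-03-29 09:58:11 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Wed, 2006-03-29 11:30:32 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,139 - [DOS]
Wed, 2006-03-29 11:30:32 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1031 - [DOS]
"""

# Format of this particular router's log line, as seen in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}, \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<proto>\w+) Packet - "
    r"Source:(?P<src>[\d.]+),(?P<sport>\d+) "
    r"Destination:(?P<dst>[\w.]+),(?P<dport>\d+) - \[(?P<tag>\w+)\]$"
)


def parse_log(text):
    """Parse router-log text into a time-sorted list of event dicts; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%a, %Y-%m-%d %H:%M:%S"),
            "proto": d["proto"], "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "tag": d["tag"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def per_source_stats(events):
    """Packet count, distinct destination ports, overall span and the largest silent gap per source."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    stats = {}
    for src, evs in by_src.items():
        ts = [e["ts"] for e in evs]
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        stats[src] = {
            "packets": len(evs),
            "distinct_dports": len({e["dport"] for e in evs}),
            "span_seconds": (ts[-1] - ts[0]).total_seconds(),
            "max_gap_seconds": max(gaps) if gaps else 0.0,
        }
    return stats


def rate_rule(events, window=timedelta(seconds=60), threshold=5):
    """Rate-based trigger (assumed thresholds): fires for any source sending >= threshold packets within window."""
    fired = set()
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e["ts"])
    for src, ts in by_src.items():
        ts.sort()
        j = 0
        for i in range(len(ts)):           # sliding window [j, i]
            while ts[i] - ts[j] > window:
                j += 1
            if i - j + 1 >= threshold:
                fired.add(src)
                break
    return fired


def slow_scan_rule(events, window=timedelta(days=2), min_ports=4):
    """Long-window trigger (assumed thresholds): fires for any source touching >= min_ports
    distinct destination ports within window, however slowly it does so."""
    fired = set()
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append((e["ts"], e["dport"]))
    for src, evs in by_src.items():
        evs.sort()
        j = 0
        for i in range(len(evs)):
            while evs[i][0] - evs[j][0] > window:
                j += 1
            if len({p for _, p in evs[j:i + 1]}) >= min_ports:
                fired.add(src)
                break
    return fired


if __name__ == "__main__":
    evs = parse_log(ROUTER_LOG)
    for src, s in per_source_stats(evs).items():
        print(src, s)
    print("rate rule fired for:", rate_rule(evs) or "nobody")
    print("slow-scan rule fired for:", slow_scan_rule(evs) or "nobody")
```

On the posted lines the source never exceeds two packets in any minute, so the rate rule stays quiet, while six distinct destination ports inside a two-day window is enough for the slow-scan rule; the price of the long window is state kept per source for days, which is why rate rules are the common default.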

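Editor's note, not part of the thread above: the man page excerpt describes the idle scan in prose, but the inference it rests on is easier to see in code. The Python below is an added model of the side channel, not nmap's own code: a constructed "zombie" host whose IP identification field steps by one per packet it sends, a constructed target with a set of open ports and an optional source-address filter, and a scanner that (1) probes the zombie to read its current IP ID, (2) sends the target a SYN whose source address is the zombie's, and (3) probes the zombie again. A delta of 2 means the target answered the zombie with a SYN/ACK (open); a delta of 1 means a RST or nothing (closed or filtered); anything else means the zombie was not idle. The `zombie_is_usable` check and the filtered-target case illustrate the "must meet certain criteria" and trust-relationship points from the excerpt. All addresses and port numbers are made up.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

Packet = Dict[str, object]   # a TCP segment reduced to the fields the scan cares about


@dataclass
class Zombie:
    """Idle host whose IP ID counter increments by one for every packet it sends (the side channel)."""
    ip: str
    ip_id: int = 1000

    def _emit(self, pkt: Packet) -> Packet:
        self.ip_id += 1
        pkt["ip_id"] = self.ip_id
        return pkt

    def receive(self, pkt: Packet) -> Optional[Packet]:
        # An unsolicited SYN/ACK is answered with a RST (costs one IP ID);
        # an unsolicited RST is silently ignored (costs nothing).
        if pkt["flags"] == "SA":
            return self._emit({"src": self.ip, "dst": pkt["src"], "flags": "R"})
        return None

    def unrelated_traffic(self, packets: int) -> None:
        """Noise: the zombie talking to a third party also advances the counter."""
        for _ in range(packets):
            self._emit({"src": self.ip, "dst": "198.51.100.9", "flags": "PA"})


@dataclass
class Target:
    ip: str
    open_ports: Set[int]
    allowed_sources: Optional[Set[str]] = None   # None = no packet filter in front of the host

    def receive(self, pkt: Packet) -> Optional[Packet]:
        if self.allowed_sources is not None and pkt["src"] not in self.allowed_sources:
            return None                              # filtered: dropped without any reply
        if pkt["flags"] == "S":
            flags = "SA" if pkt["dport"] in self.open_ports else "R"
            return {"src": self.ip, "dst": pkt["src"], "flags": flags, "sport": pkt["dport"]}
        return None


def probe_zombie(zombie: Zombie, scanner_ip: str) -> int:
    """Send the zombie a SYN/ACK from our real address; the RST it returns carries its current IP ID."""
    rst = zombie.receive({"src": scanner_ip, "dst": zombie.ip, "flags": "SA", "dport": 80})
    return rst["ip_id"]


def zombie_is_usable(zombie: Zombie, scanner_ip: str, probes: int = 4) -> bool:
    """Precondition check: the zombie answers, and consecutive probes show the IP ID stepping by exactly one."""
    ids = [probe_zombie(zombie, scanner_ip) for _ in range(probes)]
    return all(b - a == 1 for a, b in zip(ids, ids[1:]))


def idle_scan_port(scanner_ip: str, zombie: Zombie, target: Target, port: int,
                   zombie_noise: int = 0) -> str:
    before = probe_zombie(zombie, scanner_ip)
    # Spoofed SYN: the source address is the zombie's, so the target's reply goes to
    # the zombie, and nothing sent to the target carries scanner_ip.
    reply = target.receive({"src": zombie.ip, "dst": target.ip, "flags": "S", "dport": port})
    if reply is not None:
        zombie.receive(reply)          # SYN/ACK -> RST (+1 IP ID); RST -> ignored (+0)
    zombie.unrelated_traffic(zombie_noise)
    after = probe_zombie(zombie, scanner_ip)
    delta = after - before             # includes the +1 from the second probe itself
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"       # indistinguishable from the zombie's point of view
    return "unknown"                   # zombie was not idle; retry rather than guess


def direct_syn_scan(scanner_ip: str, target: Target, port: int) -> str:
    """Ordinary SYN scan from our own address, for contrast with the idle scan."""
    reply = target.receive({"src": scanner_ip, "dst": target.ip, "flags": "S", "dport": port})
    if reply is None:
        return "filtered"
    return "open" if reply["flags"] == "SA" else "closed"


if __name__ == "__main__":
    scanner, zombie = "203.0.113.1", Zombie("10.0.0.7")
    trusting = Target("10.0.0.5", {22}, allowed_sources={"10.0.0.7"})   # only the zombie is allowed in
    print("zombie usable:", zombie_is_usable(zombie, scanner))
    print("direct scan of 22:", direct_syn_scan(scanner, trusting, 22))
    print("idle scan of 22 via zombie:", idle_scan_port(scanner, zombie, trusting, 22))
```

The last two lines of the demo are the trust-mapping point: from the scanner's own address port 22 shows as filtered, but scanned through a zombie the target trusts it shows as open, because the result reflects what the target is willing to say to the zombie, not to us.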

