Security Incidents mailing list archives

Re: DOD Inside


From: Peter Kosinar <goober () ksp sk>
Date: Sun, 9 Apr 2006 05:01:46 +0200 (CEST)

Hello,

Tue, 2006-03-28 05:20:52 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Tue, 2006-03-28 11:22:41 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1033 - [DOS]
Tue, 2006-03-28 11:22:41 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Tue, 2006-03-28 17:25:53 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1033 - [DOS]
Tue, 2006-03-28 21:56:20 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1034 - [DOS]
Tue, 2006-03-28 21:56:20 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Tue, 2006-03-28 23:28:43 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Tue, 2006-03-28 23:28:43 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1027 - [DOS]
Wed, 2006-03-29 09:58:11 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Wed, 2006-03-29 11:30:32 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,139 - [DOS]
Wed, 2006-03-29 11:30:32 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1031 - [DOS]

Finding the true origin of these packets might be easier if you provided a little more information. For example, are these the complete logs or just a part of them? Do you have logs of the actual packet contents or just these logs of the communication endpoints? What kind of a network is that router on (e.g. is it a border-router of a company, or a home network, ...)? Does it perform some kind of NAT for an internal network or is it just a simple switch-like router? If the router is on the border of a bigger network, were these packets captured at the external or the internal interface?

Now, here are a few of my _crazy_ speculations... One remarkable fact about those packets is that the source port number is equal to 0x3434 (maybe some kind of weird application which has overwritten its own data?) in all cases and the destination port numbers were always quite near the 1024 boundary; except for one case, when it was port 139 (looks pretty much like MS Windows, doesn't it?). Couldn't it have been some kind of messenger going wild?

Based on the very low packet rate, my first guess is that somebody is doing an
'nmap idle scan' of your box (and they specified the 'stealth' mode that takes
multiple days to do the scan to fly under the wire of most rate-based IDS triggers).

I may be wrong, but doesn't IPID idle scan work only for TCP connections/ports?

Just my 0.02 Euro,

Peter

--
[Name] Peter Kosinar   [Quote] 2B | ~2B = exp(i*PI)   [ICQ] 134813278
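A small triage helper, added here as an example and not part of Peter's post or the original thread: it parses the router log format quoted above and computes the facts the reply reasons about (whether the source port is fixed and what it is in hex, how the destination ports split between privileged and the legacy Windows dynamic range, how the events cluster in time). The line format is assumed from the quoted entries only; the sample input is the eleven lines from the post with the poster's own xx.xx.xx.xx masking kept.

```python
import re
from collections import Counter
from datetime import datetime

# Sample input: the log lines quoted in the post (destination masked by the poster).
SAMPLE_LOG = """\
Tue, 2006-03-28 05:20:52 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Tue, 2006-03-28 11:22:41 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1033 - [DOS]
Tue, 2006-03-28 11:22:41 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Tue, 2006-03-28 17:25:53 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1033 - [DOS]
Tue, 2006-03-28 21:56:20 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1034 - [DOS]
Tue, 2006-03-28 21:56:20 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Tue, 2006-03-28 23:28:43 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Tue, 2006-03-28 23:28:43 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1027 - [DOS]
Wed, 2006-03-29 09:58:11 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1035 - [DOS]
Wed, 2006-03-29 11:30:32 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,139 - [DOS]
Wed, 2006-03-29 11:30:32 - UDP Packet - Source:7.12.12.16,13364 Destination:xx.xx.xx.xx,1031 - [DOS]
"""

# Line layout assumed from the quoted entries: "<dow>, <timestamp> - <proto> Packet -
# Source:<ip>,<port> Destination:<ip>,<port> - [<tag>]".
LINE_RE = re.compile(
    r"^(?P<dow>[A-Za-z]{3}), (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
    r"(?P<proto>[A-Z]+) Packet - Source:(?P<src>[^,\s]+),(?P<sport>\d+) "
    r"Destination:(?P<dst>[^,\s]+),(?P<dport>\d+) - \[(?P<tag>[^\]]+)\]$"
)

# Pre-Vista Windows hosts picked ephemeral (dynamic) ports from 1025-5000; we use
# 1024-5000 as the "near the 1024 boundary" band the post talks about.
DYNAMIC_RANGE = range(1024, 5001)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "proto": m.group("proto"),
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "tag": m.group("tag"),
    }


def parse_log(text):
    """Parse all lines, silently skipping ones that do not match (e.g. blank lines)."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Aggregate the facts a responder would want before attributing the traffic."""
    sports = Counter(r["sport"] for r in records)
    dports = Counter(r["dport"] for r in records)
    timestamps = sorted(r["ts"] for r in records)
    summary = {
        "events": len(records),
        "sources": sorted({r["src"] for r in records}),
        "source_ports": dict(sports),
        "source_port_hex": [hex(p) for p in sorted(sports)],
        "dst_ports": dict(dports),
        "privileged_dst": sum(n for p, n in dports.items() if p < 1024),
        "dynamic_range_dst": sum(n for p, n in dports.items() if p in DYNAMIC_RANGE),
        "span_seconds": int((timestamps[-1] - timestamps[0]).total_seconds()) if timestamps else 0,
        "bursts": len(set(timestamps)),  # distinct timestamps = separate arrival bursts
        "notes": [],
    }
    # Observations only; they narrow the hypotheses, they do not prove any of them.
    if summary["events"] >= 5 and len(sports) == 1:
        summary["notes"].append(
            "fixed source port %d (%s) across all events: a single long-lived socket "
            "or hand-built packets rather than a normal per-connection ephemeral port"
            % (next(iter(sports)), summary["source_port_hex"][0])
        )
    if summary["dynamic_range_dst"] and summary["dynamic_range_dst"] >= summary["events"] * 0.8:
        summary["notes"].append(
            "destination ports sit in a client dynamic range: check whether the target "
            "host had earlier outbound UDP flows (or NAT mappings) on those ports"
        )
    if summary["privileged_dst"]:
        summary["notes"].append(
            "some destination ports are below 1024 (service ports such as 139): "
            "confirm whether those services are actually exposed on the target"
        )
    return summary


if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG))
    for k, v in s.items():
        print(f"{k}: {v}")
```

The notes are deliberately phrased as follow-up checks rather than conclusions: the same summary is consistent with a mis-addressed application, with replies to earlier outbound traffic the log does not show, and with crafted packets, which is exactly why the reply asks for the full logs, payloads and router placement before guessing.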
