Snort mailing list archives

Re: BAD TRAFFIC data in TCP SYN packet

From: "Tudor Panaitescu" <tpanaitescu () colorcon com>
Date: Mon, 14 Jan 2002 13:16:46 -0500



I saw this especially with Microsoft's DNS Servers when people inside the net
here are trying to download updates.

Just FYI.

All the best,
Tudor








Matt Kettler <mkettler () evi-inc com> on 01/14/2002 12:08:21 PM
                                                              
                                                              
                                                              
  To:          Lars J


ørgensen IT <Lars.Jorgensen () pol dk>      
                                                              
  cc:          snort-users () lists sourceforge net(bcc: Tudor   
               Panaitescu/ColorconUS)                         
                                                              
                                                              
                                                              
  Subject      Re: [Snort-users] BAD TRAFFIC data in TCP SYN  
  :            packet


Well, the port 29291 is just a random local port.. This is a syn packet
remember, so the service being used is on destination end, and is port 53
(dns).

so, 207.46.106.84 has decided that 172.40.20.235 might be a dns server, and
has attempted to connect to it via TCP (it is unusual, but legal for a DNS
server to be contacted via tcp instead of UDP).

I've seen some similar traffic myself from a pair of DNS servers directed
at the local DNS server here.. the TCP syn packets contain several bytes of
data which are all 00's. It is strange (AFAIK it is not legal to send data
with a syn packet.. you haven't negotiated a connection yet), but it
appears to be an artifact of a buggy tcp/ip implementation.. Or who knows,
it may be an artifact of some obscure, buggy worm  or scanning tool that
looks at DNS servers and uses raw sockets instead of the local TCP/IP
stack. Even if it is from some obscure hacking tool, the syn packets
themselves appear harmless.


At 07:39 AM 1/14/2002 +0100, you wrote:

Hi!

I get a lot of

01/14-02:24:17.089098  [**] [1:526:3] BAD TRAFFIC data in TCP SYN packet
[**] [Classification: Misc activity] [Priority: 3] {TCP} 207.46.106.84:29291
-> 172.40.20.235:53

172.40.20.235 is my DNS server, but why would clients put data in the syn
packets? According to RIPE, the source address is "ALLOCATED UNSPECIFIED",
so I can't find out who's doing this. It comes from a limited number of
addresses, they all seem to be 207.xx.xxx.xxx.



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

BAD TRAFFIC data in TCP SYN packet Lars Jørgensen IT (Jan 13)
- Re: BAD TRAFFIC data in TCP SYN packet Chris Keladis (Jan 13)
- Re: BAD TRAFFIC data in TCP SYN packet Matt Kettler (Jan 14)
  - Re: BAD TRAFFIC data in TCP SYN packet Dewey Paciaffi (Jan 14)
  - Re: BAD TRAFFIC data in TCP SYN packet Martin Roesch (Jan 14)
    - Re: BAD TRAFFIC data in TCP SYN packet Laurie Zirkle (Jan 15)
- <Possible follow-ups>
- Re: BAD TRAFFIC data in TCP SYN packet Tudor Panaitescu (Jan 14)
- SV: BAD TRAFFIC data in TCP SYN packet Lars Jørgensen IT (Jan 14)
  - Re: SV: BAD TRAFFIC data in TCP SYN packet Matt Kettler (Jan 14)
    - Re: SV: BAD TRAFFIC data in TCP SYN packet Dan Hollis (Jan 14)
- RE: SV: BAD TRAFFIC data in TCP SYN packet Austad, Jay (Jan 15)
  - RE: SV: BAD TRAFFIC data in TCP SYN packet Dan Hollis (Jan 15)
    - RE: SV: BAD TRAFFIC data in TCP SYN packet Matt Kettler (Jan 15)