Re: more weird traceroutes

[securityguru () HOTMAIL COM (Security Guru)]

Normally, you don't see decreasing TTL's in a scan for proxies.  I think the
original assessment is correct - a traceroute disguised as a proxy scan.
The other clue is that the target address is constant.  Typically I see
about 2-4 packets per target on a scan.

> From: Chad Thunberg <chadth () OBFUSTECH COM>
> Reply-To: Chad Thunberg <chadth () OBFUSTECH COM>
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: Re: more weird traceroutes
> Date: Tue, 2 May 2000 15:09:17 -0700
>
> these aren't traceroutes, they are scans for proxies.
>
> -Chad
>
> -----Original Message-----
> From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
> Behalf Of Donald McLachlan
> Sent: Tuesday, May 02, 2000 6:51 AM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: more weird traceroutes
>
>
> How about this.  A traceroute (sort of) masquarading as RingZero!
> It started with this:
>
> 00:50:49.091588 212.209.62.2.1040 > 142.62.0.108.80: S 79134:79134(0) win
> 8192 <mss 1460> (DF) (ttl 18, id 16384)
> 00:50:49.091774 212.209.62.2.1040 > 142.62.0.108.80: S 79134:79134(0) win
> 8192 <mss 1460> (DF) (ttl 17, id 16384)
> ...
> 00:50:49.093137 212.209.62.2.1040 > 142.62.0.108.80: S 79134:79134(0) win
> 8192 <mss 1460> (DF) [ttl 1] (id 16384)
>
> The above pattern was repeated a total of 4 times with only the ip id
> changing.
> This was followed this (also repeated 4 times):
>
> 00:51:36.515153 212.209.62.2.1170 > 142.62.0.108.8080: S 126571:126571(0)
> win 8192 <mss 1460> (DF) (ttl 18, id 9986)
> 00:51:36.515310 212.209.62.2.1170 > 142.62.0.108.8080: S 126571:126571(0)
> win 8192 <mss 1460> (DF) (ttl 17, id 9986)
> ...
> 00:51:36.521579 212.209.62.2.1170 > 142.62.0.108.8080: S 126571:126571(0)
> win 8192 <mss 1460> (DF) [ttl 1] (id 9986)
>
> and this (repeated 4 times):
>
> 00:52:24.638450 212.209.62.2.1248 > 142.62.0.108.3128: S 174756:174756(0)
> win 8192 <mss 1460> (DF) (ttl 18, id 14851)
> 00:52:24.638597 212.209.62.2.1248 > 142.62.0.108.3128: S 174756:174756(0)
> win 8192 <mss 1460> (DF) (ttl 17, id 14851)
> ...
> 00:52:24.640191 212.209.62.2.1248 > 142.62.0.108.3128: S 174756:174756(0)
> win 8192 <mss 1460> (DF) [ttl 1] (id 14851)
>
> Also, TTL analysis shows either the source address is spoofed, or at least
> that there is initial TTL trickery going on.
>
> Don

________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com