Security Incidents mailing list archives
Strange TCP RSTs
From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Tue, 30 Jan 2001 18:25:35 -0800
I see a lot of these,

Jan 30 06:46:40 205.188.144.231:80 -> aaa.bbb.cc0.164:1884 UNKNOWN 1****R** RESERVEDBITS
Jan 30 07:09:29 207.200.89.40:80 -> aaa.bbb.cc3.223:2756 UNKNOWN 1****R** RESERVEDBITS
Jan 30 07:14:33 207.200.89.225:80 -> aaa.bbb.cc3.223:2770 UNKNOWN 1****R** RESERVEDBITS
Jan 30 10:34:47 205.188.144.232:80 -> aaa.bbb.cc1.62:1057 UNKNOWN 1****R** RESERVEDBITS
Jan 30 10:36:21 205.188.144.231:80 -> aaa.bbb.cc2.17:50150 UNKNOWN 1****R** RESERVEDBITS
Jan 30 10:41:37 205.188.144.231:80 -> aaa.bbb.cc2.17:50184 UNKNOWN 1****R** RESERVEDBITS
Jan 30 11:09:16 205.188.144.231:80 -> aaa.bbb.cc3.99:1354 UNKNOWN 1****R** RESERVEDBITS
Jan 30 11:15:15 205.188.144.232:80 -> aaa.bbb.cc2.84:37740 UNKNOWN 1****R** RESERVEDBITS
Jan 30 11:17:14 207.200.89.225:80 -> aaa.bbb.cc1.206:1437 UNKNOWN 1****R** RESERVEDBITS
Jan 30 11:26:50 205.188.144.231:80 -> aaa.bbb.cc3.99:1369 UNKNOWN 1****R** RESERVEDBITS
Jan 30 12:43:24 207.200.89.40:80 -> aaa.bbb.cc0.88:4357 UNKNOWN 1****R** RESERVEDBITS
Jan 30 12:46:58 205.188.144.231:80 -> aaa.bbb.cc2.84:37818 UNKNOWN 1****R** RESERVEDBITS
Jan 30 12:57:30 205.188.144.232:80 -> aaa.bbb.cc3.99:1644 UNKNOWN 1****R** RESERVEDBITS
Jan 30 13:10:04 205.188.144.232:80 -> aaa.bbb.cc3.99:1671 UNKNOWN 1****R** RESERVEDBITS
Jan 30 13:14:45 205.188.144.232:80 -> aaa.bbb.cc2.17:50915 UNKNOWN 1****R** RESERVEDBITS
Jan 30 13:17:00 205.188.144.231:80 -> aaa.bbb.cc2.84:37867 UNKNOWN 1****R** RESERVEDBITS
Jan 30 13:18:56 205.188.144.241:80 -> aaa.bbb.cc4.25:1051 UNKNOWN 1****R** RESERVEDBITS
Jan 30 14:39:46 207.200.89.40:80 -> aaa.bbb.cc3.223:3304 UNKNOWN 1****R** RESERVEDBITS
Jan 30 15:45:33 205.188.144.232:80 -> aaa.bbb.cc2.84:37910 UNKNOWN 1****R** RESERVEDBITS
Jan 30 15:51:54 205.188.144.231:80 -> aaa.bbb.cc4.240:2321 UNKNOWN 1****R** RESERVEDBITS
Jan 30 16:15:35 205.188.144.232:80 -> aaa.bbb.cc2.84:37921 UNKNOWN 1****R** RESERVEDBITS
Jan 30 16:30:37 205.188.144.232:80 -> aaa.bbb.cc4.240:2351 UNKNOWN 1****R** RESERVEDBITS
Jan 30 16:45:37 205.188.144.232:80 -> aaa.bbb.cc2.84:37960 UNKNOWN 1****R** RESERVEDBITS
Jan 30 17:15:38 205.188.144.232:80 -> aaa.bbb.cc2.84:37982 UNKNOWN 1****R** RESERVEDBITS
Jan 30 17:45:38 205.188.144.231:80 -> aaa.bbb.cc2.84:37997 UNKNOWN 1****R** RESERVEDBITS

These are "portscan" logs from Snort. It is triggering on the presence of a "reserved" bit being set in the TCP flags. That is what I have so far today. I get a pretty steady stream of these.

Those are all HTTP connections to some fairly well known servers,

Name:    ncmail.mcom.com
Address: 205.188.144.231

Name:    ncmail.mcom.com
Address: 205.188.144.232

Name:    mailredirect.mcom.com
Address: 205.188.144.241

Name:    home-v2.websys.aol.com
Address: 207.200.89.225

Name:    myvip-a.netscape.com
Address: 207.200.89.40

I checked a few of them with Netcraft, and all of the ones I tried came back as Netscape Enterprise 4.1 on Solaris.

My first thought was ECN (RFC2481). However, having finally dug in and read that thing (pass the no-doze, please), that is clearly not the case. Upon closer inspection, these packets were not part of a connection that had established ECN. (I have packet logs too, but will not go into the ECN analysis here.) Even if they were, I don't think a CWR flag on a RST packet is meaningful or allowed by ECN (nor is ECT set in the IP TOS, in case you were wondering).

Can anyone identify this pattern?

-- 
Crist J. Clark
Network Security Engineer
crist.clark () globalstar com
Globalstar, L.P.
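The flag field in these log lines is Snort's eight-character "12UAPRSF" string, where the first character stands for the 0x80 bit (TCP reserved bit 1 at the time, later named CWR by ECN), the second for 0x40 (reserved bit 2, later ECE), then URG, ACK, PSH, RST, SYN, FIN, with "*" meaning the bit is clear. So "1****R**" is a RST with the 0x80 bit set, which is what the post is asking about. The script below is an added example written for this page, not code from the post or from Snort: it parses lines in the format shown above, decodes the flag string back into flag names and the raw th_flags byte, and groups the bare-RST-with-reserved-bit hits by source. The flag-string layout is assumed to be the Snort 1.x one described here; four of the sample lines are copied from the post and the fifth (a plain SYN from 192.0.2.10) is constructed as a control that must not match.

```python
import re
from collections import Counter

# Snort's 8-character flag field, in order "12UAPRSF": position 1 is the
# 0x80 bit (reserved bit 1 in 2001, CWR under ECN), position 2 is 0x40
# (reserved bit 2, ECE), then URG ACK PSH RST SYN FIN. '*' = bit clear.
# This layout is assumed here from Snort 1.x output; it is not from the post.
FLAG_ORDER = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")
FLAG_BITS = {"CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
             "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"(?P<proto>\S+) (?P<flags>[*12UAPRSF]{8})(?: (?P<note>.*))?$"
)

# Four lines taken from the post plus one constructed plain-SYN line as a
# control that must not match the RST-with-reserved-bit pattern.
SAMPLE_LOG = """\
Jan 30 06:46:40 205.188.144.231:80 -> aaa.bbb.cc0.164:1884 UNKNOWN 1****R** RESERVEDBITS
Jan 30 07:09:29 207.200.89.40:80 -> aaa.bbb.cc3.223:2756 UNKNOWN 1****R** RESERVEDBITS
Jan 30 10:34:47 205.188.144.232:80 -> aaa.bbb.cc1.62:1057 UNKNOWN 1****R** RESERVEDBITS
Jan 30 13:18:56 205.188.144.241:80 -> aaa.bbb.cc4.25:1051 UNKNOWN 1****R** RESERVEDBITS
Jan 30 14:00:00 192.0.2.10:4444 -> aaa.bbb.cc4.25:22 SYN ******S*
"""


def decode_flags(field):
    """Map Snort's flag string to (set of flag names, raw th_flags byte)."""
    if len(field) != 8:
        raise ValueError(f"bad flag field: {field!r}")
    names, raw = set(), 0
    for ch, name in zip(field, FLAG_ORDER):
        if ch != "*":
            names.add(name)
            raw |= FLAG_BITS[name]
    return names, raw


def parse_line(line):
    """Parse one portscan-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["flags"], rec["flag_byte"] = decode_flags(rec["flags"])
    return rec


def is_reserved_bit_rst(rec):
    """The pattern in the post: a bare RST (no SYN/ACK/FIN) carrying CWR or ECE.
    ECN negotiates on SYN/SYN-ACK and signals on data/ACK segments, so a RST
    with either bit set is not something the ECN exchange accounts for."""
    f = rec["flags"]
    return "RST" in f and not (f & {"SYN", "ACK", "FIN"}) and bool(f & {"CWR", "ECE"})


def summarize(lines):
    """Count matching records and group the hits by (source IP, source port)."""
    recs = [r for r in map(parse_line, lines) if r]
    hits = [r for r in recs if is_reserved_bit_rst(r)]
    return {
        "total": len(recs),
        "hits": len(hits),
        "by_source": dict(Counter((r["src"], r["sport"]) for r in hits)),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print(f"{s['hits']} of {s['total']} records are bare RSTs with a reserved bit set")
    for (src, sport), n in sorted(s["by_source"].items()):
        print(f"  {src}:{sport}  {n}")
```

Run against the sample it reports four hits out of five records, all from source port 80 on the hosts the post resolved, and the constructed SYN line is parsed but not counted. Feeding the full log from the post through `summarize` gives the per-server counts directly, which is the first thing to line up against the packet captures when deciding whether one server implementation is behind all of them.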
Current thread:
- Strange TCP RSTs Crist Clark (Jan 30)
- Re: Strange TCP RSTs Russell Fulton (Jan 31)
- Re: Strange TCP RSTs Crist Clark (Jan 31)
- Re: Strange TCP RSTs Russell Fulton (Jan 31)