Security Incidents mailing list archives

Strange TCP RSTs


From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Tue, 30 Jan 2001 18:25:35 -0800

I see a lot of these,

  Jan 30 06:46:40 205.188.144.231:80 -> aaa.bbb.cc0.164:1884 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 07:09:29 207.200.89.40:80 -> aaa.bbb.cc3.223:2756 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 07:14:33 207.200.89.225:80 -> aaa.bbb.cc3.223:2770 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 10:34:47 205.188.144.232:80 -> aaa.bbb.cc1.62:1057 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 10:36:21 205.188.144.231:80 -> aaa.bbb.cc2.17:50150 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 10:41:37 205.188.144.231:80 -> aaa.bbb.cc2.17:50184 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 11:09:16 205.188.144.231:80 -> aaa.bbb.cc3.99:1354 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 11:15:15 205.188.144.232:80 -> aaa.bbb.cc2.84:37740 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 11:17:14 207.200.89.225:80 -> aaa.bbb.cc1.206:1437 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 11:26:50 205.188.144.231:80 -> aaa.bbb.cc3.99:1369 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 12:43:24 207.200.89.40:80 -> aaa.bbb.cc0.88:4357 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 12:46:58 205.188.144.231:80 -> aaa.bbb.cc2.84:37818 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 12:57:30 205.188.144.232:80 -> aaa.bbb.cc3.99:1644 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 13:10:04 205.188.144.232:80 -> aaa.bbb.cc3.99:1671 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 13:14:45 205.188.144.232:80 -> aaa.bbb.cc2.17:50915 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 13:17:00 205.188.144.231:80 -> aaa.bbb.cc2.84:37867 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 13:18:56 205.188.144.241:80 -> aaa.bbb.cc4.25:1051 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 14:39:46 207.200.89.40:80 -> aaa.bbb.cc3.223:3304 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 15:45:33 205.188.144.232:80 -> aaa.bbb.cc2.84:37910 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 15:51:54 205.188.144.231:80 -> aaa.bbb.cc4.240:2321 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 16:15:35 205.188.144.232:80 -> aaa.bbb.cc2.84:37921 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 16:30:37 205.188.144.232:80 -> aaa.bbb.cc4.240:2351 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 16:45:37 205.188.144.232:80 -> aaa.bbb.cc2.84:37960 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 17:15:38 205.188.144.232:80 -> aaa.bbb.cc2.84:37982 UNKNOWN 1****R** RESERVEDBITS
  Jan 30 17:45:38 205.188.144.231:80 -> aaa.bbb.cc2.84:37997 UNKNOWN 1****R** RESERVEDBITS

These are "portscan" logs from Snort. It is triggering on the presence
of a "reserved"-bit being set in the TCP flags. That is what I have
so far today. I get a pretty steady stream of these.

Those are all HTTP connections to some fairly well known servers,

  Name:    ncmail.mcom.com
  Address:  205.188.144.231

  Name:    ncmail.mcom.com
  Address:  205.188.144.232

  Name:    mailredirect.mcom.com
  Address:  205.188.144.241

  Name:    home-v2.websys.aol.com
  Address:  207.200.89.225

  Name:    myvip-a.netscape.com
  Address:  207.200.89.40

I checked a few of them with Netcraft and all of the ones I tried came
back as Netscape Enterprise 4.1 on Solaris.

My first thought was ECN (RFC2481). However, having finally dug in and
read that thing (pass the no-doze, please), that is clearly not the
case. Upon closer inspection these packets were not part of a connection
that had established ECN. (I have packet logs too, but will not go into
the ECN analysis here.) Even if they were, I don't think a CWR flag on
a RST packet is meaningful or allowed by ECN (nor is ECT set in the IP
TOS in case you were wondering).

Can anyone identify this pattern?
--
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
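An added example, not the poster's code and not Snort's own, for anyone triaging the same lines: it parses the portscan entries above, decodes Snort 1.x's 8-position flag string (assumed order "12UAPRSF", where '1' and '2' are the reserved bits RFC 2481 names CWR and ECE) into flag names and the raw th_flags byte, labels a reset that carries ECN bits the way the post reasons about it, and tallies the pattern per source host. The 10.0.0.x line in the sample is constructed; the other two are quoted from the post.

```python
import re
from collections import Counter

# Snort 1.x prints TCP flags as 8 positions in "12UAPRSF" order; '*' = clear.
# '1' and '2' are the reserved bits that RFC 2481 (ECN) names CWR and ECE.
FLAG_BITS = [("CWR", 0x80), ("ECE", 0x40), ("URG", 0x20), ("ACK", 0x10),
             ("PSH", 0x08), ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01)]
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<src>\S+):(?P<sport>\d+) -> "
    r"(?P<dst>\S+):(?P<dport>\d+) (?P<kind>\S+) (?P<flagstr>\S{8})")

def decode_flags(flagstr):
    """Return (flag-name set, raw th_flags byte) for a string like '1****R**'."""
    if len(flagstr) != 8:
        raise ValueError("expected 8 flag positions: %r" % flagstr)
    names, raw = set(), 0
    for ch, (name, bit) in zip(flagstr, FLAG_BITS):
        if ch != "*":
            names.add(name)
            raw |= bit
    return names, raw

def classify(flags):
    """Triage label: CWR/ECE on a reset has no meaning under ECN."""
    ecn = "+".join(sorted(flags & {"CWR", "ECE"}))
    if not ecn:
        return "no reserved bits"
    if "RST" in flags:
        return "RST carrying %s (not meaningful on a reset)" % ecn
    if flags == {"SYN", "CWR", "ECE"}:
        return "ECN-setup SYN (expected under RFC 2481)"
    return "other reserved-bit use: %s" % ecn

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not a portscan flag line; skip it
    rec = m.groupdict()
    rec["flags"], rec["th_flags"] = decode_flags(rec["flagstr"])
    return rec

def summarize(lines):
    """Count (source host, label) pairs so the repeating servers stand out."""
    recs = [r for r in map(parse_line, lines) if r]
    return Counter((r["src"], classify(r["flags"])) for r in recs)

# Two lines quoted from the post above plus one constructed ECN-setup SYN.
SAMPLE = [
    "Jan 30 06:46:40 205.188.144.231:80 -> aaa.bbb.cc0.164:1884 UNKNOWN 1****R** RESERVEDBITS",
    "Jan 30 10:36:21 205.188.144.231:80 -> aaa.bbb.cc2.17:50150 UNKNOWN 1****R** RESERVEDBITS",
    "Jan 30 10:40:00 10.0.0.5:3100 -> 10.0.0.9:80 UNKNOWN 12****S* RESERVEDBITS",
]
```

Run `summarize(SAMPLE).most_common()` over a full day's log to see which source hosts keep sending resets with CWR set.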

