network mystery

[<network-questions () excite com>]

Here is the situation.  Over the weekend, some 
strange packets started showing up on my LAN.  The 
packets were captured by one of my IDS systems 
which monitor outbound traffic.  Analyzation of the 4 
packets over the weekend, revealed that 2 of them 
were generated using eEye's Retina (at least the 
payload of the packet is consistent with Retina), and 
the other 2 packets were created by Solarwinds IP 
Network Browser (again the payload of the packet 
was consistent with that of this tool).  This is not what 
is unusual.  What is unusual is that the source 
address is a public address, located in various parts 
of the world (The US, France, Belgium, etc), and not 
one of our private space addresses.  The destination 
address is always 192.168.1.70.  192.168.1.70 does 
not exist on my network (we don't use this IP scheme 
anywhere).  The reason why the outbound sensor 
detected this is because the core router is setup to 
forward all packets it doesn't have a route to, to the 
firewall and ultimately the Internet.

My network is a class B environment, but only a small 
range of hosts are on the network, roughly 1000 
devices (in the local LAN).  There are 2 other 
gateways; one of which is a WAN connection to other 
offices, and the other is a collection of various 
vendors who need access to our internal LAN for 
various reasons.  Most of the systems are running 
W2K SP2, although there are various *nix systems 
(AIX, Solaris, etc.) for various needs.  

I have set up sniffers and sensors on the various 
VLANs; including our WAN and vendor connections.  
The traffic has happened several times on Monday 
and Tuesday.  But of course not on the vlans that 
were being monitored.  Most of the traffic is 
generated between the hours of 2 am to 6:30 am, 
and then again starting about 4:30pm until about 
11pm.  However the times are not consistent, nor is 
there a discernable pattern.  The volume of the traffic 
is low.  However since the weekend, the number of 
packets that have been recorded have increased, but 
I should mention that the traffic to date over the past 4 
days has been less than 30 packets.

However, the traffic is different than what was 
recorded over the weekend.  All the traffic over the 
weekend was ICMP echo-requests.  There has only 
been 1 ICMP packet since then, and it was a plain 
vanilla ICMP packet with no payload (type 8).  All the 
other traffic recorded is TCP, with only the SYN flag 
set, and the payload is empty.  The traffic is destined 
for port 80.  The source port is random, between 
3000 and 4500. 

I have checked everything I can think of, from 
verifying the times of VPN sessions to having every 
single hard drive in the entire network scanned 
searching for either eEye or Solarwinds.  They are all 
negative.  My current pursuit is find a way to grab the 
MAC address.  At least if I have the MAC, and I can 
check each VLAN's switch and trace the machine 
back.  I am still working on this.  But, other than 
having one of the sniffers locate which VLAN the 
activity is coming from, I can think of no other choice 
available to me.  

Since I am posting this to incidents, I should state 
that there is absolutely no sign of an intrusion, of 
course, that doesn't mean much.  :)

I have tried to speculate what tool could cause this.  
Its a tool which spoofs its address (or at least 
appears to), but always has the same destination.  
So it would never expect a response to be returned to 
it (assuming its spoofed).  It generates ICMP packets, 
that are either standard vanilla packets, Solarwinds, 
or Retina.  It generates TCP packets, to port 80 only, 
but again, always to the same IP.  There are no 
payloads (other than the first 4 packets captured over 
the weekend).  And the destination address is a 
private space address which is not used anywhere 
on my network.  

The only other thoughts I have is that perhaps this is 
a malfunctioning file sharing tool (akin to Grokster, 
KaZaA, etc.)  The time of day, would be consistent 
with someone who comes into work early (and stops 
downloading), and then resumes the downloads 
when they leave for the day.  I can't confirm this yet, 
nor can I explain how and/or why a file sharing tool 
would act in this way.

Can anyone please offer some insight?  Can you 
think of anything else I can do?  Has anyone seen 
activity like this before?  Any help, as always, is 
greatly appreciated.

-md

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com