Security Incidents mailing list archives

RE: odd scans?


From: "Smith, Donald " <Donald.Smith () qwest com>
Date: Sun, 26 May 2002 09:23:51 -0600

Could this be a reflective DDOS?
http://www.icir.org/vern/papers/reflectors.CCR.01/index.html

Comments inline.
The main difference between that and traditional backscatter is that it would mean you're being targeted, and the hosts that sent you these packets are being used to hide the real attacking hosts.


-----Original Message-----
From: Bamm (Robert) Visscher [mailto:rvisscher () saball com]
Sent: Friday, May 24, 2002 2:35 PM
To: Scott, Michael R.
Cc: 'intrusions () incidents org'; 'incidents () securityfocus com'
Subject: Re: odd scans?


Mike,

Looks like you are just the innocent bystander. An unknown attacker is
most likely "spoofing" your IP in an attempt to synflood the victims
(who are sending the resets). Check out this excellent paper for more
info: http://home.satx.rr.com/bejtlich/intv2-8.html

Bammkkkk

On Fri, 2002-05-24 at 12:16, Scott, Michael R. wrote:
Anyone recognize this or have a clue what they're looking for (covert channel, root shell) or what tool is responsible? The source and dest ports are almost as randomly distributed across the high range as the location of the source IPs are across the globe, but notice that the same two ack numbers repeat across all the source IPs.

thanks
Mike

Reset/Ack's -> a response from a host with closed ports.
So I'd say that the "attackers" in this case were sent a syn packet with the port numbers reversed, i.e. 213.114.155.74 was sent a syn on port 32320.
May 04 15:13:54.192847 213.114.155.74.10363 > A.B.24.105.32320: R 0:0(0) ack 2093292673 win 0
Notice that the ack is the same in many of these packets!
2093292673 occurs here from several DIFFERENT machines.
That implies that those hosts were all hit with a syn packet with a seq number of 2093292672, then they all added 1 to that and said "I don't run that service" (ack/reset) back to a.b.24.105.

May 10 10:32:02.907545 202.96.170.175.23132 > A.B.24.105.16147: R 0:0(0) ack 2119353641 win 0 (DF)
May 10 10:33:02.244385 202.96.170.175.28393 > A.B.24.105.27350: R 0:0(0) ack 2093292673 win 0 (DF)
May 11 17:41:25.668000 195.159.0.90.25787 > A.B.24.105.50026: R 0:0(0) ack 2093292673 win 0 (DF)
May 12 20:57:40.114036 195.159.0.90.17655 > A.B.24.105.42560: R 0:0(0) ack 2093292673 win 0 (DF) [tos 0x60]
May 13 02:43:49.277926 210.51.195.242.30405 > A.B.24.105.55321: R 0:0(0) ack 2093292673 win 0
May 13 02:47:42.141686 210.51.195.242.13712 > A.B.24.105.13470: R 0:0(0) ack 2119353641 win 0
May 13 03:08:44.392753 210.51.195.242.14624 > A.B.24.105.25786: R 0:0(0) ack 2119353641 win 0
May 13 03:09:02.581235 210.51.195.242.21772 > A.B.24.105.55043: R 0:0(0) ack 2093292673 win 0
May 13 03:14:07.108680 210.51.195.242.16260 > A.B.24.105.50721: R 0:0(0) ack 2093292673 win 0
May 13 03:23:01.695751 210.51.195.242.24690 > A.B.24.105.43529: R 0:0(0) ack 2093292673 win 0
May 13 03:30:40.841510 210.51.195.242.20326 > A.B.24.105.32961: R 0:0(0) ack 2119353641 win 0
May 13 03:53:25.418298 195.159.0.90.28711 > A.B.24.105.54951: R 0:0(0) ack 2093292673 win 0 (DF) [tos 0x60]
May 13 19:23:30.740548 202.103.196.69.5890 > A.B.24.105.55141: R 0:0(0) ack 2093292673 win 0
May 14 09:14:44.181069 202.108.58.52.18598 > A.B.24.105.19788: R 0:0(0) ack 2119353641 win 0
May 14 16:53:22.218980 195.159.0.90.14934 > A.B.24.105.42941: R 0:0(0) ack 2093292673 win 0 (DF) [tos 0x60]
May 14 17:00:47.116523 195.159.0.90.22228 > A.B.24.105.54487: R 0:0(0) ack 2093292673 win 0 (DF) [tos 0x60]
May 18 08:51:27.644959 218.1.1.158.2471 > A.B.24.105.49396: R 0:0(0) ack 2093292673 win 0
May 19 02:35:23.141419 202.103.196.69.32229 > A.B.24.105.27436: R 0:0(0) ack 2093292673 win 0
May 19 02:47:53.563776 202.103.196.61.8113 > A.B.24.105.32263: R 0:0(0) ack 2093292673 win 0
May 19 02:55:12.054609 202.103.196.61.14270 > A.B.24.105.32852: R 0:0(0) ack 2093292673 win 0
May 19 09:17:19.226250 218.1.1.158.26563 > A.B.24.105.35030: R 0:0(0) ack 2093292673 win 0
May 20 20:54:03.565186 211.155.241.86.4949 > A.B.24.105.7930: R 0:0(0) ack 2119353641 win 0
May 21 21:59:32.021667 61.139.77.80.28873 > A.B.24.105.36294: R 0:0(0) ack 2093292673 win 0
May 21 22:01:09.809743 61.139.77.80.16712 > A.B.24.105.55967: R 0:0(0) ack 2093292673 win 0
May 21 22:03:04.032252 61.139.77.80.20641 > A.B.24.105.24336: R 0:0(0) ack 2093292673 win 0
May 21 22:05:35.751460 61.139.77.80.23510 > A.B.24.105.47833: R 0:0(0) ack 2093292673 win 0
May 21 22:19:15.208975 61.139.77.80.27333 > A.B.24.105.33607: R 0:0(0) ack 2119353641 win 0
May 21 22:30:17.176497 61.139.77.80.7683 > A.B.24.105.25473: R 0:0(0) ack 2119353641 win 0
May 22 01:25:46.457981 61.139.77.80.21143 > A.B.24.105.34794: R 0:0(0) ack 2093292673 win 0
May 22 01:29:13.261296 61.139.77.80.17424 > A.B.24.105.46475: R 0:0(0) ack 2093292673 win 0
May 22 01:39:44.960026 61.139.77.80.24893 > A.B.24.105.12434: R 0:0(0) ack 2119353641 win 0
May 22 06:54:09.159673 61.144.236.154.23977 > A.B.24.105.37501: R 0:0(0) ack 2093292673 win 0
May 22 22:04:59.837793 211.144.65.118.18268 > A.B.24.105.32230: R 0:0(0) ack 2119353641 win 0
May 23 16:12:32.902699 32.97.166.142.23906 > A.B.24.105.40741: R 0:0(0) ack 2093292673 win 0 (DF) [tos 0x8]
May 24 07:27:13.613784 213.156.32.125.19650 > A.B.24.105.20404: R 0:0(0) ack 1702151370 win 0


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

-- 
Bamm (Robert) Visscher
Senior Engineer, Managed Network Security Operations
Ball Aerospace & Technologies Corp.
http://www.ball.com/aerospace/index.html
rvisscher () saball com Desk: 210.734.5070 x107  Mobile: 210.240.5950 
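An added example (mine, not from anyone in this thread) that applies the reasoning above to the tcpdump lines quoted in the post: it groups the RST/ACK packets by ack number, flags ack values that came back from several distinct hosts, and derives the ISN of the spoofed SYN as ack - 1. The sample lines are copied from the post, and the line format assumed is the old tcpdump TCP layout shown there.

```python
import re
from collections import defaultdict

# tcpdump lines as quoted in the thread (one packet per line here; the mail
# client had wrapped each one). Copied from the post, not constructed.
SAMPLE = [
    "May 10 10:32:02.907545 202.96.170.175.23132 > A.B.24.105.16147: R 0:0(0) ack 2119353641 win 0 (DF)",
    "May 11 17:41:25.668000 195.159.0.90.25787 > A.B.24.105.50026: R 0:0(0) ack 2093292673 win 0 (DF)",
    "May 13 02:43:49.277926 210.51.195.242.30405 > A.B.24.105.55321: R 0:0(0) ack 2093292673 win 0",
    "May 13 02:47:42.141686 210.51.195.242.13712 > A.B.24.105.13470: R 0:0(0) ack 2119353641 win 0",
    "May 13 19:23:30.740548 202.103.196.69.5890 > A.B.24.105.55141: R 0:0(0) ack 2093292673 win 0",
    "May 14 09:14:44.181069 202.108.58.52.18598 > A.B.24.105.19788: R 0:0(0) ack 2119353641 win 0",
    "May 24 07:27:13.613784 213.156.32.125.19650 > A.B.24.105.20404: R 0:0(0) ack 1702151370 win 0",
]

# Old tcpdump TCP format: "src.sport > dst.dport: FLAGS seq:seq(len) ack N win W ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:.]+) "
    r"(?P<src>[\w.]+)\.(?P<sport>\d+) > (?P<dst>[\w.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+) \d+:\d+\(\d+\) ack (?P<ack>\d+) win (?P<win>\d+)"
)

def parse_line(line):
    """Return the packet fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = m.groupdict()
    for k in ("sport", "dport", "ack", "win"):
        p[k] = int(p[k])
    return p

def find_backscatter(lines, min_sources=3):
    """Group RST/ACK (win 0) packets by ack number. A closed port answers a
    SYN with RST/ACK whose ack = SYN seq + 1, so one ack value arriving from
    many unrelated hosts means they all received a SYN, spoofed from us, that
    carried the same fixed ISN. Returns {ack: {sources, spoofed_syn_seq}}."""
    by_ack = defaultdict(set)
    for line in lines:
        p = parse_line(line)
        if p and p["flags"] == "R" and p["win"] == 0:
            by_ack[p["ack"]].add(p["src"])
    return {
        ack: {"sources": sorted(srcs), "spoofed_syn_seq": ack - 1}
        for ack, srcs in by_ack.items()
        if len(srcs) >= min_sources
    }
```

On the sample the two repeating ack values are reported with three reflecting hosts each, while the lone 1702151370 packet is left out as ordinary noise.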



