Security Incidents mailing list archives

Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log file...)


From: Ken Eichman <keichman () cas org>
Date: Thu, 12 Jun 2003 13:28:54 -0400 (EDT)

Following up on the '"odd" TCP SYN packets with winsize 55808' thread,
here's a chart of the growth in volume of this traffic seen at my /16.
I've seen very little discussion about it although I did run across
the following news article.
http://www.gcn.com/vol1_no1/daily-updates/22371-1.html

It's hard to get an exact count of the traffic, but these numbers should
be very close. This is the daily unique count of each category; unique
number of packets (hits), number of unique source IP addresses, unique
source ports, etc. seen here each 24-hour GMT period.

Date    Hits SrcIP SrcPort DstIP DstPort Seq#
----    ---- ----- ------- ----- ------- ----
0516       0     0      0      0      0     0
0517     235   188    212    230    229   230
0518     128   114    113    121    121   121
0519     146    87    108    119    112   129
0520     251   194    191    214    213   215
0521     343   259    251    290    291   291
0522     439   245    239    279    278   301
0523     774   414    438    479    479   486
0524     760   397    446    467    467   476
0525     651   406    414    413    411   414
0526    1408   581    613    622    620   632
0527    2351   622    657    703    700   719
0528    3826   643    872    900    884   941
0529    5573   663   1047   1099   1092  1118
0530    5966   688    981   1072   1067  1100
0531    5659   685    859    940    938   998
0601    7806   751   1219   1247   1231  1304
0602   10508   816   1453   1410   1410  1593
0603   15676  1061   2295   1751   1735  2261
0604   20914  1027   2265   1665   1659  2342
0605   32168  1207   3155   1832   1822  3200
0606   38958  1239   3451   1885   1853  3155
0607   39596  1265   3691   1862   1841  2679
0608   37017  1215   2895   1833   1815  1941
0609   45924  1419   3567   1879   1874  2915
0610   50507  1435   3353   1889   1875  3152
0611   64757  1842   3889   1910   1885  3295
0612*  28511  1229   2321   1799   1779  2296

* - 11 hours of activity only

I don't know what, if anything, these numbers show, other than an increase
in traffic volume. Hard to say if it means the number of compromised hosts
is increasing, although that might be a logical conclusion.

Best I can determine, this traffic apparently first showed up here at 00:05
GMT on May 17. Most (all?) of it is spoofed, with many one-to-one source IP
probers, e.g.:

Date       Time     TCP Seq# Source Address  Port     Target Address Port
06/12/2003 10:23:24 EC03F241 147.232.196.201 10849 -> XX.XX.88.74 40829
06/12/2003 10:42:20 EC03F241 147.232.196.201 10849 -> XX.XX.88.74 40829
06/12/2003 10:42:42 EC03F241 147.232.196.201 10849 -> XX.XX.88.74 40829
06/12/2003 10:54:54 EC03F241 147.232.196.201 10849 -> XX.XX.88.74 40829
06/12/2003 11:12:22 EC03F241 147.232.196.201 10849 -> XX.XX.88.74 40829
06/12/2003 11:17:52 EC03F241 147.232.196.201 10849 -> XX.XX.88.74 40829
06/12/2003 11:33:25 EC03F241 147.232.196.201 10849 -> XX.XX.88.74 40829
06/12/2003 11:35:44 EC03F241 147.232.196.201 10849 -> XX.XX.88.74 40829
06/12/2003 11:42:51 EC03F241 147.232.196.201 10849 -> XX.XX.88.74 40829

And many one-to-many source IP probers, e.g.:

Date       Time     TCP Seq# Source Address  Port Target Address Port
06/12/2003 09:05:35 445A0CF0 210.170.253.17  0 -> XX.XX.2.39  44594
06/12/2003 09:11:21 5E078280 210.170.253.17  0 -> XX.XX.46.76 43927
06/12/2003 09:16:09  7D20203 210.170.253.17  0 -> XX.XX.158.85  45429
06/12/2003 09:22:02 9C214347 210.170.253.17  0 -> XX.XX.157.178 61118
06/12/2003 09:22:06 B311B137 210.170.253.17  0 -> XX.XX.77.25 3845
06/12/2003 09:24:14 9071F12D 210.170.253.17  0 -> XX.XX.80.242  60371
06/12/2003 09:24:28  98D3B2D 210.170.253.17  0 -> XX.XX.39.4  41641
06/12/2003 09:24:50 80CBE480 210.170.253.17  0 -> XX.XX.75.135  23663
06/12/2003 09:25:02 DBD4FD0F 210.170.253.17  0 -> XX.XX.13.150  33728

With occasional overlap:

Date       Time     TCP Seq# Source Address  Port Target Address Port
06/12/2003 06:14:31 EC03F241 210.170.253.17  0 -> XX.XX.88.74 40829

All of the packets have had nothing in the data field so I can't say much
more other than these statistical header numbers. I do agree with a previous
poster though who said something appears to be happening under our noses.

Ken Eichman                 Senior Scientist
Chemical Abstracts Service  IT Information Security
2540 Olentangy River Road   614-447-3600 ext. 3230
Columbus, OH 43210          keichman () cas org
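An added example (not part of the post above) showing how the daily unique-count chart and the one-to-one vs. one-to-many classification can be reproduced from log lines in the format the post uses; the sample lines are constructed from the post's own excerpts, and the regex assumes the column layout shown there (hex seq#, decimal ports, masked destination /16).

```python
import re
from collections import defaultdict

# Constructed sample, copied in the layout of the post's excerpts.
SAMPLE_LOG = """\
06/12/2003 10:23:24 EC03F241 147.232.196.201 10849 -> XX.XX.88.74 40829
06/12/2003 10:42:20 EC03F241 147.232.196.201 10849 -> XX.XX.88.74 40829
06/12/2003 10:42:42 EC03F241 147.232.196.201 10849 -> XX.XX.88.74 40829
06/12/2003 09:05:35 445A0CF0 210.170.253.17  0 -> XX.XX.2.39  44594
06/12/2003 09:11:21 5E078280 210.170.253.17  0 -> XX.XX.46.76 43927
06/12/2003 09:16:09  7D20203 210.170.253.17  0 -> XX.XX.158.85  45429
06/12/2003 06:14:31 EC03F241 210.170.253.17  0 -> XX.XX.88.74 40829
"""

# Assumed column layout: date time seq# src sport -> dst dport
LINE_RE = re.compile(
    r"(?P<date>\d\d/\d\d/\d{4}) (?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<seq>[0-9A-Fa-f]+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\d+)"
)

def parse(text):
    """One dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def daily_unique_counts(records):
    """Per-day Hits plus unique SrcIP/SrcPort/DstIP/DstPort/Seq#, as in the chart."""
    keys = ("src", "sport", "dst", "dport", "seq")
    per_day = defaultdict(lambda: {"hits": 0, **{k: set() for k in keys}})
    for r in records:
        day = per_day[r["date"]]
        day["hits"] += 1
        for k in keys:
            day[k].add(r[k])
    return {d: {k: (v if k == "hits" else len(v)) for k, v in c.items()}
            for d, c in per_day.items()}

def classify_sources(records):
    """one-to-one: a source repeating one identical (seq, sport, dst, dport) tuple;
    one-to-many: a source sending distinct tuples to several destinations."""
    tuples = defaultdict(set)
    for r in records:
        tuples[r["src"]].add((r["seq"], r["sport"], r["dst"], r["dport"]))
    return {s: ("one-to-one" if len(t) == 1 else "one-to-many")
            for s, t in tuples.items()}

def overlaps(records):
    """Sequence numbers seen from more than one source (the 'occasional overlap')."""
    seq_src = defaultdict(set)
    for r in records:
        seq_src[r["seq"]].add(r["src"])
    return {seq: sorted(s) for seq, s in seq_src.items() if len(s) > 1}
```

Running `daily_unique_counts(parse(SAMPLE_LOG))` over a full day's log gives the same six columns as the chart in the post.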
