Security Incidents mailing list archives

Re: Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log file...)


From: Mike <mike () rockynet com>
Date: Fri, 13 Jun 2003 14:59:57 -0600

Fabio Panigatti wrote:

Well... it's also likely that my host isn't really a node of the trojan/bot
net but that was erroneously inserted in some IP addresses database.

I am monitoring a fallow /21, at least 50% of which has never been routed by us and quite possibly never in use on the Internet at all. It is receiving large amounts of this traffic. I believe, from what I am seeing, that the destination hosts are randomly chosen.

I dumped a very small excerpt of some of the traffic here, grouped by destination address:

http://multiversity.net/55808.html

Interesting to note the seq id #'s are unique per target host, but persistently the same across multiple probes. Why is the source of this bothering to spend CPU cycles generating a unique seq #? (possibly to minimize the number of points at which it can be filtered? or is it truly random, vs. a hash of other characteristics?)

Also interesting to note that some IPs are hit multiple times in my sample period, while others received none. I.e., in an hour, I might see 3-4 targets in a given /24, but each receives 2-10 hits.

One alternative to the trojan theory is that this is some type of one-to-many TCP/IP steganography where the recipients' IP addresses are unknown, à la:
http://www.firstmonday.dk/issues/issue2_5/rowland/
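The grouping Mike describes (probes bucketed by destination, with the window size and sequence number compared across hits) can be checked mechanically. The following is an added example, not code from the post or the thread; it parses constructed tcpdump-style SYN lines (the line format is an assumption) and reports destinations with window 55808 whose sequence number never changed across multiple probes.

```python
import re
from collections import defaultdict

# tcpdump-style SYN line (constructed format; field layout of a real capture may differ).
SYN_RE = re.compile(r"IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.\d+: Flags \[S\], "
                    r"seq (?P<seq>\d+), win (?P<win>\d+)")
SUSPECT_WINDOW = 55808  # the window size the thread is about

def parse_syn(line):
    """Return (src, dst, seq, win) for a matching SYN line, else None."""
    m = SYN_RE.search(line)
    return (m["src"], m["dst"], int(m["seq"]), int(m["win"])) if m else None

def group_by_destination(lines, window=SUSPECT_WINDOW):
    """Group SYNs carrying the suspect window by destination.
    Result: {dst: {"hits": n, "sources": set(), "seqs": set()}}."""
    groups = defaultdict(lambda: {"hits": 0, "sources": set(), "seqs": set()})
    for line in lines:
        parsed = parse_syn(line)
        if parsed is None or parsed[3] != window:
            continue  # not a SYN, or an ordinary window size
        src, dst, seq, _ = parsed
        g = groups[dst]
        g["hits"] += 1
        g["sources"].add(src)
        g["seqs"].add(seq)
    return dict(groups)

def fixed_seq_targets(groups):
    """Destinations hit more than once whose sequence number never changed across probes."""
    return sorted(d for d, g in groups.items() if g["hits"] > 1 and len(g["seqs"]) == 1)

# Constructed sample lines, not from the original capture.
SAMPLE = [
    "IP 203.0.113.9.3121 > 192.0.2.17.80: Flags [S], seq 1842963771, win 55808, length 0",
    "IP 198.51.100.4.60022 > 192.0.2.17.443: Flags [S], seq 1842963771, win 55808, length 0",
    "IP 203.0.113.77.1024 > 192.0.2.17.22: Flags [S], seq 1842963771, win 55808, length 0",
    "IP 198.51.100.200.4455 > 192.0.2.40.25: Flags [S], seq 3319020117, win 55808, length 0",
    "IP 198.51.100.200.4456 > 192.0.2.40.25: Flags [S], seq 3319020117, win 55808, length 0",
    "IP 203.0.113.5.51001 > 192.0.2.99.80: Flags [S], seq 77123, win 65535, length 0",
    "IP 203.0.113.5.51002 > 192.0.2.99.80: Flags [S], seq 77124, win 65535, length 0",
]

if __name__ == "__main__":
    groups = group_by_destination(SAMPLE)
    for dst in fixed_seq_targets(groups):
        g = groups[dst]
        print(f"{dst}: {g['hits']} probes from {len(g['sources'])} sources, seq fixed")
```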
