RE: Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log f ile...)

["Taylor, David" <ltr () nursing upenn edu>]

The fact that some of the source ip addresses are real addresses doesn't
actually mean the packet came from that address.  I'm running a LaBrea
Tarpit in hopes of sticking one of these connections and have had no luck so
far.  Half the time I get an ICMP UNREACHABLE returned from my SYN/ACK.
Sometimes I get an RST and sometimes it just disappears into thin air.

One thing that I really don't understand about this windows size thingy is
all the focus is being set just on that window size.  I'm curious if this
window size is just some kind of pre-attack probe putting zombies into
'attack mode' where they would then listen for say window size of 60000 to
launch the attack or telling it to arm itself and opening up a port for
further instructions.  Who knows. One thing that is for certain though, for
the trojan/whatever to get planted in the first place it has to be done via
exploitable means via conventional methods such as netbios exploitation,
email attachments, etc.

I'm currently filtering out common worm ports on my tarpit in hopes of
identifying other anomalies that don't fit into the normal weird categories.
If I come up with anything I'll let everyone know.

Dave 

-----Original Message-----
From: Anders Reed Mohn [mailto:anders_rm () utepils com] 
Sent: Tuesday, June 17, 2003 6:29 AM
To: incidents () securityfocus com
Subject: Re: Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log
file...)


Forgive me if this just ends up in a stupid question, but having watched
this thread for a while now, it strikes me 
as odd that noone has been able to trace the origin of any 
of these packets yet.
These packets are now widely known (and have been 
discussed on other lists, in the news etc, as well), and there 
are quite a few network admins aware of this.

Is it not possible for a few to get together and track down at 
least _one_ source computer?

It seems to me that you are all putting a awful lot of effort in logging and
tracking and making statistics. This is of course a good thing, but if we
want to figure this thing out, there's more that need to be done.

I know.. spoofed addresses.. but that
does not mean we cannot trace packets to a certain extent.
A shitty job, but unfortunately the only way of going about this, if we want
to track it down for real. Also, it seems from some posters that not all
sources are spoofed.

Are you guys talking to your ISP's about this? I am sure the average ISP has
at least one techhead that would be interested in digging a little in this,
and I am guessing that several ISPs read this list as well. I'm not
currently working as a network admin, so I'm not in a position to do much
hunting in logs myself, unfortunately.
 
So, what's happenin' dudes? Can we mount a common effort to track 
this down?
Any ISP techs reading this, who sees these packets coming out from their
networks? Do you contact the "offenders"?

Cheers,
Anders :)

----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training
sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's
to 
"underground" security specialists.  See for yourself what the buzz is
about!  
Early-bird registration ends July 3.  This event will sell out.
www.blackhat.com
----------------------------------------------------------------------------

----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------