nanog mailing list archives

Re: Very Strange - TCP SWEEP Alerts / Inconsistent with traffic on system


From: John Kristoff <jtk () cymru com>
Date: Sun, 27 Jun 2010 21:32:41 -0500

On Sun, 27 Jun 2010 17:22:51 -0400 (EDT)
khatfield () socllc net wrote:

> Here is an example report we received from AT&T:
> 04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP]
> (total=23,dp=1024,min=212.1.185.6,max=212.1.191.127,Jun27-04:21:01,Jun27-04:29:26)
> (USI-amsxaid01) 04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP]
> (total=16,dp=3072,min=212.1.189.1,max=212.1.188.118,Jun27-04:21:15,Jun27-04:29:09)
> (USI-amsxaid01) 04:36:44 x.x.x.x 0.0.0.0 [TCP-SWEEP]

This looks like the trademark signature of back scatter as a result of
someone using the juno.c or derivative code to SYN flood a host.  You
are most likely getting this traffic from a host that is getting
attacked.  In the juno.c code you'll see this:

     syn->sport           = htons(1024 + (random() & 2048));

A random number is ANDed against 2048, the result is then added to
1024.  What will be added is always either 0 or 2048, because 2048 has
only one bit set.  1024 + 2048 = 3072.  Therefore, syn->sport will only
ever equal 1024 or 3072.  Or in your case, it shows up as the dport on
the way back.

John
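As an added example (not part of the thread, and not code from juno.c), the following Python reproduces the reasoning above and turns it into a check a defender can run over AT&T-style TCP-SWEEP report lines: it enumerates every value `1024 + (random() & 2048)` can take, then flags reported sources whose sweep destination ports fall only inside that set. The report lines, the 198.51.100.x source addresses standing in for x.x.x.x, and the function names are constructed for this example.

```python
from __future__ import annotations

import re
from collections import defaultdict


def juno_source_ports(bits: int = 13) -> set:
    """Enumerate every value of 1024 + (r & 2048) for r in [0, 2**bits).

    random() returns a much wider value, but `& 2048` only inspects bit 11
    of it, so enumerating 13 bits is exhaustive: the result set is
    {1024, 3072} no matter how wide random() actually is.
    """
    return {1024 + (r & 2048) for r in range(1 << bits)}


# The only source ports a juno.c-style flooder can emit.  The victim's
# SYN/ACK replies carry that value as their destination port, which is
# the field the AT&T report labels "dp".
JUNO_PORTS = juno_source_ports()

# One TCP-SWEEP record per line, following the format quoted in the thread.
SWEEP_RE = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+\[TCP-SWEEP\]\s*"
    r"\(total=(?P<total>\d+),dp=(?P<dp>\d+),"
    r"min=(?P<min>[\d.]+),max=(?P<max>[\d.]+),"
    r"(?P<first>[^,]+),(?P<last>[^)]+)\)"
)

# Constructed sample: the two records from the thread with 198.51.100.7
# (documentation range) in place of x.x.x.x, plus one made-up record for a
# different source sweeping port 445 as a contrast.
SAMPLE_REPORT = [
    "04:29:27 198.51.100.7 0.0.0.0 [TCP-SWEEP] (total=23,dp=1024,"
    "min=212.1.185.6,max=212.1.191.127,Jun27-04:21:01,Jun27-04:29:26) (USI-amsxaid01)",
    "04:29:27 198.51.100.7 0.0.0.0 [TCP-SWEEP] (total=16,dp=3072,"
    "min=212.1.189.1,max=212.1.188.118,Jun27-04:21:15,Jun27-04:29:09) (USI-amsxaid01)",
    "04:36:44 198.51.100.9 0.0.0.0 [TCP-SWEEP] (total=40,dp=445,"
    "min=212.1.185.1,max=212.1.185.254,Jun27-04:30:00,Jun27-04:36:40) (USI-amsxaid01)",
]


def parse_sweep(line: str):
    """Parse one report line; return None for lines that are not TCP-SWEEP records."""
    m = SWEEP_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["total"] = int(rec["total"])
    rec["dp"] = int(rec["dp"])
    return rec


def classify_report(lines) -> dict:
    """Group records by reported source and give each source a verdict.

    A source whose sweep destination ports are *all* in JUNO_PORTS matches
    the backscatter pattern described in the thread; anything else is
    treated as a sweep that needs to be investigated on its own merits.
    """
    ports_by_src = defaultdict(set)
    for line in lines:
        rec = parse_sweep(line)
        if rec is not None:
            ports_by_src[rec["src"]].add(rec["dp"])
    verdicts = {}
    for src, ports in ports_by_src.items():
        if ports <= JUNO_PORTS:
            verdicts[src] = "likely SYN-flood backscatter (juno.c source ports %s)" % sorted(ports)
        else:
            verdicts[src] = "not the juno.c port pattern; ports %s need a real look" % sorted(ports)
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_report(SAMPLE_REPORT).items():
        print(f"{src}: {verdict}")
```

The subset test (`ports <= JUNO_PORTS`) is deliberately strict: a host that is both replying to a flood and genuinely scanning would show extra ports and fall out of the "backscatter" bucket, which is the conservative outcome for a triage script.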

