Snort mailing list archives
Re: BAD TRAFFIC data in TCP SYN packet
From: Laurie Zirkle <lat () cns vt edu>
Date: Tue, 15 Jan 2002 07:40:10 -0500
Here's the explanation I received last year when pursuing this further: "This system is a 3DNS box from F5. It performs data center load balancing by trying to determine which data center you are closest to and routes you there. It does this through some pretty strange and intrusive ways and it looks like this box was not brought up in one of the approved configurations. Pounding port 53 is one of the intrusive things the product is know to do. I've passed it on to the folks who created that approved configuration and police the misconfigured boxes." Of course, it took repeated messages and finally blocking them to get this to stop. And this was the only "real" message about this whole mess I got back from them. I saw this on one of our nameservers from Sep 22 20:33:37 -> Oct 2 05:32:19 and on another one from Oct 24 08:02:57 -> Nov 4 21:53:26. And I noticed over this past weekend that it's started again to yet another of our nameservers. -- Laurie
From the fingers of Martin Roesch: Generally speaking, you're not supposed to send application data in the SYN packet (it's bad form to send application layer data before the connection is even established), that's what this alert is firing on. It's probably just a bad stack implementation. -Marty Matt Kettler wrote:Well, the port 29291 is just a random local port.. This is a syn packet remember, so the service being used is on destination end, and is port 53 (dns). so, 207.46.106.84 has decided that 172.40.20.235 might be a dns server, and has attempted to connect to it via TCP (it is unusual, but legal for a DNS server to be contacted via tcp instead of UDP). I've seen some similar traffic myself from a pair of DNS servers directed at the local DNS server here.. the TCP syn packets contain several bytes of data which are all 00's. It is strange (AFAIK it is not legal to send data with a syn packet.. you haven't negotiated a connection yet), but it appears to be an artifact of a buggy tcp/ip implementation.. Or who knows, it may be an artifact of some obscure, buggy worm or scanning tool that looks at DNS servers and uses raw sockets instead of the local TCP/IP stack. Even if it is from some obscure hacking tool, the syn packets themselves appear harmless. At 07:39 AM 1/14/2002 +0100, you wrote:Hi! I get a lot of 01/14-02:24:17.089098 [**] [1:526:3] BAD TRAFFIC data in TCP SYN packet [**] [Classification: Misc activity] [Priority: 3] {TCP} 207.46.106.84:29291 -> 172.40.20.235:53 172.40.20.235 is my DNS server, but why would clients put data in the syn packets? According to RIPE, the source address is "ALLOCATED UNSPECIFIED", so I can't find out who's doing this. It comes from a limited number of addresses, they all seem to be 207.xx.xxx.xxx.
-- Laurie _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- BAD TRAFFIC data in TCP SYN packet Lars Jørgensen IT (Jan 13)
- Re: BAD TRAFFIC data in TCP SYN packet Chris Keladis (Jan 13)
- Re: BAD TRAFFIC data in TCP SYN packet Matt Kettler (Jan 14)
- Re: BAD TRAFFIC data in TCP SYN packet Dewey Paciaffi (Jan 14)
- Re: BAD TRAFFIC data in TCP SYN packet Martin Roesch (Jan 14)
- Re: BAD TRAFFIC data in TCP SYN packet Laurie Zirkle (Jan 15)
- <Possible follow-ups>
- Re: BAD TRAFFIC data in TCP SYN packet Tudor Panaitescu (Jan 14)
- SV: BAD TRAFFIC data in TCP SYN packet Lars Jørgensen IT (Jan 14)
- Re: SV: BAD TRAFFIC data in TCP SYN packet Matt Kettler (Jan 14)
- Re: SV: BAD TRAFFIC data in TCP SYN packet Dan Hollis (Jan 14)
- Re: SV: BAD TRAFFIC data in TCP SYN packet Matt Kettler (Jan 14)
- RE: SV: BAD TRAFFIC data in TCP SYN packet Austad, Jay (Jan 15)
- RE: SV: BAD TRAFFIC data in TCP SYN packet Dan Hollis (Jan 15)
- RE: SV: BAD TRAFFIC data in TCP SYN packet Matt Kettler (Jan 15)
- RE: SV: BAD TRAFFIC data in TCP SYN packet Dan Hollis (Jan 15)