Incidents
RE: Help with an odd log file... Jun 06 2003 03:55PM
Golden Faron P Contr HQ SSG/SWSN (Faron Golden Gunter AF mil) (1 reply)
Re(2): Help with an odd log file... Jun 09 2003 04:11PM
Ken Eichman (keichman cas org)
I began noticing this "random" packet activity during the last week of May,
and sent a note to CERT on 5/29. What I'm seeing is a one-to-one relationship
between most source IP/port and destination IP/port packets. However from a few
source IP's there is a one-to-many source-to-destination relationship. What is
interesting is the exact same packets (sent from a one-to-many source) also
show up from a one-to-one source. I.e., 151.11.190.23 and 133.220.162.119 are
one-to-one sources, and 24.118.114.71 is a one-to-many source:

Date Time TCP Seq# Source Address Port Target Address Port
05/29/2003 02:54:01 4E4CC713 151.11.190.23 25886 -> XXX.XX.1.251 24141
05/29/2003 03:10:15 4E4CC713 151.11.190.23 25886 -> XXX.XX.1.251 24141
05/29/2003 06:10:23 4E4CC713 151.11.190.23 25886 -> XXX.XX.1.251 24141
05/29/2003 06:10:53 4E4CC713 151.11.190.23 25886 -> XXX.XX.1.251 24141
05/29/2003 06:57:16 4E4CC713 151.11.190.23 25886 -> XXX.XX.1.251 24141
05/29/2003 07:34:44 4E4CC713 24.118.114.71 25886 -> XXX.XX.1.251 24141
05/29/2003 07:46:45 4E4CC713 151.11.190.23 25886 -> XXX.XX.1.251 24141
05/29/2003 09:44:14 4E4CC713 151.11.190.23 25886 -> XXX.XX.1.251 24141
05/29/2003 13:14:58 4E4CC713 151.11.190.23 25886 -> XXX.XX.1.251 24141

Date Time TCP Seq# Source Address Port Target Address Port
05/29/2003 01:51:38 4AE14A35 133.220.162.119 24190 -> XXX.XX.101.195 29888
05/29/2003 04:45:23 4AE14A35 133.220.162.119 24190 -> XXX.XX.101.195 29888
05/29/2003 05:00:56 4AE14A35 133.220.162.119 24190 -> XXX.XX.101.195 29888
05/29/2003 08:03:52 4AE14A35 133.220.162.119 24190 -> XXX.XX.101.195 29888
05/29/2003 09:26:24 4AE14A35 24.118.114.71 24190 -> XXX.XX.101.195 29888
05/29/2003 09:38:56 4AE14A35 133.220.162.119 24190 -> XXX.XX.101.195 29888
05/29/2003 11:05:52 4AE14A35 133.220.162.119 24190 -> XXX.XX.101.195 29888
05/29/2003 11:43:30 4AE14A35 133.220.162.119 24190 -> XXX.XX.101.195 29888
05/29/2003 13:38:50 4AE14A35 133.220.162.119 24190 -> XXX.XX.101.195 29888

Date Time TCP Seq# Source Address Port Target Address Port
05/29/2003 05:57:29 D5A3071E 24.118.114.71 2538 -> XXX.XX.114.255 49961
05/29/2003 06:03:25 41956321 24.118.114.71 20718 -> XXX.XX.109.63 4187
05/29/2003 06:03:53 5CFA533B 24.118.114.71 29026 -> XXX.XX.194.108 40519
05/29/2003 06:08:40 5A726357 24.118.114.71 60991 -> XXX.XX.247.55 56598
05/29/2003 06:15:57 F1E1FEAB 24.118.114.71 9997 -> XXX.XX.240.152 47417
05/29/2003 06:28:38 8ABCF738 24.118.114.71 20822 -> XXX.XX.129.210 16730
05/29/2003 06:29:49 97FB428B 24.118.114.71 28706 -> XXX.XX.121.129 9987
05/29/2003 06:30:22 43BD0FEB 24.118.114.71 4133 -> XXX.XX.205.32 28789
05/29/2003 06:30:35 B869A537 24.118.114.71 45387 -> XXX.XX.115.132 31733
05/29/2003 06:44:15 300E57D 24.118.114.71 44483 -> XXX.XX.82.132 11984
05/29/2003 07:03:42 DFD2ABFB 24.118.114.71 48202 -> XXX.XX.234.114 5076
05/29/2003 07:07:02 7A8CE2CC 24.118.114.71 25213 -> XXX.XX.25.27 60786
05/29/2003 07:09:44 F5CBEF9 24.118.114.71 8627 -> XXX.XX.201.206 5423
05/29/2003 07:13:09 15D1640 24.118.114.71 24543 -> XXX.XX.247.36 6853
05/29/2003 07:20:16 C4CA567D 24.118.114.71 23306 -> XXX.XX.60.208 39526
05/29/2003 07:27:17 38827CA8 24.118.114.71 2181 -> XXX.XX.10.48 35124
05/29/2003 07:34:44 4E4CC713 24.118.114.71 25886 -> XXX.XX.1.251 24141
05/29/2003 07:40:29 DCFD34AD 24.118.114.71 18589 -> XXX.XX.140.100 17423
05/29/2003 07:42:09 EDDC48AB 24.118.114.71 23431 -> XXX.XX.51.2 1561
05/29/2003 07:43:07 190779F8 24.118.114.71 40084 -> XXX.XX.93.87 41864
05/29/2003 07:47:22 5B81F638 24.118.114.71 2612 -> XXX.XX.83.253 44231
05/29/2003 07:50:45 356511C8 24.118.114.71 7851 -> XXX.XX.32.127 3696
05/29/2003 07:52:23 26DFBD4C 24.118.114.71 19327 -> XXX.XX.86.3 56459
05/29/2003 07:54:47 4A911F4E 24.118.114.71 43070 -> XXX.XX.194.161 12178
05/29/2003 08:00:21 65A86341 24.118.114.71 32001 -> XXX.XX.180.49 25795
05/29/2003 08:00:38 DE844A88 24.118.114.71 26637 -> XXX.XX.134.160 42131
05/29/2003 08:05:06 88D4A8D6 24.118.114.71 12839 -> XXX.XX.251.235 62720
05/29/2003 08:06:06 E126DEE7 24.118.114.71 48685 -> XXX.XX.116.222 22370
05/29/2003 08:27:05 3743AF56 24.118.114.71 53435 -> XXX.XX.2.35 60068
05/29/2003 08:33:25 105F811C 24.118.114.71 64651 -> XXX.XX.221.117 35672
05/29/2003 08:42:16 96DC2BDD 24.118.114.71 14954 -> XXX.XX.83.32 4960
05/29/2003 08:45:04 456DD9B 24.118.114.71 54565 -> XXX.XX.104.62 13647
05/29/2003 08:46:34 116F092B 24.118.114.71 21331 -> XXX.XX.90.82 58567
05/29/2003 08:48:34 F1B17406 24.118.114.71 54592 -> XXX.XX.146.197 59874
05/29/2003 08:48:55 33B6C200 24.118.114.71 50594 -> XXX.XX.47.13 41173
05/29/2003 08:50:46 663F481C 24.118.114.71 45481 -> XXX.XX.119.84 62644
05/29/2003 08:55:06 79557574 24.118.114.71 56763 -> XXX.XX.3.137 46403
05/29/2003 08:58:14 2A2E0F 24.118.114.71 1487 -> XXX.XX.212.19 60113
05/29/2003 09:10:01 CA20FA3 24.118.114.71 56489 -> XXX.XX.95.205 34095
05/29/2003 09:10:34 CEC1EE6C 24.118.114.71 33815 -> XXX.XX.64.38 38416
05/29/2003 09:11:45 C866877F 24.118.114.71 19616 -> XXX.XX.185.95 46190
05/29/2003 09:17:00 1DD996BD 24.118.114.71 17281 -> XXX.XX.169.40 9518
05/29/2003 09:21:37 58F4C371 24.118.114.71 17322 -> XXX.XX.52.221 35834
05/29/2003 09:22:52 5843AA36 24.118.114.71 34719 -> XXX.XX.4.92 18034
05/29/2003 09:26:24 4AE14A35 24.118.114.71 24190 -> XXX.XX.101.195 29888
05/29/2003 09:32:53 B24A4779 24.118.114.71 54980 -> XXX.XX.224.35 49977

Over the weekend of 5/31-6/1 I was seeing these packets from 660 unique
source addresses. This has slowly grown to 2200 source addresses this
past weekend (6/7-6/8).

All I'm capturing here are empty SYN packets -- sometimes, but rarely
followed by a RST:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/07-20:32:09.679693 202.232.48.93:62081 -> XXX.XX.40.142:32433
TCP TTL:113 TOS:0x0 ID:723 IpLen:20 DgmLen:52
******S* Seq: 0x202F0239 Ack: 0x0 Win: 0xDA00 TcpLen: 32
TCP Options (6) => MSS: 1460 NOP WS: 2 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/08-09:59:20.304527 24.118.114.71:62081 -> XXX.XX.40.142:32433
TCP TTL:113 TOS:0x0 ID:723 IpLen:20 DgmLen:52
******S* Seq: 0x202F0239 Ack: 0x0 Win: 0xDA00 TcpLen: 32
TCP Options (6) => MSS: 1460 NOP WS: 2 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/08-09:59:25.782971 24.118.114.71:62081 -> XXX.XX.40.142:32433
TCP TTL:113 TOS:0x0 ID:59520 IpLen:20 DgmLen:40
*****R** Seq: 0x202F023A Ack: 0x202F023A Win: 0x0 TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

On the surface it looks like a slowly spreading worm, but I haven't seen
anything from it besides a lot of TCP background noise.

Ken Eichman Senior Scientist
Chemical Abstracts Service IT Information Security
2540 Olentangy River Road 614-447-3600 ext. 3230
Columbus, OH 43210 keichman (at) cas (dot) org [email concealed]

> From incidents-return-5774-keichman=cas.org (at) securityfocus (dot) com [email concealed] Mon Jun 9 11:37:32 2003
> Subject: RE: Help with an odd log file...
> Date: Fri, 6 Jun 2003 10:55:25 -0500
> From: "Golden Faron P Contr HQ SSG/SWSN" <Faron.Golden (at) Gunter.AF (dot) mil [email concealed]>
> To: <sec_slave (at) hushmail (dot) com [email concealed]>, <intrusions (at) incidents (dot) org [email concealed]>,
> <incidents (at) securityfocus (dot) com [email concealed]>
>
> Based on observations here, the strange packets are showing up
> everywhere. Try running a capture that triggers on Window Size of 55808
> and see what you find...Have been seeing a steadily increasing flow of
> packets like the ones described below..Some interesting things are that
> once a random source sends a SYN packet from a random port to a random
> destination on a random host, the packet is repeated at irregular
> intervals. Same source port, same source host, same destination host,
> same destination port, same Sequence number, same window size...
>
> Still no explanation
>
>> -----Original Message-----
>> From: sec_slave (at) hushmail (dot) com [email concealed] [mailto:sec_slave (at) hushmail (dot) com [email concealed]]
>> Sent: Tuesday, June 03, 2003 4:04 PM
>> To: intrusions (at) incidents (dot) org [email concealed]; incidents (at) securityfocus (dot) com [email concealed]
>> Subject: Help with an odd log file...
>>
>>
>> Hello.
>>
>> I am looking for some assistance in trying to identify the nature of
>> a suspected scan/attack against my corporate network.
>>
>> The scan/attack includes spoofed source addresses that cover a wide range
>> of IP networks. There is also a relationship between source and
>> destination addresses and ports for each entry. Each combination of
>> address and port information appears between 3 and 8 times, all trickled
>> in over a 3 day period. Normally, something like this might be identified
>> as a TCP SYN SCAN, but the traffic is coming in too slowly and the
>> destination ports are all upper level ports (as you can see).
>>
>> The pattern is one with which I am not familiar and would appreciate
>> your assistance in identifying.
>>
>> Thnx,
>>
>>
>> Sorted by source IP:
>>
>> Date/Time Source IP/Port Dest IP/Port
>> May 25 13:53:48 2.66.161.64:55518 XX6.X37.153.7:61323
>>
>> < snip. >
>>
>> Captured Frame Sample:
>>
>> < snip.>

Copyright 2010, SecurityFocus