Incidents
Help with an odd log file... Jun 03 2003 09:03PM sec_slave hushmail com
Re: Help with an odd log file... Jun 05 2003 01:01PM Fabio Panigatti (ml-panigatti minerprint it)
> (unlike the first one) are involved, I arranged a simple honeypot, but
> until now only 126.123.252.5 still tries to connect.
IP address | src port
-----------------------
198.68.128.8 29301
205.251.214.254 38039
211.170.36.114 7325
217.208.230.223 33798
219.165.104.24 38039
62.110.19.3 6174
64.146.4.132 38039
64.219.62.94 38039
81.48.67.20 1025
A dozen routable IP addresses apparently contacted my honeypot but none of
them ACKed or RSTed my SYN/ACK (no response at all). I arranged a real-time
scanner to do a couple of probes on the source IP address in order to test
whether the host is up and running right when the SYN arrives (so I can find out if
the IP address was spoofed) and what operating system it is running. Maybe
the SYN/ACK is like a cookie forged by some backdoor: if the header fields
aren't the expected ones or the payload is empty (as it should be) and
doesn't contain some expected data, the client part drops the packets. Maybe
the "attacker" checks that the src IP is down before using it to spoof the
source of the packet (why?). Maybe the SYN/ACKs or the RSTs are enough for
the attacker's purposes.
I contacted some of the abuse desks of the originating networks. No reply
for now.
Below there's a [useless] snort trace of one connection attempt.
Fabio Panigatti
----------------------------------------------------------------------
06/06-16:50:11.764906 217.208.230.223:33798 -> <mioip>:41240
TCP TTL:107 TOS:0x38 ID:58793 IpLen:20 DgmLen:52
******S* Seq: 0x980D2856 Ack: 0x0 Win: 0xDA00 TcpLen: 32
TCP Options (6) => MSS: 1402 NOP WS: 2 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/06-16:50:11.765568 <mioip>:41240 -> 217.208.230.223:33798
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
***A**S* Seq: 0x6DB52C74 Ack: 0x980D2857 Win: 0x16D0 TcpLen: 32
TCP Options (6) => MSS: 1460 NOP NOP SackOK NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/06-16:50:15.762590 <mioip>:41240 -> 217.208.230.223:33798
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
***A**S* Seq: 0x6DB52C74 Ack: 0x980D2857 Win: 0x16D0 TcpLen: 32
TCP Options (6) => MSS: 1460 NOP NOP SackOK NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/06-16:50:21.762609 <mioip>:41240 -> 217.208.230.223:33798
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
***A**S* Seq: 0x6DB52C74 Ack: 0x980D2857 Win: 0x16D0 TcpLen: 32
TCP Options (6) => MSS: 1460 NOP NOP SackOK NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/06-16:50:33.962555 <mioip>:41240 -> 217.208.230.223:33798
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
***A**S* Seq: 0x6DB52C74 Ack: 0x980D2857 Win: 0x16D0 TcpLen: 32
TCP Options (6) => MSS: 1460 NOP NOP SackOK NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/06-16:50:57.962580 <mioip>:41240 -> 217.208.230.223:33798
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
***A**S* Seq: 0x6DB52C74 Ack: 0x980D2857 Win: 0x16D0 TcpLen: 32
TCP Options (6) => MSS: 1460 NOP NOP SackOK NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/06-16:51:46.162567 <mioip>:41240 -> 217.208.230.223:33798
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
***A**S* Seq: 0x6DB52C74 Ack: 0x980D2857 Win: 0x16D0 TcpLen: 32
TCP Options (6) => MSS: 1460 NOP NOP SackOK NOP WS: 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
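As an added example (not part of the original post), a small Python script that reads a Snort trace like the one above, groups packets into flows, and flags flows where the honeypot's SYN/ACK was retransmitted but never drew an ACK or RST from the source, which is the pattern Fabio describes. The honeypot address 192.0.2.1 stands in for <mioip>, and the second flow from 198.51.100.7 is constructed to show what a completed handshake looks like by contrast.

```python
import re
from collections import defaultdict
from datetime import datetime
# Snort record: header line, optional "TCP TTL..." line, then the 8-column flag field (1 2 U A P R S F, '*' = clear).
REC = re.compile(r"(\d\d/\d\d-[\d:.]+) (\S+):(\d+) -> (\S+):(\d+)\n(?:TCP TTL.*\n)?([*12UAPRSF]{8}) Seq:")

def parse_trace(text):
    """One (time, src, sport, dst, dport, flags) tuple per Snort packet record; other lines are skipped."""
    return [(datetime.strptime(t, "%m/%d-%H:%M:%S.%f"), s, int(sp), d, int(dp), fl)
            for t, s, sp, d, dp, fl in REC.findall(text)]

def classify_flows(pkts, local_ip):
    """Per (remote_ip, remote_port, local_port): did our SYN/ACK ever draw an ACK or RST back?"""
    flows = defaultdict(lambda: {"syn_in": 0, "synack_out": [], "reply_in": False})
    for t, src, sp, dst, dp, fl in pkts:
        if dst == local_ip and "S" in fl and "A" not in fl:
            flows[(src, sp, dp)]["syn_in"] += 1
        elif dst == local_ip and ("A" in fl or "R" in fl):
            flows[(src, sp, dp)]["reply_in"] = True   # ACK completes, RST aborts: either proves the source saw our SYN/ACK
        elif src == local_ip and "S" in fl and "A" in fl:
            flows[(dst, dp, sp)]["synack_out"].append(t)
    out = {}
    for key, f in flows.items():
        tx = f["synack_out"]
        verdict = "completed" if f["reply_in"] else "unanswered" if f["syn_in"] and tx else "other"
        # Gaps between our SYN/ACK retransmits: the kernel backs off roughly doubling (4, 6, 12, 24, 48 s in the post).
        out[key] = {"verdict": verdict, "synack_retries": max(len(tx) - 1, 0),
                    "backoff_s": [round((b - a).total_seconds()) for a, b in zip(tx, tx[1:])]}
    return out

# Constructed sample: the post's flow (192.0.2.1 stands in for <mioip>) plus one flow that completed.
SAMPLE = """\
06/06-16:50:11.764906 217.208.230.223:33798 -> 192.0.2.1:41240
******S* Seq: 0x980D2856 Ack: 0x0 Win: 0xDA00 TcpLen: 32
06/06-16:50:11.765568 192.0.2.1:41240 -> 217.208.230.223:33798
***A**S* Seq: 0x6DB52C74 Ack: 0x980D2857 Win: 0x16D0 TcpLen: 32
06/06-16:50:15.762590 192.0.2.1:41240 -> 217.208.230.223:33798
***A**S* Seq: 0x6DB52C74 Ack: 0x980D2857 Win: 0x16D0 TcpLen: 32
06/06-16:50:21.762609 192.0.2.1:41240 -> 217.208.230.223:33798
***A**S* Seq: 0x6DB52C74 Ack: 0x980D2857 Win: 0x16D0 TcpLen: 32
06/06-17:02:03.100000 198.51.100.7:40000 -> 192.0.2.1:41240
******S* Seq: 0x11111111 Ack: 0x0 Win: 0x4000 TcpLen: 20
06/06-17:02:03.100700 192.0.2.1:41240 -> 198.51.100.7:40000
***A**S* Seq: 0x22222222 Ack: 0x11111112 Win: 0x16D0 TcpLen: 20
06/06-17:02:03.180000 198.51.100.7:40000 -> 192.0.2.1:41240
***A**** Seq: 0x11111112 Ack: 0x22222223 Win: 0x4000 TcpLen: 20"""

if __name__ == "__main__":
    for flow, info in classify_flows(parse_trace(SAMPLE), "192.0.2.1").items():
        print(flow, info)
```

An "unanswered" verdict on its own cannot separate a spoofed source from a client that deliberately ignores the SYN/ACK; it only tells you which remote addresses are worth the follow-up checks the post describes.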