Incidents
Re: [Pinguzilla] Weird Traffic May 28 2008 09:16PM
Jonathan Adams (keirre adams gmail com) (1 replies)
Well... I got the results of an 11hr TCPDUMP run.. and it shows...
NOTHING.. a couple of probes, lots of network traffic (router
messages, ARP requests, Windows NETBIOS noise from my ISP's lan) only
got a few probes today... apparently the FW rules shut down most of
the traffic for now.

What is weird is this: my ipfw has this

07700 deny log ip from 82.0.0.0/8 to any
07800 deny log ip from any to 82.0.0.0/8

yet the TCP dump shows this:

<pdml>
<packet>
<proto name="geninfo" longname="General information" pos="0" size="66">
<field name="num" longname="Number" showvalue="117" value="117"
pos="0" size="66"/>
<field name="linklayer" longname="Link Layer" showvalue="1" value="1"
showmap="Ethernet" pos="0" size="66"/>
<field name="len" longname="Packet Length" showvalue="66" value="66"
pos="0" size="66"/>
<field name="caplen" longname="Captured Length" showvalue="66"
value="66" pos="0" size="66"/>
<field name="timestamp" longname="Captured Time"
showvalue="09:44:09.621223" value="1211982249.621223" pos="0"
size="66"/>
</proto>
<proto name="ethernet" longname="Ethernet 802.3" pos="0" size="14">
<field name="dst" longname="MAC Destination" size="6" pos="0"
value="000D6103491A" showvalue="000D61-03491A" showdtl="000D61-03491A
(Unicast address, vendor code not available)" showmap="code not
available" />
<field name="src" longname="MAC Source" size="6" pos="6"
value="00D00247B3FC" showvalue="00D002-47B3FC" showdtl="00D002-47B3FC
(Unicast address, vendor code not available)" showmap="code not
available" />
<field name="type" longname="Ethertype - Length" size="2" pos="12"
value="0800" showvalue="2048" showdtl="0x0800 (Ethertype)" />
</proto>
<proto name="ip" longname="IPv4 (Internet Protocol version 4)"
pos="14" size="20">
<field name="ver" longname="Version" size="1" pos="14" value="45"
mask="f0" showvalue="4" />
<field name="hlen" longname="Header length" size="1" pos="14"
value="45" mask="0f" showvalue="5" showdtl="20 (field value = 5)" />
<field name="tos" longname="Type of service" size="1" pos="15"
value="00" showvalue="0x00" />
<field name="tlen" longname="Total length" size="2" pos="16"
value="0034" showvalue="52" />
<field name="identification" longname="Identification" size="2"
pos="18" value="3612" showvalue="13842" />
<field name="ffo" longname="Flags and Fragment offset" size="2" pos="20" >
<field name="unused" longname="Unused" size="2" pos="20" value="4000"
mask="8000" showvalue="0b0..............." />
<field name="df" longname="Don't fragment" size="2" pos="20"
value="4000" mask="4000" showvalue="0b.1.............." />
<field name="mf" longname="More fragments" size="2" pos="20"
value="4000" mask="2000" showvalue="0b..0............." />
<field name="foffset" longname="Fragment offset" size="2" pos="20"
value="4000" mask="1fff" showvalue="0" showdtl="0 (field value = 0)"
/>
</field>
<field name="ttl" longname="Time to live" size="1" pos="22" value="38"
showvalue="56" />
<field name="nextp" longname="Next protocol" size="1" pos="23"
value="06" showvalue="6" />
<field name="hchecksum" longname="Header Checksum" size="2" pos="24"
value="452F" showvalue="0x452F" />
<field name="src" longname="Source address" size="4" pos="26"
value="52FC3B9C" showvalue="82.252.59.156" />
<field name="dst" longname="Destination address" size="4" pos="30"
value="4224F6C6" showvalue="66.36.246.198" />
</proto>
<proto name="tcp" longname="TCP (Transmission Control Protocol)"
pos="34" size="32">
<field name="sport" longname="Source port" size="2" pos="34"
value="0D7D" showvalue="3453" />
<field name="dport" longname="Destination port" size="2" pos="36"
value="0050" showvalue="80" />
<field name="seq" longname="Sequence number" size="4" pos="38"
value="B20A5764" showvalue="2987022180" />
<field name="ack" longname="Acknowledgement Number" size="4" pos="42"
value="00000000" showvalue="0" />
<field name="hlen" longname="Header length" size="2" pos="46"
value="8002" mask="f000" showvalue="8" showdtl="32 (field value = 8)"
/>
<field name="res" longname="Reserved (must be zero)" size="2" pos="46"
value="8002" mask="0fc0" showvalue="0x0000" />
<field name="flags" longname="Flags" size="2" pos="46" value="8002"
mask="003f" showvalue="0x0002" >
<field name="urg" longname="Urgent pointer" size="2" pos="46"
value="8002" mask="0020" showvalue="0b..........0....." />
<field name="ackf" longname="Ack valid" size="2" pos="46" value="8002"
mask="0010" showvalue="0b...........0...." />
<field name="push" longname="Push requested" size="2" pos="46"
value="8002" mask="0008" showvalue="0b............0..." />
<field name="rst" longname="Reset requested" size="2" pos="46"
value="8002" mask="0004" showvalue="0b.............0.." />
<field name="syn" longname="Syn requested" size="2" pos="46"
value="8002" mask="0002" showvalue="0b..............1." />
<field name="fin" longname="Fin requested" size="2" pos="46"
value="8002" mask="0001" showvalue="0b...............0" />
</field>
<field name="win" longname="Window size" size="2" pos="48"
value="FFFF" showvalue="65535" />
<field name="crc" longname="Checksum" size="2" pos="50" value="9085"
showvalue="0x9085" />
<field name="urg" longname="Urgent Pointer" size="2" pos="52"
value="0000" showvalue="0x0000" />
<field name="options" longname="TCP Options" size="12" pos="54" >
<field name="mss" longname="Maximum Segment Size" size="4" pos="54" >
<field name="type" longname="Type" size="1" pos="54" value="02" showvalue="2" />
<field name="length" longname="Option length" size="1" pos="55"
value="04" showvalue="4" />
<field name="maxssize" longname="Maximum Segment Size" size="2"
pos="56" value="0584" showvalue="1412" />
</field>
<field name="noperation" longname="No Operation" size="1" pos="58" >
<field name="type" longname="Type" size="1" pos="58" value="01" showvalue="1" />
</field>
<field name="winscale" longname="TCP Windows Scale Option" size="3" pos="59" >
<field name="type" longname="Type" size="1" pos="59" value="03" showvalue="3" />
<field name="length" longname="Option Length" size="1" pos="60"
value="03" showvalue="3" />
<field name="shift.cnt" longname="Shift Count" size="1" pos="61"
value="04" showvalue="4" />
</field>
<field name="noperation" longname="No Operation" size="1" pos="62" >
<field name="type" longname="Type" size="1" pos="62" value="01" showvalue="1" />
</field>
<field name="noperation" longname="No Operation" size="1" pos="63" >
<field name="type" longname="Type" size="1" pos="63" value="01" showvalue="1" />
</field>
<field name="sackpermitted" longname="Sack-Permitted Option" size="2" pos="64" >
<field name="type" longname="Type" size="1" pos="64" value="04" showvalue="4" />
<field name="length" longname="Option Length" size="1" pos="65"
value="02" showvalue="2" />
</field>
</field>
</proto>
</packet></pdml>

On Wed, May 28, 2008 at 5:20 AM, Jonathan Adams <keirre.adams (at) gmail (dot) com [email concealed]> wrote:
> John,
>
> I am running late for my real job :) but when i come back Ill run
> some more test and post the results.
>
> BTW, 1.5 GB transferred yesterday. there is no way this is valid web
> or ftp traffic... something is proxying through my box...
>
> Im sure of it
>
> On Tue, May 27, 2008 at 11:06 PM, John Duksta <john (at) duksta (dot) org [email concealed]> wrote:
>>
>> Jonathan,
>>
>> I'd be curious to get a copy of the list of networks that you're seeing this
>> traffic from. I work for a large managed security service provider and I
>> could cross reference these networks against data that we're seeing from our
>> corporate customers.
>>
>> Regards,
>> -john
>>
>>
>> On May 27, 2008, at 7:59 AM, Jonathan Adams wrote:
>>
>>> All,
>>>
>>> I have a leased server I use to host some websites and for the past
>>> week I have been getting traffic warnings. The server has been
>>> transferring > 1GB of data per day, which is unusually high,
>>> especially since I moved my mail to Google Apps. I have noticed a
>>> ridiculous amount of attempted proxying attemptes in my logs, but I do
>>> not have mod proxy turned on. I suspect my server is on some list. I
>>> firewalled off a large number of subnets from China and my traffic
>>> dropped for a few days, then this morning, 2735MB transferred in 24
>>> hrs.
>>>
>>> As of right now, I am planning to blackhole all China traffic, since
>>> thats where most of this is comming from, along with the occasional
>>> traffic from France and other places in Eur. Is this common? If so
>>> are there any other remedies?
>>>
>>> --
>>>
>>> "Strength does not come from physical capacity. It comes from an
>>> indomitable will." -
>>> Mohandas Gandhi
>>>
>>> _______________________________________________
>>> Pinguzilla mailing list
>>> Pinguzilla (at) as220 (dot) org [email concealed]
>>> http://www.as220.org/mailman/listinfo/pinguzilla
>>>
>>
>>
>
>
>
> --
> ___________________________
> Jon Adams
>
> web: http://www.scis.nova.edu/~jonaadam
> mail: keirre.adams (at) gmail (dot) com [email concealed]
> ---------------------------------------------
>
> "Strength does not come from physical capacity. It comes from an
> indomitable will." -
> Mohandas Gandhi
>

--
___________________________
Jon Adams

web: http://www.scis.nova.edu/~jonaadam
mail: keirre.adams (at) gmail (dot) com [email concealed]
---------------------------------------------

"Strength does not come from physical capacity. It comes from an
indomitable will." -
Mohandas Gandhi

[ reply ]
R: [Pinguzilla] Weird Traffic May 29 2008 08:47AM
Vega - Brunello Ivan (I Brunello vegaspa it)


 

Privacy Statement
Copyright 2010, SecurityFocus