Re: [Pinguzilla] Weird Traffic May 28 2008 09:16PM
Jonathan Adams (keirre adams gmail com) (1 replies)
R: [Pinguzilla] Weird Traffic May 29 2008 08:47AM
Vega - Brunello Ivan (I Brunello vegaspa it)
Definitely an outbound connection

value="52FC3B9C" showvalue="" /> <field name="dst" longname="Destination address" size="4" pos="30"

On most firewalls I know, applying a rule does not interrupt an active session.
I'd first reset all sessions, and then recheck that the firewall rules are correctly applied.
Next, change firewall/filtering technology.

Ivan Brunello

-----Original Message-----
From: Jonathan Adams [mailto:keirre.adams (at) gmail (dot) com [email concealed]]
Sent: Wednesday, 28 May 2008 23:16
To: John Duksta
Cc: incidents (at) securityfocus (dot) com [email concealed]
Subject: Re: [Pinguzilla] Weird Traffic

Well... I got the results of an 11hr tcpdump run... and it shows...
NOTHING. A couple of probes, lots of network traffic (router messages, ARP requests, Windows NetBIOS noise from my ISP's LAN). Only got a few probes today... apparently the FW rules shut down most of the traffic for now.

What is weird is this: my ipfw has this

07700 deny log ip from to any
07800 deny log ip from any to

yet the TCP dump shows this:

<proto name="geninfo" longname="General information" pos="0" size="66">
  <field name="num" longname="Number" showvalue="117" value="117" pos="0" size="66"/>
  <field name="linklayer" longname="Link Layer" showvalue="1" value="1" showmap="Ethernet" pos="0" size="66"/>
  <field name="len" longname="Packet Length" showvalue="66" value="66" pos="0" size="66"/>
  <field name="caplen" longname="Captured Length" showvalue="66" value="66" pos="0" size="66"/>
  <field name="timestamp" longname="Captured Time" showvalue="09:44:09.621223" value="1211982249.621223" pos="0"/>
</proto>
<proto name="ethernet" longname="Ethernet 802.3" pos="0" size="14">
  <field name="dst" longname="MAC Destination" size="6" pos="0" value="000D6103491A" showvalue="000D61-03491A" showdtl="000D61-03491A (Unicast address, vendor code not available)" showmap="code not available" />
  <field name="src" longname="MAC Source" size="6" pos="6" value="00D00247B3FC" showvalue="00D002-47B3FC" showdtl="00D002-47B3FC (Unicast address, vendor code not available)" showmap="code not available" />
  <field name="type" longname="Ethertype - Length" size="2" pos="12" value="0800" showvalue="2048" showdtl="0x0800 (Ethertype)" />
</proto>
<proto name="ip" longname="IPv4 (Internet Protocol version 4)" pos="14" size="20">
  <field name="ver" longname="Version" size="1" pos="14" value="45" mask="f0" showvalue="4" />
  <field name="hlen" longname="Header length" size="1" pos="14" value="45" mask="0f" showvalue="5" showdtl="20 (field value = 5)" />
  <field name="tos" longname="Type of service" size="1" pos="15" value="00" showvalue="0x00" />
  <field name="tlen" longname="Total length" size="2" pos="16" value="0034" showvalue="52" />
  <field name="identification" longname="Identification" size="2" pos="18" value="3612" showvalue="13842" />
  <field name="ffo" longname="Flags and Fragment offset" size="2" pos="20" >
    <field name="unused" longname="Unused" size="2" pos="20" value="4000" mask="8000" showvalue="0b0..............." />
    <field name="df" longname="Don't fragment" size="2" pos="20" value="4000" mask="4000" showvalue="0b.1.............." />
    <field name="mf" longname="More fragments" size="2" pos="20" value="4000" mask="2000" showvalue="0b..0............." />
    <field name="foffset" longname="Fragment offset" size="2" pos="20" value="4000" mask="1fff" showvalue="0" showdtl="0 (field value = 0)" />
  </field>
  <field name="ttl" longname="Time to live" size="1" pos="22" value="38" showvalue="56" />
  <field name="nextp" longname="Next protocol" size="1" pos="23" value="06" showvalue="6" />
  <field name="hchecksum" longname="Header Checksum" size="2" pos="24" value="452F" showvalue="0x452F" />
  <field name="src" longname="Source address" size="4" pos="26" value="52FC3B9C" showvalue="" />
  <field name="dst" longname="Destination address" size="4" pos="30" value="4224F6C6" showvalue="" />
</proto>
<proto name="tcp" longname="TCP (Transmission Control Protocol)" pos="34" size="32">
  <field name="sport" longname="Source port" size="2" pos="34" value="0D7D" showvalue="3453" />
  <field name="dport" longname="Destination port" size="2" pos="36" value="0050" showvalue="80" />
  <field name="seq" longname="Sequence number" size="4" pos="38" value="B20A5764" showvalue="2987022180" />
  <field name="ack" longname="Acknowledgement Number" size="4" pos="42" value="00000000" showvalue="0" />
  <field name="hlen" longname="Header length" size="2" pos="46" value="8002" mask="f000" showvalue="8" showdtl="32 (field value = 8)" />
  <field name="res" longname="Reserved (must be zero)" size="2" pos="46" value="8002" mask="0fc0" showvalue="0x0000" />
  <field name="flags" longname="Flags" size="2" pos="46" value="8002" mask="003f" showvalue="0x0002" >
    <field name="urg" longname="Urgent pointer" size="2" pos="46" value="8002" mask="0020" showvalue="0b..........0....." />
    <field name="ackf" longname="Ack valid" size="2" pos="46" value="8002" mask="0010" showvalue="0b...........0...." />
    <field name="push" longname="Push requested" size="2" pos="46" value="8002" mask="0008" showvalue="0b............0..." />
    <field name="rst" longname="Reset requested" size="2" pos="46" value="8002" mask="0004" showvalue="0b.............0.." />
    <field name="syn" longname="Syn requested" size="2" pos="46" value="8002" mask="0002" showvalue="0b..............1." />
    <field name="fin" longname="Fin requested" size="2" pos="46" value="8002" mask="0001" showvalue="0b...............0" />
  </field>
  <field name="win" longname="Window size" size="2" pos="48" value="FFFF" showvalue="65535" />
  <field name="crc" longname="Checksum" size="2" pos="50" value="9085" showvalue="0x9085" />
  <field name="urg" longname="Urgent Pointer" size="2" pos="52" value="0000" showvalue="0x0000" />
  <field name="options" longname="TCP Options" size="12" pos="54" >
    <field name="mss" longname="Maximum Segment Size" size="4" pos="54" >
      <field name="type" longname="Type" size="1" pos="54" value="02" showvalue="2" />
      <field name="length" longname="Option length" size="1" pos="55" value="04" showvalue="4" />
      <field name="maxssize" longname="Maximum Segment Size" size="2" pos="56" value="0584" showvalue="1412" />
    </field>
    <field name="noperation" longname="No Operation" size="1" pos="58" >
      <field name="type" longname="Type" size="1" pos="58" value="01" showvalue="1" />
    </field>
    <field name="winscale" longname="TCP Windows Scale Option" size="3" pos="59" >
      <field name="type" longname="Type" size="1" pos="59" value="03" showvalue="3" />
      <field name="length" longname="Option Length" size="1" pos="60" value="03" showvalue="3" />
      <field name="shift.cnt" longname="Shift Count" size="1" pos="61" value="04" showvalue="4" />
    </field>
    <field name="noperation" longname="No Operation" size="1" pos="62" >
      <field name="type" longname="Type" size="1" pos="62" value="01" showvalue="1" />
    </field>
    <field name="noperation" longname="No Operation" size="1" pos="63" >
      <field name="type" longname="Type" size="1" pos="63" value="01" showvalue="1" />
    </field>
    <field name="sackpermitted" longname="Sack-Permitted Option" size="2" pos="64" >
      <field name="type" longname="Type" size="1" pos="64" value="04" showvalue="4" />
      <field name="length" longname="Option Length" size="1" pos="65" value="02" showvalue="2" />
    </field>
  </field>
</proto>

On Wed, May 28, 2008 at 5:20 AM, Jonathan Adams <keirre.adams (at) gmail (dot) com [email concealed]> wrote:
> John,
> I am running late for my real job :) but when I come back I'll run
> some more tests and post the results.
> BTW, 1.5 GB transferred yesterday. There is no way this is valid web
> or ftp traffic... something is proxying through my box...
> I'm sure of it.
> On Tue, May 27, 2008 at 11:06 PM, John Duksta <john (at) duksta (dot) org [email concealed]> wrote:
>> Jonathan,
>> I'd be curious to get a copy of the list of networks that you're
>> seeing this traffic from. I work for a large managed security service
>> provider and I could cross reference these networks against data that
>> we're seeing from our corporate customers.
>> Regards,
>> -john
>> On May 27, 2008, at 7:59 AM, Jonathan Adams wrote:
>>> All,
>>> I have a leased server I use to host some websites and for the past
>>> week I have been getting traffic warnings. The server has been
>>> transferring > 1GB of data per day, which is unusually high,
>>> especially since I moved my mail to Google Apps. I have noticed a
>>> ridiculous amount of attempted proxying attempts in my logs, but I
>>> do not have mod proxy turned on. I suspect my server is on some
>>> list. I firewalled off a large number of subnets from China and my
>>> traffic dropped for a few days, then this morning, 2735MB
>>> transferred in 24 hrs.
>>> As of right now, I am planning to blackhole all China traffic,
>>> since that's where most of this is coming from, along with the
>>> occasional traffic from France and other places in Eur. Is this
>>> common? If so are there any other remedies?
>>> --
>>> "Strength does not come from physical capacity. It comes from an
>>> indomitable will." - Mohandas Gandhi
>>> _______________________________________________
>>> Pinguzilla mailing list
>>> Pinguzilla (at) as220 (dot) org [email concealed]
> --
> ___________________________
> Jon Adams
> web:
> mail: keirre.adams (at) gmail (dot) com [email concealed]
> ---------------------------------------------
> "Strength does not come from physical capacity. It comes from an
> indomitable will." - Mohandas Gandhi

Jon Adams

mail: keirre.adams (at) gmail (dot) com [email concealed]

"Strength does not come from physical capacity. It comes from an
indomitable will." - Mohandas Gandhi
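As an added example (not code from the thread or from any tool it mentions), a small Python parser for the XML packet dump quoted above: it rebuilds the IPv4 and TCP headers from the hex value= attributes, recomputes the IP header checksum and decodes the TCP flags, so a responder can confirm that the capture is internally consistent and what kind of packet it is. The DUMP string is constructed from the dump's own values, with the attributes trimmed to those the checks use.

```python
import xml.etree.ElementTree as ET

# Constructed input: values copied from the <proto name="ip"> and <proto name="tcp"> elements quoted in the thread.
DUMP = """<packet>
<proto name="ip" pos="14" size="20">
 <field name="ver" size="1" pos="14" value="45" mask="f0"/><field name="tos" size="1" pos="15" value="00"/>
 <field name="tlen" size="2" pos="16" value="0034"/><field name="identification" size="2" pos="18" value="3612"/>
 <field name="ffo" size="2" pos="20"><field name="df" size="2" pos="20" value="4000" mask="4000"/></field>
 <field name="ttl" size="1" pos="22" value="38"/><field name="nextp" size="1" pos="23" value="06"/><field name="hchecksum" size="2" pos="24" value="452F"/>
 <field name="src" size="4" pos="26" value="52FC3B9C"/><field name="dst" size="4" pos="30" value="4224F6C6"/>
</proto>
<proto name="tcp" pos="34" size="32">
 <field name="sport" size="2" pos="34" value="0D7D"/><field name="dport" size="2" pos="36" value="0050"/>
 <field name="flags" size="2" pos="46" value="8002" mask="003f"/>
</proto>
</packet>"""

TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "push": 0x08, "ack": 0x10, "urg": 0x20}

def rebuild_bytes(proto):
    """Reassemble a <proto> from its fields' hex value= attributes (masked sub-fields carry the whole word)."""
    base, size = int(proto.get("pos")), int(proto.get("size"))
    buf = bytearray(size)
    for f in proto.iter("field"):
        v = f.get("value")
        if v:
            off = int(f.get("pos")) - base
            buf[off:off + len(v) // 2] = bytes.fromhex(v)
    return bytes(buf)

def ip_header_checksum(hdr):
    """RFC 791 ones'-complement sum over the header with the checksum field zeroed."""
    hdr = hdr[:10] + b"\x00\x00" + hdr[12:]
    total = sum(int.from_bytes(hdr[i:i + 2], "big") for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def summarize(xml_text):
    root = ET.fromstring(xml_text)
    ip_hdr = rebuild_bytes(root.find("proto[@name='ip']"))
    tcp_hdr = rebuild_bytes(root.find("proto[@name='tcp']"))
    return {
        "ihl_ok": (ip_hdr[0] & 0x0F) * 4 == len(ip_hdr),
        "total_len": int.from_bytes(ip_hdr[2:4], "big"),
        "csum_ok": ip_header_checksum(ip_hdr) == int.from_bytes(ip_hdr[10:12], "big"),
        "proto": ip_hdr[9],
        "dport": int.from_bytes(tcp_hdr[2:4], "big"),
        "flags": [n for n, b in TCP_FLAG_BITS.items() if tcp_hdr[13] & b],
    }
```

For the quoted packet this reports a 52-byte IPv4 datagram with a valid header checksum carrying a bare SYN to port 80, i.e. a new connection attempt rather than an already-established session.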
