Recently a spate of "portscanning attacks" have been attributed to various high traffic sites and servers on the net. Here is an observation.

Below is one of the "scanning packets". Specifically, in this case the TCP part of the packet has been replaced in such a way that you might mistake it for a port scanning attack. It would certainly trip TCP filters. This particular packet began life as a legitimate email packet in a stream between Apple's email server and the MIT email server. This one packet in the stream was munged. Specifically, the entire TCP part of the packet has been replaced by 78 FF 02 14 repeated over and over again. The TCP header, everything. This made it look like weird things were happening:

The source port is 30975 = hex 78ff
The dest port is 532 = hex 214
The initial sequence number and acknowledgment number = 2029978132 = 78ff0214
The flags are set to ff
The checksum = 78FF
The urgent pointer is 532 = hex 214

You will notice the repeated pattern 78 FF 02 14 (the packet fragment is attached.)

We have determined that our equipment is not doing this and that it occurs to a few packets in almost any stream. The pattern repeated is not always 78ff0214. Because of filtering it was generating almost 65MB of log files daily.

SO, here's the question. If you sniff packets and capture this type of activity, could you send me a traceroute from your establishment to the system that is "apparently" "portscanning" you. The object here is to analyze the path over which this is occurring to try to narrow down where it is happening. Here is the traceroute for the path over which this particular packet traveled.
 1 LL-HUB.LL.MIT.EDU (129.55.10.1) 3.515 ms 4.265 ms 2.523 ms
 2 lincoln-gw.near.net (129.55.15.2) 5.312 ms 5.129 ms 5.776 ms
 3 cambridge2-cr3.bbnplanet.net (199.95.64.177) 61.448 ms 106.771 ms 132.239 ms
 4 cambridge2-br2.bbnplanet.net (192.233.33.6) 23.658 ms 60.333 ms 10 ms
 5 cambridge1-br1.bbnplanet.net (4.0.1.201) 14.073 ms 7.509 ms 8.525 ms
 6 core10-hssi-1.SanFrancisco.mci.net (204.70.10.221) 13.952 ms 11.017 ms 19.617 ms
 7 bordercore2.WillowSprings.mci.net (166.48.22.1) 36.64 ms 32.246 ms 67.459 ms
 8 core2.Dallas.mci.net (204.70.4.69) 51.571 ms 50.028 ms 59.195 ms
 9 borderx1-fddi-1.Dallas.mci.net (204.70.114.52) 54.696 ms 56.805 ms 64.161 ms
10 diamond-net.Dallas.mci.net (204.70.114.106) 71.301 ms 67.505 ms 59.686 ms
11 APPLE-1.DllsTX.savvis.net (209.44.32.2) 316.68 ms 142.599 ms 250.019 ms
12 209.44.33.18 (209.44.33.18) 97.149 ms 90.555 ms 91.014 ms
13 tre.apple.com (205.180.175.29) 407.373 ms 337.825 ms 106.116 ms
14 mail-out2.apple.com (17.254.0.51) 107.062 ms * 101.546 ms

The TCP part:

TCP: ----- TCP header -----
TCP:
TCP: Source port = 30975
TCP: Destination port = 532 (Netnews)
TCP: Initial sequence number = 2029978132
TCP: Acknowledgment number = 2029978132
TCP: Data offset = 28 bytes
TCP: Flags = FF
TCP: ..1. .... = Urgent pointer
TCP: ...1 .... = Acknowledgment
TCP: .... 1... = Push
TCP: .... .1.. = Reset
TCP: .... ..1. = SYN
TCP: .... ...1 = FIN
TCP: Window = 532
TCP: Checksum = 78FF, should be E635
TCP: Urgent pointer = 532
TCP:
TCP: Options follow
TCP: Unknown option 120
TCP: 7 byte(s) of header padding
TCP: [504 byte(s) of data]
TCP:

ADDR HEX                                             ASCII
0000 00 E0 14 7B 36 09 00 00 0C F8 17 49 08 00 45 00 ...{6......I..E.
0010 02 28 C2 35 00 00 2E 06 29 0B 11 FE 00 33 81 37 .(.5....)....3.7
0020 0C 28 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF .(x...x...x...x.
0030 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0040 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0050 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0060 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0070 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0080 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0090 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
00A0 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
00B0 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
00C0 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
00D0 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
00E0 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
00F0 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0100 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0110 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0120 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0130 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0140 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0150 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0160 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0170 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0180 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0190 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
01A0 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
01B0 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
01C0 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
01D0 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
01E0 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
01F0 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0200 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0210 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0220 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0230 02 14 78 FF 02 14                               ..x...
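The kind of check a log filter could run before counting a packet like the one above as a scan, as an added example (not code from the original post): it rebuilds the dumped frame from the hex above (the Ethernet and IP headers exactly as dumped, then the 532-byte TCP part as 78 FF 02 14 repeated 133 times), verifies the IP header checksum, recomputes the TCP checksum over the pseudo-header, and tests whether the entire TCP segment is one short byte pattern tiled end to end. A frame whose IP header checksum still holds, whose TCP checksum fails, and whose whole segment is a short repeating unit is line damage, not a probe. The comparison frame built by build_tcp_frame (addresses 10.0.0.1 and 10.0.0.2, ports 40000 and 25) uses constructed values that are not in the post.

```python
"""Triage one captured Ethernet/IPv4/TCP frame before logging it as a port scan.

Added example for this thread, not code from the original post. SAMPLE_FRAME is
rebuilt from the post's hex dump: the Ethernet and IP headers exactly as dumped,
then the 532-byte TCP part as the 4-byte pattern 78 FF 02 14 repeated 133 times.
"""
import ipaddress
import struct

# Constructed from the post's dump: 14-byte Ethernet header + 20-byte IPv4 header.
ETH_IP_HEADER = bytes.fromhex(
    "00 e0 14 7b 36 09 00 00 0c f8 17 49 08 00 "   # Ethernet dst, src, type 0x0800
    "45 00 02 28 c2 35 00 00 2e 06 29 0b "         # IPv4: total length 552, TTL 46, proto 6
    "11 fe 00 33 81 37 0c 28 "                     # 17.254.0.51 -> 129.55.12.40
)
SAMPLE_FRAME = ETH_IP_HEADER + bytes.fromhex("78 ff 02 14") * 133   # 566 bytes, as dumped

TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")  # bit 0 .. bit 7


def ones_complement_sum(data):
    """16-bit one's-complement sum (RFC 1071); a valid header sums to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data):
    return (~ones_complement_sum(data)) & 0xFFFF


def flag_names(flags):
    return [name for bit, name in enumerate(TCP_FLAG_NAMES) if (flags >> bit) & 1]


def repeated_pattern(data, max_period=8):
    """Shortest unit of at most max_period bytes that tiles all of data, else None."""
    for period in range(1, max_period + 1):
        unit = data[:period]
        tiled = unit * (len(data) // period) + unit[: len(data) % period]
        if len(data) >= 2 * period and tiled == data:
            return unit
    return None


def triage(frame):
    """Parse the frame, verify both checksums, and classify the TCP segment."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", ip[2:4])
    proto, src, dst = ip[9], ip[12:16], ip[16:20]
    if proto != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off, flags, window, csum, urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_offset = (off >> 4) * 4
    # TCP checksum covers a pseudo-header plus the segment with its checksum field zeroed.
    pseudo = src + dst + b"\x00" + bytes([proto]) + struct.pack("!H", len(tcp))
    expected = internet_checksum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:])
    pattern = repeated_pattern(tcp)
    if csum != expected and pattern is not None:
        verdict = "corrupted"        # whole segment is one short pattern: line damage, not a probe
    elif csum != expected:
        verdict = "bad-checksum"
    elif (flags & 0x03) == 0x03 or (flags & 0x06) == 0x06:
        verdict = "malformed-flags"  # SYN+FIN or SYN+RST never occur in a real handshake
    else:
        verdict = "plausible"
    return {
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "data_offset": data_offset,
        "flags": flags, "flag_names": flag_names(flags), "window": window, "urgent": urg,
        "payload_len": len(tcp) - data_offset,
        "ip_checksum_ok": ones_complement_sum(ip[:ihl]) == 0xFFFF,
        "tcp_checksum_in_packet": csum, "tcp_checksum_expected": expected,
        "tcp_checksum_ok": csum == expected, "pattern": pattern, "verdict": verdict,
    }


def build_tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Well-formed frame with valid IP and TCP checksums, for comparison (constructed values)."""
    s, d = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload
    pseudo = s + d + b"\x00\x06" + struct.pack("!H", len(tcp))
    tcp = tcp[:16] + struct.pack("!H", internet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    return bytes(12) + b"\x08\x00" + ip + tcp


if __name__ == "__main__":
    for label, frame in (("dumped packet", SAMPLE_FRAME),
                         ("constructed SYN", build_tcp_frame("10.0.0.1", "10.0.0.2", 40000, 25, 0x02))):
        r = triage(frame)
        print(label, r["verdict"], r["flag_names"],
              "tcp csum %04X expected %04X" % (r["tcp_checksum_in_packet"], r["tcp_checksum_expected"]))
```

Run against the rebuilt frame, triage() recovers every value the decoder above printed (ports 30975 and 532, sequence 2029978132, flags FF, checksum 78FF where E635 was expected, 504 bytes of data) and reports the 4-byte unit, while the IP header checksum still verifies, which is why the packet was routed normally even though its TCP part had been overwritten. The decoder's "Unknown option 120" is the same effect: the data offset nibble of 0x78 claims a 28-byte header, so the next 0x78 byte is read as option kind 120.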
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:02:32 PDT