Re: Traceroute network mapping, but spoofed source?

From: Valdis Kletnieks (Valdis.Kletnieksat_private)
Date: Thu Apr 12 2001 - 15:42:00 PDT


    On Wed, 11 Apr 2001 15:43:11 EDT, Mike Worman <wormanat_private>  said:
    > Apr 11 12:33:10 211.33.122.158:33895 -> x.y.z.100:33444 UDP
    > Apr 11 12:33:14 211.33.122.158:33938 -> x.y.z.118:33444 UDP
    
    43 packets difference, and 4 seconds...
    
    > Apr 11 12:33:25 211.33.122.158:34038 -> x.y.z.22:33444 UDP
    
    59 - or 42 plus 17.  and 11 seconds..
    
    > Apr 11 12:33:27 211.33.122.158:34055 -> x.y.z.23:33444 UDP
    
    It hit z.22, and took 17 more packets to hit z.23.  Consistent with a
    distance of 17 hops. Notice only 2 seconds to do that traceroute.
    
    > Apr 11 12:33:31 211.33.122.158:34097 -> x.y.z.33:33444 UDP
    
    Took 42 packets here.  And 4 seconds clock time.  I'll place bets the
    other 2 seconds and 25 packets were a traceroute to a bum host that your
    IDS didn't see?  Let's summarize so far:
    
    43pack/4sec - 17/2 for the successful trace, and 25/2 to a dead host.
    59/11 - 17/2, after a 17/2 to a host you didn't trace, and a 25/7 to a dead
    17/2 - 17/2 to a successful host...
    42/4 - 17/2, after a 25/2 to a dead host...
    
    > Apr 11 12:33:39 211.33.122.158:34170 -> x.y.z.5:33444 UDP
    
    73/8.  17/2 for host z.5, another 25 for a dead host, and 2 traceroutes
    that got terminated after 16 hops because your router threw an ICMP
    Host Unreachable back.
    
    > Apr 11 12:33:48 211.33.122.158:34256 -> x.y.z.67:33444 UDP
    
    86. And burnt 9 seconds.  85 is 5 * 17, bet he poked at 4 other machines
    in between.
    
    Looks to me like traceroute to host after host, with a TTL of 25 on his
    packets, and your IDS isn't seeing every host the attacker is poking at..
    
    The fact he poked the addresses 100, 118, 18, 22, 23, 33, 5, 67 is
    interesting.  They're not sorted numerically, but by ASCII collating.
    This sort of indicates to me that he managed a zone transfer of your
    DNS and is using that for his address list....
    
    
    --
    				Valdis Kletnieks
    				Operating Systems Analyst
    				Virginia Tech
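The reasoning in the post (one source port consumed per UDP traceroute probe, so the port gap between two logged hits counts the probes the sensor never saw, and targets visited in ASCII rather than numeric order) can be turned into a small detection script. This is an added example, not code from the list or from Valdis; it parses the seven IDS lines quoted above as a constructed sample (the year is assumed, since the log format has none; the z.18 hit the post mentions is not among the quoted lines, so the deltas are computed across the lines shown).

```python
import re
from datetime import datetime

# Constructed sample: the IDS lines quoted in the post (year is assumed;
# the log format does not carry one).
SAMPLE_LOG = """\
Apr 11 12:33:10 211.33.122.158:33895 -> x.y.z.100:33444 UDP
Apr 11 12:33:14 211.33.122.158:33938 -> x.y.z.118:33444 UDP
Apr 11 12:33:25 211.33.122.158:34038 -> x.y.z.22:33444 UDP
Apr 11 12:33:27 211.33.122.158:34055 -> x.y.z.23:33444 UDP
Apr 11 12:33:31 211.33.122.158:34097 -> x.y.z.33:33444 UDP
Apr 11 12:33:39 211.33.122.158:34170 -> x.y.z.5:33444 UDP
Apr 11 12:33:48 211.33.122.158:34256 -> x.y.z.67:33444 UDP
"""

LINE_RE = re.compile(r"(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+):(\d+) -> (\S+):(\d+) UDP")

def parse(log, year=2001):
    """Return (timestamp, src_ip, src_port, dst_host, dst_port) per UDP line."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), int(m.group(3)), m.group(4), int(m.group(5))))
    return events

def port_deltas(events):
    """(dst_host, source-port delta, seconds) between consecutive hits; the
    delta counts every probe sent in between, including ones at hosts the
    sensor never logged, because each probe uses a fresh source port."""
    return [(cur[3], cur[2] - prev[2], int((cur[0] - prev[0]).total_seconds()))
            for prev, cur in zip(events, events[1:])]

def looks_like_traceroute_sweep(events, min_hosts=3):
    """Heuristic from the thread: one source, several destinations, a fixed
    destination port in the traceroute range (33434 and up), and source
    ports that only ever climb."""
    src_ports = [e[2] for e in events]
    return (len(events) >= min_hosts
            and len({e[1] for e in events}) == 1
            and len({e[3] for e in events}) >= min_hosts
            and len({e[4] for e in events}) == 1 and events[0][4] >= 33434
            and all(b > a for a, b in zip(src_ports, src_ports[1:])))

def hosts_in_ascii_order(events):
    """True when the last octets were visited in string order but not numeric
    order: the post's hint that the target list came from a sorted zone."""
    octets = [e[3].rsplit(".", 1)[1] for e in events]
    return octets == sorted(octets) and octets != sorted(octets, key=int)
```

Running `port_deltas(parse(SAMPLE_LOG))` reproduces the 43, 17, 42, 73, 86 probe gaps and the 4, 11, 2, 4, 8, 9 second spacings the post works through.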
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 11:17:23 PDT