I have a user trying to connect to an IRC server (yeah, I know, but it is not against policy), and I am seeing some weird ident (port 113) traffic coming back. First off, Snort goes ape when it sees them,

  Apr 19 12:08:29 blossom snort: spp_portscan: PORTSCAN DETECTED from 206.101.197.250 (STEALTH)
  Apr 19 12:08:29 blossom snort: Possible Queso Fingerprint attempt: 206.101.197.250:2098 -> AAA.BBB.CCC.142:113
  Apr 19 12:08:32 blossom snort: spp_portscan: portscan status from 206.101.197.250: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
  Apr 19 12:08:38 blossom snort: spp_portscan: End of portscan from 206.101.197.250: TOTAL time(0s) hosts(1) TCP(1) UDP(0) STEALTH

These are being triggered by the fact that the 'reserved-' or ECN-bits in the TCP flags are flipped on. But it gets better; here is a tcpdump of one of the packets,

  11:44:23.626678 206.101.197.250.2051 > AAA.BBB.CCC.142.113: SWE [tcp sum ok] 4007695090:4007695090(0) win 5840 <mss 1460,sackOK,timestamp 107492410 0,nop,wscale 0> (DF) (ttl 54, id 0)
  0000: 4500 003c 0000 4000 3606 e874 ce65 c5fa   E..<..@.6..t.e..
  0010: AABB CC8e 0803 0071 eee0 92f2 0000 0000   .......q........
  0020: a0c2 16d0 0f46 0000 0204 05b4 0402 080a   .....F..........
  0030: 0668 343a 0000 0000 0103 0300             .h4:........

First off, this is not real ECN since all of the TOS bits (byte 0x01) are zero. Since it is not real ECN and CWR and ECN-Echo are set (byte 0x21), it does look like some type of fingerprint attempt to me. The next very interesting thing is that the IP ID (bytes 0x04 and 0x05) is zero. It is unlikely, but legal... except EVERY ONE of these scans to port 113 has IP ID = 0. Even when the source port changes, the IP ID is still 0. In addition to the fact that the source port changes, the initial sequence number _does_ change with it. Also, the TCP timestamp value is changing as one might expect, about 10000 ticks/second.

So what is puzzling me is the odd mix of normal TCP behavior (changing source port, changing sequence number, changing TCP timestamp) mixed with crafted packet signatures ("reserved-bits" set, unchanging IP ID = 0). Does anyone recognize this signature? I know Snort says Queso, but that does not make sense to me in this circumstance.

Oh, and just to save you all a few keystrokes,

  ;; ANSWER SECTION:
  250.197.101.206.in-addr.arpa.  22h38m50s IN PTR  MX.UNITEDNETWORK.NET.

  ;; AUTHORITY SECTION:
  197.101.206.in-addr.arpa.  22h38m50s IN NS  NS.SKYINET.NET.

And,

  ;; ANSWER SECTION:
  irc.skyinet.net.  21h54m54s IN CNAME  BURRITOS.skyinet.net.
  BURRITOS.skyinet.net.  21h54m54s IN A  206.101.197.250

  ;; AUTHORITY SECTION:
  skyinet.net.  1d18h49m7s IN NS  NS2.skyinet.net.
  skyinet.net.  1d18h49m7s IN NS  NS.skyinet.net.

Plus,

  CENTRAL CATV (NETBLK-CW-206-101-197)
     G/F BENPRES BUILDING
     EXCHANGE ROAD
     PASIG CITY,1600, PH

     Netname: CW-206-101-197
     Netblock: 206.101.197.0 - 206.101.197.255
     Maintainer: CATV

     Coordinator:
        Dimayuga, Miguel  (MD911-ARIN)  miguelat_private
        +1-404-522-5400 +63 2 635-5601 ext. 5250 (FAX) +1-404-522-1939

     Record last updated on 09-May-2000.
     Database last updated on 18-Apr-2001 22:35:51 EDT.

  The ARIN Registration Services Host contains ONLY Internet Network Information: Networks, ASN's, and related POC's. Please use the whois server at rs.internic.net for DOMAIN related Information and whois.nic.mil for NIPRNET Information.

Philippines?

-- 
Crist J. Clark                                Network Security Engineer
crist.clarkat_private                         Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact postmasterat_private
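As an added worked example (not part of the original post or thread), the Python below rebuilds the packet from the hex dump quoted above and pulls out the fields the post reasons about: the TOS/ECN bits, the IP ID and DF flag, and the TCP flag set. The triage labels are my own names; the comment on the ECN check states the RFC 3168 rule that an ECN-setup SYN carries ECE+CWR in the TCP header while the IP-layer ECN field is left Not-ECT.

```python
import struct

# Raw packet reconstructed from the tcpdump hex in the post (the destination
# address was anonymised there as AABB CC8e; it still parses as hex).
HEXDUMP = """\
0000: 4500 003c 0000 4000 3606 e874 ce65 c5fa
0010: AABB CC8e 0803 0071 eee0 92f2 0000 0000
0020: a0c2 16d0 0f46 0000 0204 05b4 0402 080a
0030: 0668 343a 0000 0000 0103 0300"""

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def hexdump_to_bytes(dump):
    """Drop the 'NNNN:' offsets and join the hex words into raw bytes."""
    words = []
    for line in dump.splitlines():
        words.extend(line.split(":", 1)[1].split())
    return bytes.fromhex("".join(words))


def decode_ip_tcp(pkt):
    """Pull out the IPv4 and TCP header fields the post reasons about."""
    ver_ihl, tos, total_len, ip_id, flags_frag, ttl, proto = struct.unpack(
        "!BBHHHBB", pkt[:10])
    tcp = pkt[(ver_ihl & 0x0F) * 4:]          # skip IHL*4 bytes of IP header
    sport, dport, seq, ack, off_res, flags, window = struct.unpack(
        "!HHIIBBH", tcp[:16])
    return {
        "ip_ecn": tos & 0x03,                 # ECN codepoint: low two TOS bits
        "ip_id": ip_id,
        "df": bool(flags_frag & 0x4000),
        "ttl": ttl, "proto": proto, "total_len": total_len,
        "sport": sport, "dport": dport, "seq": seq, "window": window,
        "tcp_flags": {n for i, n in enumerate(TCP_FLAG_NAMES) if flags >> i & 1},
    }


def triage(f):
    """Name the oddities the post discusses so a rule can key on them."""
    notes = set()
    if {"SYN", "ECE", "CWR"} <= f["tcp_flags"] and "ACK" not in f["tcp_flags"]:
        # RFC 3168 ECN-setup SYN: ECE+CWR in TCP, IP ECN field left Not-ECT
        notes.add("ecn-setup-syn" if f["ip_ecn"] == 0 else "ecn-syn-with-ect")
    if f["ip_id"] == 0 and f["df"]:
        notes.add("zero-ip-id-with-df")
    return notes


FIELDS = decode_ip_tcp(hexdump_to_bytes(HEXDUMP))
print(FIELDS, triage(FIELDS))
```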
This archive was generated by hypermail 2b30 : Fri Apr 20 2001 - 09:46:06 PDT