Greetings,

This is a somewhat lengthy post, so consider this a warning. There is also a question: Any idea which tool was used?

This morning 06/12/01, at around 02:26, Snort detected a portscan for port 21. All in all, 82 packets from 3 different hosts:

41 from 64.31.26.240 (11 unique hosts)
21 from 64.40.70.66 (13 unique hosts)
20 from 64.183.112.195 (5 unique hosts) *

* wasn't caught by portscan preprocessor.

Sample packets for those interested:

06/12-02:26:04.645533 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
64.31.26.240:54688 -> MY.NET.165.15:21 TCP TTL:108 TOS:0x0 ID:62229 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1D73AE11  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/12-02:26:03.541607 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x4A
64.40.70.66:2660 -> MY.NET.165.55:21 TCP TTL:45 TOS:0x0 ID:25297 IpLen:20 DgmLen:60 DF
******S* Seq: 0xAE74A16  Ack: 0x0  Win: 0x2000  TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 0 NOP NOP TS: 1165073 0

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/12-02:26:04.687238 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3C
64.183.112.195:3369 -> MY.NET.165.3:21 TCP TTL:107 TOS:0x0 ID:44205 IpLen:20 DgmLen:44 DF
******S* Seq: 0x33FBBD2  Ack: 0x0  Win: 0x2000  TcpLen: 24
TCP Options (1) => MSS: 1460

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Notice that the TCP Options are different. Also note that the TTLs are the same... Looks like different OSes. But I was considering crafted packets. My interest was piqued...
Trying to figure out the real TTL to/from these hosts:

64.31.26.240 > 12.27.165.62: icmp: echo reply (ttl 236, id 104)
    TTL:108 from the scan
64.40.70.66 > 12.27.165.62: icmp: echo reply (ttl 236, id 17922)
    TTL:45 from the scan
64.183.112.195 > 12.27.165.62: icmp: echo reply (ttl 107, id 53169)
    TTL:107 from the scan

So, the only source that matches the TTL that I got was 64.183.112.195.

I also decided to nmap -O them just for the heck of it. Since one of the tests nmap does involves sending TCP options, I was very interested to see the results...

64.31.26.240
Class=trivial time dependency. Looks like windows to me...
T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
Only the MSS was set... Doesn't match the packet in the scan with MSS and Sack... Looks like this one was crafted...

64.40.70.66
Class=random positive increments.
T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=MNWNNT)
Matches the options in the scan packets..

64.183.112.195
Class=random positive increments.
T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
Matches the options in the scan packets..

So, based on the evidence: Only 1 TTL matches that of the packet in the scan, and that same packet matches the TCP options returned by nmap. This led me to believe that 64.183.112.195 is the originator of the scan, the other two hosts being decoys.

More corroborating evidence: 64.183.112.195 only scanned 5 unique hosts and wasn't picked up by snort's portscan preprocessor. Maybe they were trying to stay under the radar...

Did I overlook anything? Any ideas what tool can generate decoy packets with different options/TTLs, etc?

Thanks
-Gary-

Gary Portnoy
Network Administrator
gportnoyat_private
PGP Fingerprint: 9D69 6A39 642D 78FD 207C 307D B37D E01A 2E89 9D2C
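Added example (not the poster's code) that mechanizes the comparison done by hand above: it canonicalizes Snort's TCP option list into nmap's Ops= letter form and checks each source's scan TTL against the TTL of its own echo reply. It goes one step beyond the post by optionally converting each TTL to an inferred hop distance (assuming an initial TTL of 64, 128 or 255) before comparing, since ICMP echo replies and TCP SYNs often start from different initial TTLs; the input values are constructed from the numbers quoted in the post.

```python
# Added example (not the poster's code): per source, compare the SYN seen by Snort
# with what the live host itself sends, as the post does by hand.

# nmap's letter encoding for TCP options: M=MSS, N=NOP, W=window scale, T=timestamp, S=SackOK
OPT_LETTER = {"MSS": "M", "NOP": "N", "WS": "W", "TS": "T", "SackOK": "S"}

# Constructed from the post: the scan SYN, the icmp echo reply and nmap's T1 Ops= per source
OBSERVED = {
    "64.31.26.240":   {"scan_ttl": 108, "scan_opts": "MSS: 1460 NOP NOP SackOK",
                       "echo_ttl": 236, "nmap_ops": "M"},
    "64.40.70.66":    {"scan_ttl": 45,  "scan_opts": "MSS: 1460 NOP WS: 0 NOP NOP TS: 1165073 0",
                       "echo_ttl": 236, "nmap_ops": "MNWNNT"},
    "64.183.112.195": {"scan_ttl": 107, "scan_opts": "MSS: 1460",
                       "echo_ttl": 107, "nmap_ops": "M"},
}

def canon_opts(snort_opts):
    """Turn a Snort 'TCP Options' field ('MSS: 1460 NOP NOP SackOK') into nmap's 'MNNS' form."""
    names = (tok.rstrip(":") for tok in snort_opts.split())
    return "".join(OPT_LETTER[n] for n in names if n in OPT_LETTER)

def hop_distance(ttl):
    """Hops travelled, assuming the sender started at 64, 128 or 255 (the usual initial TTLs)."""
    return next(init - ttl for init in (64, 128, 255) if ttl <= init)

def assess(src, obs, normalize_ttl=True):
    """Compare the scan SYN with the host's own replies; raw TTLs if normalize_ttl is False."""
    opts_match = canon_opts(obs["scan_opts"]) == obs["nmap_ops"]
    if normalize_ttl:
        # An echo reply and a SYN from the same host often start from different initial
        # TTLs, so compare the hop count each implies rather than the raw TTL values.
        a, b = hop_distance(obs["scan_ttl"]), hop_distance(obs["echo_ttl"])
    else:
        a, b = obs["scan_ttl"], obs["echo_ttl"]
    return {"src": src, "opts_match": opts_match, "ttl_match": a == b,
            "consistent": opts_match and a == b}

def likely_decoys(observed, normalize_ttl=True):
    """Sources whose scan packets do not look like the live host sent them."""
    return sorted(s for s, o in observed.items()
                  if not assess(s, o, normalize_ttl)["consistent"])

if __name__ == "__main__":
    for mode in (False, True):
        print("hop-normalized" if mode else "raw TTL", "->", likely_decoys(OBSERVED, mode))
```

Compared raw, only 64.183.112.195 survives, as in the post; after hop normalization 64.40.70.66 also comes out consistent (19 hops either way), so a raw TTL mismatch alone is weaker evidence of a decoy than an option mismatch.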
This archive was generated by hypermail 2b30 : Tue Jun 12 2001 - 19:00:38 PDT