I got several nmap tcp ping events from one of my snort sensors the other day. As I started digging into it the traffic starts to look more and more strange. I wanted to bounce it off the list and see if anyone else had seen anything similar or could (in)validate my thoughts on this. Here goes. I got 20 of these (abbreviated ACID output) from 5 different addresses: ====== [2001-08-02 11:43:58]IDS28/scan_probe-nmap_tcp_ping IPv4: attacker.com -> fw.my.org hlen=5 TOS=0 dlen=40 ID=59958 flags=0 offset=0 TTL=55 chksum=45800 TCP: port=80 -> dport: 51723 flags=***A**** seq=193 ack=0 off=5 res=0 win=1024 urp=0 chksum=64006 Payload: none ====== I concluded that these are not normal traffic because: 1.. The ack bit is set but the ack number is 0, which makes no sense. 2.. the sequence number of all the packets is less than 1000. For a 32 bit field this is just too coincidental. 3.. The windows size of 1024 also looks suspicious to me. So they look like crafted packets. I pull out nmap 2.54 Beta 6 and run an ACK scan. The sequence numbers and ACK are reasonable numbers. So either this is an old version of nmap or it's not nmap or it's generated using some other option from nmap. According to the nmap man page ACK scans can be used for a few different things. 1.. Determine if a host exists. I don't think this is the purpose because so many of them are going to the same machine. He only needs one or maybe 2 packets to determine this. 2.. Determine whether or not a host is behind a stateful firewall. A stateful firewall will drop the packet, a non-stateful will pass it b/c of the presence of the ACK bit and you should get a RST from the remote host. Some things that are funny: 1.. The TTLs are all between 53 - 56 for all packets. I would expect them to differ more than that, being from different subnets. From this I conclude all the source addresses except 1 are spoofed. 2.. I did a traceroute to try and find out which of the networks would come up with a TTL close to 53. Every single source address is around 10-15 hops away from me and they are all behind firewalls that rewrite the TTL just before the destination. HUNH?!? This throws a kink in everything else I've concluded. Either someone REALLY did their homework before scanning me or there's something here I'm not seeing. 3.. Mixed in with the rest was this one packet: ====== [2001-08-02 16:04:29]IDS28/scan_probe-nmap_tcp_ping IPv4: attacker.com -> fw.my.org hlen=5 TOS=0 dlen=40 ID=7842 flags=0 offset=0 TTL=52 chksum=41042 TCP: port=80 -> dport: 53 flags=***A**** seq=55 ack=0 off=5 res=0 win=1024 urp=0 chksum=58172 Payload: none ====== Aha! A scan to port 53. There is one packet to 51723 from this address and one to 53 from this address. Now I REALLY think the rest are spoofed and this one address is my attacker. TR ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Aug 03 2001 - 15:45:11 PDT