Hi Mike and everyone,

First, I bet it's "global load balancers", and I agree with what Dan Hawrylkiw was saying on another sub-thread.

Cloppert, Michael said:

> Could it be that you've been decoy addresses in a portscan?
>
> For instance, hacker (H) wants to attack A. Hacker finds B and C that are
> legit, so hacker sends a portscan from H, B, and C to A. The effect of this
> is that the analyst at A doesn't know which is the real portscanner (or in
> this case scanner for port 53). What B and C see are the responses of the
> initial SYN sent to A, since A will be responding to both H, B, and C
> thinking that they're legit TCP initiation requests.

But A didn't send SYN packets to H, B, and C. The SYN-ACK packets A received aren't legit. The first poster, Jerry Perser, found that his firewall dropped these strange SYN-ACK packets.

> HTH. Anyone else have any ideas?

Yes, I have ideas. I think it depends on how skilled the analyst is versus the prober.

[Case 1: analyst > prober]

Passive: The analyst can check the passive fingerprint using logs. If the TTLs are the same, there are decoys. If the WINDOW size, DF flag and other TCP/IP parameters are the same, it's strange.

Active: They ping (or traceroute) to H, B, C. They compare the hops (TTL) with the logs. B and C are different and H is nearly equal. They know H is the real prober and B, C are decoys. WINDOW size, DF flag and other TCP/IP parameters work as well.

They can portscan H, B, C. So an analyst becomes a prober. The analysts at B and C will find the scan and re-scan. There is nesting (recursion)...

[Case 2: analyst < prober]

The prober knows the OS version type of B and C. This is difficult: they usually need to know how many hops from B to A and from C to A. They need to know an Internet topology map. They have the craft to make packets that mimic B and C.

--
Greetings and sorry for my poor English,
RainbowHat.

I support FULL DISCLOSURE.
I use the terms "prober", "attacker" and "intruder". Because a hacker said I'm just developing Linux|*BSD 20 hours per day. A hacker in the Hollywood movie said I'm just acting the scenario! A cracker said I'm researching de-cryptography. A script kiddie said i h4v3 n07 5ki11. i w4n4633 4 31337.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
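The passive and active checks RainbowHat describes (compare TTL, window size and DF flag across the suspected sources in the logs, then traceroute to each source and see whose TTL-implied distance matches the measured route) can be scripted. The following is an added example and is not code from the thread. The log format, the addresses, the "one sender" heuristic and the hop tolerance are all assumptions chosen for illustration; the traceroute hop counts are constructed values standing in for the analyst's own active measurement.

```python
import re

# Constructed firewall log lines (not from the original thread). The format
# is an assumed, simplified one: source, destination port, observed TTL,
# TCP window, DF flag.
SAMPLE_LOG = """\
Jan 14 10:01:02 fw: PROBE src=198.51.100.7 dpt=53 ttl=51 win=5840 df=1
Jan 14 10:01:02 fw: PROBE src=203.0.113.40 dpt=53 ttl=51 win=5840 df=1
Jan 14 10:01:02 fw: PROBE src=192.0.2.99 dpt=53 ttl=51 win=5840 df=1
Jan 14 10:01:03 fw: PROBE src=198.51.100.7 dpt=22 ttl=51 win=5840 df=1
"""

# Hop counts from the analyst's own traceroute to each source. These are
# constructed values standing in for the active step in the post.
TRACEROUTE_HOPS = {
    "198.51.100.7": 13,   # H: consistent with the TTL-implied distance
    "203.0.113.40": 22,   # B: far more hops than the packets suggest
    "192.0.2.99": 8,      # C: far fewer hops than the packets suggest
}

LINE_RE = re.compile(r"src=(\S+) dpt=(\d+) ttl=(\d+) win=(\d+) df=([01])")
INITIAL_TTLS = (32, 64, 128, 255)   # common OS default initial TTLs
TOLERANCE = 2                        # hops; forward/return paths rarely match exactly


def parse_log(text):
    """Return (src, dport, ttl, win, df) tuples for every parsable log line."""
    recs = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, dpt, ttl, win, df = m.groups()
            recs.append((src, int(dpt), int(ttl), int(win), int(df)))
    return recs


def implied_hops(ttl):
    """Distance implied by an observed TTL: the smallest common initial TTL
    at or above it, minus the observed value (TTL only decreases in transit)."""
    init = next((t for t in INITIAL_TTLS if ttl <= t), 255)
    return init - ttl


def passive_signatures(recs):
    """Per-source set of (ttl, win, df) fingerprints seen in the logs."""
    sigs = {}
    for src, _dpt, ttl, win, df in recs:
        sigs.setdefault(src, set()).add((ttl, win, df))
    return sigs


def looks_like_one_sender(sigs):
    """Passive check from the post: several sources sharing one identical
    TTL/window/DF fingerprint suggests one host crafted all the packets."""
    if len(sigs) < 2:
        return False
    all_sigs = set().union(*sigs.values())
    return len(all_sigs) == 1


def classify(recs, traceroute_hops, tolerance=TOLERANCE):
    """Active check: compare TTL-implied distance with the measured route.
    A source is 'real' only if every packet from it is consistent with the
    traceroute; 'unknown' if no traceroute result exists for it."""
    verdict = {}
    for src, _dpt, ttl, _win, _df in recs:
        measured = traceroute_hops.get(src)
        if measured is None:
            verdict[src] = "unknown"
            continue
        consistent = abs(implied_hops(ttl) - measured) <= tolerance
        verdict[src] = "real" if consistent and verdict.get(src, "real") == "real" else "decoy"
    return verdict


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    sigs = passive_signatures(records)
    print("passive: identical fingerprints across sources:", looks_like_one_sender(sigs))
    for src, v in classify(records, TRACEROUTE_HOPS).items():
        print(f"active:  {src:15} -> {v}")
```

With the constructed data all three sources carry the same TTL/window/DF, so the passive check already flags a single crafting host, and the active check singles out 198.51.100.7 as the only source whose measured route agrees with its TTL. As the post's second case notes, a prober who knows the path lengths from B and C to A can set the initial TTL so that the implied distance matches, at which point this comparison stops being conclusive.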
This archive was generated by hypermail 2b30 : Tue Jan 15 2002 - 14:12:58 PST