Re: New DNS connection with SYN ACK

From: RainbowHat (junk@blackhole-1.iana.org)
Date: Tue Jan 15 2002 - 11:02:02 PST

Next message: Markus Stumpf: "Re: Matt Wright FormMail Attacks"

Previous message: Patrick Patterson: "Re: Trojans that use LDAP"
In reply to: Cloppert, Michael: "RE: New DNS connection with SYN ACK"
Next in thread: Keith T. Morgan: "RE: New DNS connection with SYN ACK"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Mike and everyone,

First, I bet it's a "global load balancers" and agreed what
Dan Hawrylkiw was saying on another sub-thread.

Cloppert, Michael said:
>Could it be that you've been been decoy addresses in a portscan?
>
>For instance, hacker (H) wants to attack A.  Hacker finds B and C that are
>legit, so hacker sends a portscan from H, B, and C to A.  The effect of this
>is that the analyst at A doesn't know which is the real portscanner (or in
>this case scanner for port 53).  What B and C see are the responses of the
>initial SYN sent to A, since A will be responding to both H, B, and C
>thinking that they're legit TCP initiation requests.

But A didn't send SYN packets to H, B and C. A received SYN-ACK
packets isn't legit. First poster Jerry Perser found his firewall 
dropped this strange SYN-ACK packets.

>HTH.  Anyone else have any ideas?

Yes, I have ideas. I think it depend on how many skills have 
between analyst vs. prober.

[Case1 analyst > prober]
Passive:
Analyst can check passive fingerprint using logs. If TTL are 
same, there are decoy. If WINDOW size, DF flag and other TCP/
IP parameters are same, it's strange.
Active:
They ping (or traceroute) to H, B, C. They compare the hops
(TTL) with logs. B, C are different and H is nearly equal. They 
know H is real prober and B, C is decoy. WINDOW size, DF flag 
and other TCP/IP parameters are as well. They can portscan to 
H, B, C. So an analyst become a prober. Analyst at B, C will 
find scan and re-scan. There are nesting (recursive)...

[Case2 analyst < prober]
Prober know OS version type of B, C. This is difficult they 
know how many hops B to A and C to A usually. They need to know 
Internet topology map. They have craft to make mimic packets 
like B, C.

-- 
Greetings and sorry poor English,
RainbowHat. I support FULL DISCLOSURE.
I use the terms "prober", "attacker" and "intruder". Because 
a hacker said I'm just developing Linux|*BSD 20 hours per day. 
A hacker in the Hollywood movie said I'm just acting the 
scenario! A cracker said I'm researching de-cryptography. 
A script kiddies said i h4v3 n07 5ki11. i w4n4633 4 31337.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Markus Stumpf: "Re: Matt Wright FormMail Attacks"
Previous message: Patrick Patterson: "Re: Trojans that use LDAP"
In reply to: Cloppert, Michael: "RE: New DNS connection with SYN ACK"
Next in thread: Keith T. Morgan: "RE: New DNS connection with SYN ACK"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jan 15 2002 - 14:12:58 PST