Re: New DNS connection with SYN ACK

From: RainbowHat (junk@blackhole-1.iana.org)
Date: Tue Jan 15 2002 - 11:02:02 PST

    Hi Mike and everyone,
    
    First, I bet it's "global load balancers", and I agree with what
    Dan Hawrylkiw was saying on another sub-thread.
    
    Cloppert, Michael said:
    >Could it be that you've been decoy addresses in a portscan?
    >
    >For instance, hacker (H) wants to attack A.  Hacker finds B and C that are
    >legit, so hacker sends a portscan from H, B, and C to A.  The effect of this
    >is that the analyst at A doesn't know which is the real portscanner (or in
    >this case scanner for port 53).  What B and C see are the responses of the
    >initial SYN sent to A, since A will be responding to both H, B, and C
    >thinking that they're legit TCP initiation requests.
    
    But A didn't send SYN packets to H, B and C. The SYN-ACK
    packets A received aren't legit. The first poster, Jerry Perser, found
    his firewall dropped these strange SYN-ACK packets.
    
    >HTH.  Anyone else have any ideas?
    
    Yes, I have ideas. I think it depends on how much skill the
    analyst has versus the prober.
    
    [Case1 analyst > prober]
    Passive:
    The analyst can check passive fingerprints using logs. If the TTLs
    are the same, there are decoys. If the WINDOW size, DF flag and other
    TCP/IP parameters are the same, it's strange.
    Active:
    They ping (or traceroute) H, B, C. They compare the hops
    (TTL) with the logs. B, C are different and H is nearly equal. They
    know H is the real prober and B, C are decoys. WINDOW size, DF flag
    and other TCP/IP parameters as well. They can portscan
    H, B, C. So an analyst becomes a prober. Analysts at B, C will
    find the scan and re-scan. There is nesting (recursion)...
    
    [Case2 analyst < prober]
    The prober knows the OS version/type of B, C. It is difficult for them
    to know how many hops B to A and C to A usually. They need to know
    an Internet topology map. They have the craft to make mimic packets
    like B, C.
    
    -- 
    Greetings and sorry for my poor English,
    RainbowHat. I support FULL DISCLOSURE.
    I use the terms "prober", "attacker" and "intruder", because
    a hacker said "I'm just developing Linux|*BSD 20 hours per day."
    A hacker in a Hollywood movie said "I'm just acting the
    scenario!" A cracker said "I'm researching de-cryptography."
    A script kiddie said "i h4v3 n07 5ki11. i w4n4633 4 31337."
    ----+----1----+----2----+----3----+----4----+----5----+----6----+----7
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
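The passive and active checks described in Case1 above (same TTL/WINDOW/DF across several "sources" pointing at decoys; hop counts measured back to each source compared with what the logged TTL implies) can be written down as a small triage script. The following is an added example, not code from the thread or from any poster. The log lines are constructed in netfilter LOG style with documentation-range addresses, and MEASURED_HOPS stands in for the results of the analyst's own traceroutes; the initial-TTL table (64/128/255) is the usual heuristic, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed netfilter-style LOG lines for a SYN scan of port 53 as seen at
# the scanned host A (192.0.2.10). Addresses, TTLs and window sizes are made up.
SAMPLE_LOG = [
    "SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=48 ID=31337 DF PROTO=TCP SPT=40001 DPT=53 WINDOW=5840 SYN",
    "SRC=203.0.113.22 DST=192.0.2.10 LEN=60 TTL=48 ID=31338 DF PROTO=TCP SPT=40002 DPT=53 WINDOW=5840 SYN",
    "SRC=198.51.100.130 DST=192.0.2.10 LEN=60 TTL=48 ID=31339 DF PROTO=TCP SPT=40003 DPT=53 WINDOW=5840 SYN",
    "SRC=203.0.113.200 DST=192.0.2.10 LEN=48 TTL=113 ID=21 PROTO=TCP SPT=1027 DPT=53 WINDOW=16384 SYN",
]

# Constructed: hop counts the analyst measured by tracing back to each source.
MEASURED_HOPS = {
    "198.51.100.7": 16,     # matches the 16 hops implied by TTL=48 from 64
    "203.0.113.22": 9,      # path is far shorter than the TTL implies
    "198.51.100.130": 23,   # path is far longer than the TTL implies
    "203.0.113.200": 14,    # close to the 15 hops implied by TTL=113 from 128
}

FIELD_RE = re.compile(r"\b(SRC|TTL|WINDOW)=(\S+)")
INITIAL_TTLS = (64, 128, 255)  # common initial TTLs used by TCP/IP stacks


def parse_line(line):
    """Return (src, ttl, window, df) from one netfilter-style LOG line."""
    fields = dict(FIELD_RE.findall(line))
    df = "DF" in line.split()  # the DF token is present only when the bit is set
    return fields["SRC"], int(fields["TTL"]), int(fields["WINDOW"]), df


def fingerprints(lines):
    """Map each source address to its passive fingerprint (ttl, window, df)."""
    prints = {}
    for line in lines:
        src, ttl, window, df = parse_line(line)
        prints[src] = (ttl, window, df)
    return prints


def suspected_decoy_groups(prints):
    """Passive check: sources that claim different addresses but share one
    identical fingerprint are candidates for a single real prober plus decoys."""
    by_print = defaultdict(list)
    for src, fp in prints.items():
        by_print[fp].append(src)
    return [sorted(srcs) for srcs in by_print.values() if len(srcs) > 1]


def hops_from_ttl(observed_ttl):
    """Estimate hops travelled from a received TTL, assuming the sender started
    at the smallest common initial TTL that is >= the observed value."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise ValueError(f"TTL {observed_ttl} is not a valid IPv4 TTL")


def classify_sources(prints, measured_hops, tolerance=2):
    """Active check: compare the hop count implied by each logged TTL with the
    hop count measured back to that address. A mismatch means the packets
    did not originate where they claim (decoy); agreement makes the source a
    plausible real sender. Routing asymmetry is why a tolerance is allowed."""
    verdicts = {}
    for src, (ttl, _window, _df) in prints.items():
        implied = hops_from_ttl(ttl)
        measured = measured_hops.get(src)
        if measured is None:
            verdicts[src] = "unknown"
        elif abs(measured - implied) <= tolerance:
            verdicts[src] = "plausible-sender"
        else:
            verdicts[src] = "likely-decoy"
    return verdicts


if __name__ == "__main__":
    prints = fingerprints(SAMPLE_LOG)
    for group in suspected_decoy_groups(prints):
        print("shared fingerprint:", ", ".join(group))
    for src, verdict in sorted(classify_sources(prints, MEASURED_HOPS).items()):
        print(f"{src:16} {verdict}")
```

Read against the thread: the first three sources share TTL=48, WINDOW=5840 and DF, so the passive check groups them as one scanner plus decoys, while the fourth source has a different stack signature. The active check then separates 198.51.100.7 (measured path length agrees with its TTL) from the two addresses whose real path back does not fit the TTL on their packets. As the Case2 paragraph notes, a prober who can mimic B's and C's stack defeats the passive comparison, which is why the hop-count cross-check is the stronger of the two.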
    



    This archive was generated by hypermail 2b30 : Tue Jan 15 2002 - 14:12:58 PST