Ideas? Port 21 SYNs, slow

From: Bubsy (pizzapoweredat_private)
Date: Wed Jul 10 2002 - 19:41:08 PDT


         I would like to pick your collective brains 
    regarding what I believe is an attack of some form, 
    even if it is very slow. I noticed a day and a half's 
    worth of continuous port 21 SYNs. Because there were 
    never any completed connections, this would not show up 
    in the FTP logs, but I watch all traffic, maybe I need 
    a life :) . I noticed an unusual amount of FTP port 
    SYNs that I was acknowledging, which were being 
    ignored. One or more SYNs would come in at about the 
    same time, to which I would respond with three 
    acknowledgements per SYN and then quit. Many of these 
    incoming SYNs had the same checksum. Strange, maybe 
    forgery?
    
    65.222.227.193 was the IP of the first FTP SYN 
    attempts, I portscanned that IP and found a webserver 
    (reverse DNS to deadarab.com) which was selling 
    anti-Osama goodies and other things. I also found 
    PcAnywhere, LDAP and many other things, and the FTP 
    SYNs continued. I later rescanned the same IP and found 
    that the services were taken down. No conceivable valid 
    WHOIS contact info, no surprise. More strangeness.
    
    I said to myself "Hey me, is this a DDoS or is this 
    meant for me?" I assumed this was intended for me 
    because of the disappearing services on the initial 
    offending IP. I blocked 65.222.227.* and watched. Then 
    came SYNs from 65.222.225.3. I allowed a few to be 
    acknowledged and dumped them to compare to the first 
    ones.
    
    
    From 65.222.227.193
    
    
    0x0000   00 10 DC 03 90 70 00 04-5A EE 19 15 08 00 45 08   ...p..Z....E.
    0x0010   00 28 A1 CE 00 00 F3 06-3D D3 41 DE E3 C1 C0 A8   .(...=A
    0x0020   01 DE 27 3B 00 15 17 A0-00 00 00 00 00 00 50 02   .';.........P.
    0x0030   FF FF 88 CC 00 00 88 88-88 88 88 88 88 88 88 88   ..
    
    new one from 65.222.225.3
    
    0x0000   00 10 DC 03 90 70 00 04-5A EE 19 15 08 00 45 08   ...p..Z....E.
    0x0010   00 28 CA 6B 00 00 F3 06-17 F4 41 DE E1 03 C0 A8   .(k....A.
    0x0020   01 DE 48 00 00 15 03 92-00 00 00 00 00 00 50 02   .H..........P.
    0x0030   FF FF 7E D3 00 00 88 88-88 88 88 88 88 88 88 88   ~..
    
    
    
    Hmm. Oh yes I am 127.0.0.1 :) of course. Now with 
    65.222.225.* blocked, I decided to WHOIS them, and I 
    got the idea that some admin or network guy had too 
    much time on his (or her, I'm not sexist) hands.
    
    ipw: Query: !NETBLK-UU-65-222-224
    DIOS / Maryland Online Network (NETBLK-UU-65-222-224)
       3234 Eastern Avenue
       Baltimore, MD 21224
       US
    
       Netname: UU-65-222-224
       Netblock: 65.222.224.0 - 65.222.239.255
       Maintainer: DIOS
    
       Coordinator:
          Kluver, Robert  (RK933-ARIN)  adminat_private
          410-558-0320
    
    
    In the next hour, similar stuff came from these IPs.
    
    65.222.225.3
    65.222.224.2
    65.207.91.38
    65.222.227.1
    65.222.227.58
    65.222.227.193
    65.222.227.255   (yeah, nice IP there) and
    212.169.100.130
    
    The two odd ones come to:
    
    ipw: Query: net 65.207.91.38
    UUNET Technologies, Inc. (NETBLK-UUNET65)
       3060 Williams Drive, Suite 601
       Fairfax, VA 22031
       US
    
       Netname: UUNET65
       Netblock: 65.192.0.0 - 65.223.255.255
       Maintainer: UU
    
    and
    
    ipw: Query: 212.169.100.130
    inetnum:      212.169.100.0 - 212.169.100.255
    netname:      NO-NETCOM-CUST-NEXTFRAME
    descr:        Customer Net for Nextframe AS
    country:      NO
    admin-c:      MH20735-RIPE
    tech-c:       NGH3-RIPE
    status:       ASSIGNED PA
    
    
    which rev. DNSs to cursed.darkisp.net, which has a 
    website which looks to me like a typical shell etc. 
    machine, which makes sense if the guy (or gal) has a 
    shell and wanted to see if I blocked his nets. The last 
    set of whatever this was came as a group attempt, which 
    I logged in an attempt to spot a pattern. I'm including 
    an excerpt from my log to see if anyone has any ideas 
    on what this might be. If anyone has any ideas, I would 
    be curious to hear them. Whatever this is appears to be 
    designed to defeat traditional logs by not actually 
    completing a connection, and by being slow enough as to 
    not establish a tangible pattern. I also assume that 
    the packets were not redirected, because shortly after 
    I would block one IP, a new IP would start in, makes 
    sense if the recipient saw the acks stop. I included 
    the tail end of the log, all "attacks" ended at the 
    endtime of my log. Thanks for your ideas people!
    
    #Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
    
    
    2002-07-09 14:34:43 DROP TCP 127.0.0.1 65.222.225.3 21 4180 40 A 4110057646 381616129 16616 - - -
    2002-07-09 14:36:23 DROP TCP 127.0.0.1 65.222.224.2 21 20236 40 A 4134902085 3394306049 16616 - - -
    2002-07-09 14:37:16 DROP TCP 127.0.0.1 65.222.225.3 21 41990 40 A 4148384846 2762276865 16616 - - -
    2002-07-09 14:39:49 DROP TCP 127.0.0.1 65.222.225.3 21 65232 40 A 4186694867 1689255937 16616 - - -
    2002-07-09 14:42:23 DROP TCP 127.0.0.1 65.222.225.3 21 5443 40 A 4225090877 2587623425 16616 - - -
    2002-07-09 14:44:56 DROP TCP 127.0.0.1 65.222.225.3 21 20112 40 A 4263412809 56098817 16616 - - -
    2002-07-09 14:47:29 DROP TCP 127.0.0.1 65.222.225.3 21 57345 40 A 6764770 2667642881 16616 - - -
    2002-07-09 15:07:56 DROP TCP 127.0.0.1 65.222.225.3 21 59280 40 A 313933308 2912026625 16616 - - -
    2002-07-09 15:10:30 DROP TCP 127.0.0.1 65.222.225.3 21 11686 40 A 352234325 1913913345 16616 - - -
    2002-07-09 15:14:16 DROP TCP 127.0.0.1 65.222.225.3 21 3327 40 A 408857607 3624730625 16616 - - -
    2002-07-09 15:14:45 DROP TCP 127.0.0.1 65.207.91.38 21 65376 40 A 416115621 619642881 16616 - - -
    2002-07-09 15:18:06 DROP TCP 127.0.0.1 65.222.225.3 21 26290 40 A 466441213 2279211009 16616 - - -
    2002-07-09 15:23:49 DROP TCP 127.0.0.1 65.222.227.1 21 4956 40 A 552137575 1170931713 16616 - - -
    2002-07-09 15:24:29 DROP TCP 127.0.0.1 65.222.227.58 21 16132 40 A 562152023 2356543489 16616 - - -
    2002-07-09 15:25:28 DROP TCP 127.0.0.1 65.222.227.193 21 34760 40 A 576941514 3932422145 16616 - - -
    2002-07-09 15:27:39 DROP TCP 127.0.0.1 65.222.227.1 21 25326 40 A 609659434 4036886529 16616 - - -
    2002-07-09 15:28:19 DROP TCP 127.0.0.1 65.222.227.58 21 64399 40 A 619689148 4258922497 16616 - - -
    2002-07-09 15:29:18 DROP TCP 127.0.0.1 65.222.227.193 21 50111 40 A 634455459 2386165761 16616 - - -
    2002-07-09 15:31:29 DROP TCP 127.0.0.1 65.222.227.1 21 26659 40 A 667182451 804323329 16616 - - -
    2002-07-09 15:32:09 DROP TCP 127.0.0.1 65.222.227.58 21 60889 40 A 677316192 4153802753 16616 - - -
    2002-07-09 15:33:07 DROP TCP 127.0.0.1 65.222.227.193 21 25896 40 A 691866866 3945267201 16616 - - -
    2002-07-09 15:35:19 DROP TCP 127.0.0.1 65.222.227.1 21 8308 40 A 724771123 1846280193 16616 - - -
    2002-07-09 15:35:59 DROP TCP 127.0.0.1 65.222.227.58 21 11133 40 A 734953939 2234843137 16616 - - -
    2002-07-09 15:36:57 DROP TCP 127.0.0.1 65.222.227.193 21 59740 40 A 749290458 75169793 16616 - - -
    2002-07-09 15:39:08 DROP TCP 127.0.0.1 65.222.227.1 21 48063 40 A 782099076 732954625 16616 - - -
    2002-07-09 15:39:49 DROP TCP 127.0.0.1 65.222.227.58 21 36191 40 A 792386019 2452226049 16616 - - -
    2002-07-09 15:40:46 DROP TCP 127.0.0.1 65.222.227.193 21 55307 40 A 806776048 3227779073 16616 - - -
    2002-07-09 15:42:59 DROP TCP 127.0.0.1 65.222.227.1 21 40638 40 A 839891034 3176071169 16616 - - -
    2002-07-09 15:43:39 DROP TCP 127.0.0.1 65.222.227.58 21 1761 40 A 850012211 2602893313 16616 - - -
    2002-07-09 15:44:36 DROP TCP 127.0.0.1 65.222.227.193 21 19276 40 A 864273794 731185153 16616 - - -
    2002-07-09 15:47:24 DROP TCP 127.0.0.1 65.222.227.1 21 65154 40 A 906143613 659161089 16616 - - -
    2002-07-09 15:48:16 DROP TCP 127.0.0.1 65.222.227.58 21 5601 40 A 919156152 3022585857 16616 - - -
    2002-07-09 15:49:32 DROP TCP 127.0.0.1 65.222.227.193 21 37316 40 A 938220005 893845505 16616 - - -
    2002-07-09 15:50:38 DROP TCP 127.0.0.1 65.222.227.255 21 59731 40 A 954865216 3894345729 16616 - - -
    2002-07-09 15:52:31 DROP TCP 127.0.0.1 65.222.227.1 21 59503 40 A 983194631 2775973889 16616 - - -
    2002-07-09 15:53:20 DROP TCP 127.0.0.1 65.222.227.58 21 19743 40 A 995403697 896466945 16616 - - -
    2002-07-09 15:54:38 DROP TCP 127.0.0.1 65.222.227.193 21 16729 40 A 1014842293 3790274561 16616 - - -
    2002-07-09 15:55:44 DROP TCP 127.0.0.1 65.222.227.255 21 28979 40 A 1031448608 830930945 16616 - - -
    2002-07-09 15:57:38 DROP TCP 127.0.0.1 65.222.227.1 21 7554 40 A 1059961455 3073376257 16616 - - -
    2002-07-09 15:58:28 DROP TCP 127.0.0.1 65.222.227.58 21 10239 40 A 1072298522 1625358337 16616 - - -
    2002-07-09 15:59:44 DROP TCP 127.0.0.1 65.222.227.193 21 40606 40 A 1091370715 1573912577 16616 - - -
    2002-07-09 16:00:49 DROP TCP 127.0.0.1 65.222.227.255 21 24397 40 A 1107641688 2339176449 16616 - - -
    2002-07-09 16:02:46 DROP TCP 127.0.0.1 65.222.227.1 21 4631 40 A 1137074499 1547239425 16616 - - -
    2002-07-09 16:03:35 DROP TCP 127.0.0.1 65.222.227.58 21 24265 40 A 1149237606 2326331393 16616 - - -
    2002-07-09 16:04:50 DROP TCP 127.0.0.1 65.222.227.193 21 46334 40 A 1167975572 1481703425 16616 - - -
    2002-07-09 16:05:54 DROP TCP 127.0.0.1 65.222.227.255 21 43932 40 A 1184125492 2120286209 16616 - - -
    2002-07-09 16:07:54 DROP TCP 127.0.0.1 65.222.227.1 21 18067 40 A 1213983467 2356871169 16616 - - -
    2002-07-09 16:08:43 DROP TCP 127.0.0.1 65.222.227.58 21 25766 40 A 1226378215 3776249857 16616 - - -
    2002-07-09 16:09:54 DROP TCP 127.0.0.1 65.222.227.193 21 34759 40 A 1244087238 1134624769 16616 - - -
    2002-07-09 16:11:00 DROP TCP 127.0.0.1 65.222.227.255 21 32819 40 A 1260652350 1536950273 16616 - - -
    2002-07-09 16:12:59 DROP TCP 127.0.0.1 65.222.227.1 21 30896 40 A 1290440103 57933825 16616 - - -
    2002-07-09 16:13:50 DROP TCP 127.0.0.1 65.222.227.58 21 27243 40 A 1303242109 1163526145 16616 - - -
    2002-07-09 16:15:01 DROP TCP 127.0.0.1 65.222.227.193 21 4791 40 A 1321009627 51183617 16616 - - -
    2002-07-09 16:16:07 DROP TCP 127.0.0.1 65.222.227.255 21 16114 40 A 1337329759 1207566337 16616 - - -
    2002-07-09 16:18:05 DROP TCP 127.0.0.1 65.222.227.1 21 60937 40 A 1367027709 2753101825 16616 - - -
    2002-07-09 16:18:57 DROP TCP 127.0.0.1 65.222.227.58 21 7945 40 A 1379977654 1515520001 16616 - - -
    2002-07-09 16:20:08 DROP TCP 127.0.0.1 65.222.227.193 21 58487 40 A 1397713040 1683357697 16616 - - -
    2002-07-09 16:21:13 DROP TCP 127.0.0.1 65.222.227.255 21 7852 40 A 1414079077 1374027777 16616 - - -
    2002-07-09 16:23:13 DROP TCP 127.0.0.1 65.222.227.1 21 31829 40 A 1444010446 1832910849 16616 - - -
    2002-07-09 16:24:03 DROP TCP 127.0.0.1 65.222.227.58 21 42134 40 A 1456597809 2370043905 16616 - - -
    2002-07-09 16:25:15 DROP TCP 127.0.0.1 65.222.227.193 21 48191 40 A 1474677036 1793261569 16616 - - -
    2002-07-09 16:26:19 DROP TCP 127.0.0.1 65.222.227.255 21 18985 40 A 1490531613 4274192385 16616 - - -
    2002-07-09 16:28:20 DROP TCP 127.0.0.1 65.222.227.1 21 58435 40 A 1520806308 628293633 16616 - - -
    2002-07-09 16:29:09 DROP TCP 127.0.0.1 65.222.227.58 21 33063 40 A 1533094769 587792385 16616 - - -
    2002-07-09 16:30:22 DROP TCP 127.0.0.1 65.222.227.193 21 34872 40 A 1551511862 3294625793 16616 - - -
    2002-07-09 16:31:24 DROP TCP 127.0.0.1 65.222.227.255 21 55246 40 A 1566882639 2254635009 16616 - - -
    2002-07-09 16:33:26 DROP TCP 127.0.0.1 65.222.227.1 21 282 40 A 1597492247 2361720833 16616 - - -
    2002-07-09 16:34:15 DROP TCP 127.0.0.1 65.222.227.58 21 8368 40 A 1609821078 2197422081 16616 - - -
    2002-07-09 16:35:30 DROP TCP 127.0.0.1 65.222.227.193 21 22093 40 A 1628558895 2873360385 16616 - - -
    2002-07-09 16:36:29 DROP TCP 127.0.0.1 65.222.227.255 21 21506 40 A 1643280221 723320833 16616 - - -
    2002-07-09 16:38:32 DROP TCP 127.0.0.1 65.222.227.1 21 49495 40 A 1673999831 1337917441 16616 - - -
    2002-07-09 16:39:23 DROP TCP 127.0.0.1 65.222.227.58 21 2630 40 A 1686805847 2673868801 16616 - - -
    2002-07-09 16:40:38 DROP TCP 127.0.0.1 65.222.227.193 21 47099 40 A 1705561276 1971650561 16616 - - -
    2002-07-09 16:41:34 DROP TCP 127.0.0.1 65.222.227.255 21 12541 40 A 1719788892 3247374337 16616 - - -
    2002-07-09 16:43:39 DROP TCP 127.0.0.1 65.222.227.1 21 20892 40 A 1750849323 4029939713 16616 - - -
    2002-07-09 16:44:28 DROP TCP 127.0.0.1 65.222.227.58 21 56619 40 A 1763300043 62849025 16616 - - -
    2002-07-09 16:45:45 DROP TCP 127.0.0.1 65.222.227.193 21 53663 40 A 1782386724 3809280001 16616 - - -
    2002-07-09 16:46:40 DROP TCP 127.0.0.1 65.222.227.255 21 44093 40 A 1796280647 1961426945 16616 - - -
    2002-07-09 16:48:45 DROP TCP 127.0.0.1 65.222.227.1 21 43060 40 A 1827539914 3206152193 16616 - - -
    2002-07-09 16:49:35 DROP TCP 127.0.0.1 65.222.227.58 21 40576 40 A 1840015350 2806906881 16616 - - -
    2002-07-09 16:50:52 DROP TCP 127.0.0.1 65.222.227.193 21 38179 40 A 1859204304 2213150721 16616 - - -
    2002-07-09 16:51:46 DROP TCP 127.0.0.1 65.222.227.255 21 14921 40 A 1872870200 1129709569 16616 - - -
    2002-07-09 16:53:51 DROP TCP 127.0.0.1 65.222.227.1 21 31818 40 A 1904111567 1253048321 16616 - - -
    2002-07-09 16:54:42 DROP TCP 127.0.0.1 65.222.227.58 21 50804 40 A 1916875803 2446655489 16616 - - -
    2002-07-09 16:55:59 DROP TCP 127.0.0.1 65.222.227.193 21 331 40 A 1936045330 1610153985 16616 - - -
    2002-07-09 16:56:53 DROP TCP 127.0.0.1 65.222.227.255 21 22664 40 A 1949656360 1375797249 16616 - - -
    2002-07-09 16:58:58 DROP TCP 127.0.0.1 65.222.227.1 21 53434 40 A 1980967895 720175105 16616 - - -
    2002-07-09 16:59:48 DROP TCP 127.0.0.1 65.222.227.58 21 16960 40 A 1993475934 622592001 16616 - - -
    2002-07-09 17:01:06 DROP TCP 127.0.0.1 65.222.227.193 21 30064 40 A 2012899853 3771072513 16616 - - -
    2002-07-09 17:01:58 DROP TCP 127.0.0.1 65.222.227.255 21 14187 40 A 2025993664 1508900865 16616 - - -
    2002-07-09 17:04:05 DROP TCP 127.0.0.1 65.222.227.1 21 43269 40 A 2057678046 2351104001 16616 - - -
    2002-07-09 17:04:55 DROP TCP 127.0.0.1 65.222.227.58 21 62018 40 A 2070227715 157810689 16616 - - -
    2002-07-09 17:06:12 DROP TCP 127.0.0.1 65.222.227.193 21 60323 40 A 2089456089 2509635585 16616 - - -
    2002-07-09 17:07:04 DROP TCP 127.0.0.1 65.222.227.255 21 38491 40 A 2102571253 3855876097 16616 - - -
    2002-07-09 17:09:11 DROP TCP 127.0.0.1 65.222.227.1 21 6494 40 A 2134375022 3345350657 16616 - - -
    2002-07-09 17:10:02 DROP TCP 127.0.0.1 65.222.227.58 21 25453 40 A 2147059546 226361345 16616 - - -
    2002-07-09 17:11:18 DROP TCP 127.0.0.1 65.222.227.193 21 1746 40 A 2166074335 1824260097 16616 - - -
    2002-07-09 17:12:11 DROP TCP 127.0.0.1 65.222.227.255 21 11900 40 A 2179429687 2000224257 16616 - - -
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Thu Jul 11 2002 - 14:35:07 PDT