Re: Ideas? Port 21 SYNs, slow

From: Michael H. Warfield (mhwat_private)
Date: Fri Jul 12 2002 - 16:05:33 PDT


    On Thu, Jul 11, 2002 at 06:15:17PM -0400, Jason Giglio wrote:
    > You are probably seeing backscatter from a DDoS attack.  Someone is
    > probably spoofing your address as the source of the attack,
    > among a lot of others.  That also explains why the server went
    > down eventually.  Also the controversial political nature of the
    > site would make it a target of attack.
    
    > Just my guess.
    
    	Bad guess.  Wrong answer.  Unless the data he's supplying is bogus.
    
    	He is reporting port 21 SYNs.  Now, unless they are SYN-ACKs,
    there is no way on God's green earth for them to be backscatter.  Why?
    Because there is no TCP request packet that RESULTS in a SYN packet.
    A SYN-ACK, yes.  A SYN, no.  Backscatter, by definition, are response
    packets.  SYN packets can not be response packets.  Therefore SYN
    packets can not be backscatter.
    
    	For the record...  The "darkside" / "blackhole" network I monitor
    has received sporadic bursts of both FTP SYN (not SYN ACK) and FTP FIN
    (which is probably stealth scanning) from several sites over the last
    few days.  Several are in Korea (over half).  Some are not.  I do
    monitor for backscatter and, IMNSHO, have some pretty good filters
    for discriminating between what is backscatter and what is direct
    scanning (it's not that difficult).  Backscatter is running pretty
    low (from my view port) at the moment compared to flat out port scanning.
    
    	BTW...  As several of us have noted in the past, some "slow"
    scans are, if you were at the source, "balls to the wall", "scan
    the planet", scans with the address ordering arranged to minimize
    the hits per day a (small) end network experiences.  We've seen several
    scans in which the scanner is running as fast as possible but is
    incrementing through the address space in "octet reversed order" so
    someone on a /24 only sees an occasional hit while someone like me
    and others I collaborate with see faster hits on our /16 but the next
    higher byte increments faster.  Correlating with some of my "numerical
    neighbors", it's rapidly obvious that the octet next up (the second
    octet) is incrementing even faster.  I'm sure Dug Song and a few of
    the others with the high honor of access to the data from a fossil
    /8 can attest to even more interesting patterns of activity.  Correlating
    that data with distributed sensor data where I work is consistent with
    scans where the bytes are incremented in reverse order and what appears
    to be a slow scan is really an uncapped scan that is blazing away with
    all barrels a blazing.  So, slow or fast is a rather relative term.  :-)
    
    > On 11 Jul 2002 02:41:08 -0000
    > Bubsy <pizzapoweredat_private> wrote:
    > 
    > > 
    > > 
    > >      I would like to pick your collective brains 
    > > regarding what I believe is an attack of some form, 
    > > even if it is very slow. I noticed a day and a half 
    > > worth of continuous port 21 SYNs. Because there were 
    > > never any completed connections, this would not show up 
    > > in the FTP logs, but I watch all traffic, maybe I need 
    > > a life :) . I noticed an unusual amount of FTP port 
    > > SYNs that I was acknowledging, which were being 
    > > ignored. One or more SYNs would come in at about the 
    > > same time, to which I would respond with three 
    > > acknowledgements per SYN and then quit. Many of these 
    > > incoming SYNs had the same checksum. Strange, maybe 
    > > forgery?
    > > 
    > > 65.222.227.193 was the IP of the first FTP SYN 
    > > attempts, I portscanned that IP and found a webserver 
    > > (reverse DNS to deadarab.com) which was selling 
    > > anti-Osama goodies and other things. I also found 
    > > PcAnywhere, LDAP and many other things, and the FTP 
    > > SYNs continued. I later rescanned the same IP and found 
    > > that the services were taken down. No conceivable valid 
    > > WHOIS contact info, no surprise. More strangeness.
    > > 
    > > I said to myself "Hey me, is this a DDos or is this 
    > > meant for me?"? I assumed this was intended for me 
    > > because of the disappearing services on the initial 
    > > offending IP. I blocked 65.222.227.* and watched. Then 
    > > came SYNs from 65.222.225.3. I allowed a few to be 
    > > acknowledged and dumped them to compare to the first 
    > > ones.
    > > 
    > > 
    > > From 65.222.227.193
    > > 
    > > 
    > > 0x0000   00 10 DC 03 90 70 00 04-5A EE 19 15 08 00 45 08   ...p..Z....E.
    > > 0x0010   00 28 A1 CE 00 00 F3 06-3D D3 41 DE E3 C1 C0 A8   .(...=A?
    > > 0x0020   01 DE 27 3B 00 15 17 A0-00 00 00 00 00 00 50 02   .';.........P.
    > > 0x0030   FF FF 88 CC 00 00 88 88-88 88 88 88 88 88 88 88   ..
    > > 
    > > new one from 65.222.225.3
    > > 
    > > 0x0000   00 10 DC 03 90 70 00 04-5A EE 19 15 08 00 45 08   ...p..Z....E.
    > > 0x0010   00 28 CA 6B 00 00 F3 06-17 F4 41 DE E1 03 C0 A8   .(k....A.?
    > > 0x0020   01 DE 48 00 00 15 03 92-00 00 00 00 00 00 50 02   .H..........P.
    > > 0x0030   FF FF 7E D3 00 00 88 88-88 88 88 88 88 88 88 88   ~..
    > > 
    > > 
    > > 
    > > Hmm. Oh yes I am 127.0.0.1 :) of course. Now with 
    > > 65.222.225.* blocked, I decided to WHOIS them, and I 
    > > got the idea that some admin or network guy had too 
    > > much time on his (or her, I'm not sexist) hands.
    > > 
    > > ipw: Query: !NETBLK-UU-65-222-224
    > > DIOS / Maryland Online Network (NETBLK-UU-65-222-224)
    > >    3234 Eastern Avenue
    > >    Baltimore, MD 21224
    > >    US
    > > 
    > >    Netname: UU-65-222-224
    > >    Netblock: 65.222.224.0 - 65.222.239.255
    > >    Maintainer: DIOS
    > > 
    > >    Coordinator:
    > >       Kluver, Robert  (RK933-ARIN)  adminat_private
    > >       410-558-0320
    > > 
    > > 
    > > In the next hour, similar stuff came from these IPs.
    > > 
    > > 65.222.225.3
    > > 65.222.224.2
    > > 65.207.91.38
    > > 65.222.227.1
    > > 65.222.227.58
    > > 65.222.227.193
    > > 65.222.227.255   (yeah, nice IP there) and
    > > 212.169.100.130
    > > 
    > > The two odd ones come to:
    > > 
    > > ipw: Query: net 65.207.91.38
    > > UUNET Technologies, Inc. (NETBLK-UUNET65)
    > >    3060 Williams Drive, Suite 601
    > >    Fairfax, VA 22031
    > >    US
    > > 
    > >    Netname: UUNET65
    > >    Netblock: 65.192.0.0 - 65.223.255.255
    > >    Maintainer: UU
    > > 
    > > and
    > > 
    > > ipw: Query: 212.169.100.130
    > > inetnum:      212.169.100.0 - 212.169.100.255
    > > netname:      NO-NETCOM-CUST-NEXTFRAME
    > > descr:        Customer Net for Nextframe AS
    > > country:      NO
    > > admin-c:      MH20735-RIPE
    > > tech-c:       NGH3-RIPE
    > > status:       ASSIGNED PA
    > > 
    > > 
    > > which rev. DNSs to cursed.darkisp.net, which has a 
    > > website which looks to me like a typical shell etc. 
    > > machine, which makes sense if the guy (or gal) has a 
    > > shell and wanted to see if I blocked his nets. The last 
    > > set of whatever this was came as a group attempt, which 
    > > I logged in an attempt to spot a pattern. I'm including 
    > > an excerpt from my log to see if anyone has any ideas 
    > > on what this might be. If anyone has any ideas, I would 
    > > be curious to hear them. Whatever this is appears to be 
    > > designed to defeat traditional logs by not actually 
    > > completing a connection, and by being slow enough as to 
    > > not establish a tangible pattern. I also assume that 
    > > the packets were not redirected, because shortly after 
    > > I would block one IP, a new IP would start in, makes 
    > > sense if the recipient saw the acks stop. I included 
    > > the tail end of the log, all "attacks" ended at the 
    > > endtime of my log. Thanks for your ideas people!
    > > 
    > > #Fields: date time action protocol src-ip dst-ip 
    > > src-port dst-port size tcpflags tcpsyn tcpack tcpwin 
    > > icmptype icmpcode info
    > > 
    > > 
    > > 
    > > 
    > > ----------------------------------------------------------------------------
    > > This list is provided by the SecurityFocus ARIS analyzer service.
    > > For more information on this free incident handling, management 
    > > and tracking system please see: http://aris.securityfocus.com
    > > 
    > 
    
    -- 
     Michael H. Warfield    |  (770) 985-6132   |  mhwat_private
      /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
      NIC whois:  MHW9      |  An optimist believes we live in the best of all
     PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
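
The response-versus-request distinction made in the reply above, as an added example that is not part of the original message: Python code that parses the first frame quoted in the thread and sorts it by TCP flags. The category names and the rules in `classify` are assumptions chosen for illustration, not the filters the author describes; the SYN-ACK variant is constructed.

```python
import struct

# First frame quoted in the thread (source 65.222.227.193), bytes as posted.
FRAME_FROM_THREAD = bytes.fromhex(
    "0010DC03907000045AEE191508004508"
    "0028A1CE0000F3063DD341DEE3C1C0A8"
    "01DE273B001517A00000000000005002"
    "FFFF88CC000088888888888888888888"
)

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
ETH_LEN = 14


def parse_tcp(frame):
    """Return addresses, ports and flags of an Ethernet II / IPv4 / TCP frame."""
    if len(frame) < ETH_LEN + 20:
        raise ValueError("frame too short for an IPv4 header")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    version, ihl = frame[ETH_LEN] >> 4, (frame[ETH_LEN] & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("malformed IPv4 header")
    if frame[ETH_LEN + 9] != 6:
        raise ValueError("not TCP")
    tcp = ETH_LEN + ihl
    if len(frame) < tcp + 20:
        raise ValueError("frame too short for a TCP header")
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    return {
        "src": ".".join(map(str, frame[ETH_LEN + 12:ETH_LEN + 16])),
        "dst": ".".join(map(str, frame[ETH_LEN + 16:ETH_LEN + 20])),
        "sport": sport,
        "dport": dport,
        "flags": frame[tcp + 13] & (FIN | SYN | RST | ACK),
    }


def classify(flags):
    """Sort a packet seen at a sensor by whether it can be a reply at all."""
    if flags & RST:
        return "backscatter-candidate"   # RST or RST-ACK: reply to an unexpected segment
    if flags == (SYN | ACK):
        return "backscatter-candidate"   # SYN-ACK: reply to a SYN
    if flags == SYN:
        return "direct-probe"            # a bare SYN opens a connection, it answers nothing
    if flags == FIN:
        return "direct-probe"            # bare FIN: the stealth scan mentioned in the reply
    return "ambiguous"                   # e.g. a bare ACK, which flags alone cannot settle


def with_flags(frame, flags):
    """Constructed variant of a frame with other TCP flags (checksum not recomputed)."""
    tcp = ETH_LEN + (frame[ETH_LEN] & 0x0F) * 4
    out = bytearray(frame)
    out[tcp + 13] = flags
    return bytes(out)


if __name__ == "__main__":
    pkt = parse_tcp(FRAME_FROM_THREAD)
    print(pkt, classify(pkt["flags"]))
    print(classify(parse_tcp(with_flags(FRAME_FROM_THREAD, SYN | ACK))["flags"]))
```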
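
The octet-reversed ordering described in the reply above, worked from the sensor's side as an added example that is not part of the original message: Python code that checks whether hits from one source fit that ordering and estimates how fast the source is really probing. It assumes a scanner walking a plain 32-bit counter whose low byte becomes the first octet; the function names, the 10.20.0.0/16 sensor and the sample hits are constructed.

```python
import ipaddress


def scan_position(dst):
    """Index of dst in an octet-reversed walk (first octet = low byte of the counter)."""
    a, b, c, d = ipaddress.IPv4Address(dst).packed
    return a | (b << 8) | (c << 16) | (d << 24)


def looks_octet_reversed(hits, sensor_prefix_len):
    """hits: [(seconds, dst_ip), ...] from one source, in arrival order.

    Returns True/False, or None when the sensor cannot tell: inside a /24 only
    the last octet varies, so every ordering looks the same.
    """
    if sensor_prefix_len not in (8, 16) or len(hits) < 2:
        return None
    addrs = [ipaddress.IPv4Address(ip).packed for _, ip in hits]
    changes = [0, 0, 0, 0]
    for prev, cur in zip(addrs, addrs[1:]):
        for i in range(4):
            changes[i] += prev[i] != cur[i]
    fastest = max(range(4), key=changes.__getitem__)
    pos = [scan_position(ip) for _, ip in hits]
    increasing = all(q > p for p, q in zip(pos, pos[1:]))
    # Reversed walk: the leftmost octet inside the sensor changes on every hit.
    return increasing and fastest == sensor_prefix_len // 8


def estimated_source_rate(hits):
    """Probes per second at the source, from first and last hit (counter wrap ignored)."""
    elapsed = hits[-1][0] - hits[0][0]
    if elapsed <= 0:
        raise ValueError("need hits spread over time")
    return (scan_position(hits[-1][1]) - scan_position(hits[0][1])) / elapsed


def seconds_between_hits(rate, prefix_len):
    """Gap between consecutive hits from such a scan on a /8, /16 or /24 sensor."""
    if prefix_len not in (8, 16, 24):
        raise ValueError("model covers octet-aligned prefixes only")
    return 256 ** (prefix_len // 8) / rate


# Constructed: what a /16 sensor records from one source.
REVERSED_HITS = [(0.0, "10.20.0.7"), (6.5536, "10.20.1.7"),
                 (13.1072, "10.20.2.7"), (19.6608, "10.20.3.7")]
# Constructed: an ordinary ascending scan of the same block.
SEQUENTIAL_HITS = [(0.0, "10.20.0.7"), (0.0001, "10.20.0.8"), (0.0002, "10.20.0.9")]

if __name__ == "__main__":
    rate = estimated_source_rate(REVERSED_HITS)
    print(looks_octet_reversed(REVERSED_HITS, 16), round(rate))
    print("gap seen by a /24 at that rate (s):", seconds_between_hits(rate, 24))
```

With the constructed hits, one probe every 6.5 seconds on the /16 corresponds to a source sending about 10,000 probes per second, while a /24 inside that block would log one hit roughly every 28 minutes.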
    
    


