port 17300 probe fingerprint analysis

From: Royans Tharakan (RTharakanat_private)
Date: Mon Feb 17 2003 - 20:00:31 PST


    We have all been looking for activity on 17300. I have a honeypot running on this port
    which promptly ACKed back on that port. The probe promptly returned within 10 seconds 
    with a second probe.
    
    It's common to get RSTs back from the attacking host, which we in the intrusion 
    community have been dismissing as responses from a spoofed address. However, I did have
    a second TCP probe from the same server, which throws that idea away.
    
    It's normal for most OSes to send an RST on a SYN-ACK which was not initiated by them 
    (or if the SYN is crafted by a tool running on them), so I was tempted to say that the 
    RST here was generated by the source host after I sent the SYN-ACK for the first 
    packet. But the fingerprint of the second probe doesn't match the RST of the first 
    probe, leading me to believe that this was either generated by its firewall, or 
    by the tool itself to force our logs to believe that this was a reply from a spoofed 
    address. 
    
    There are significant fingerprinting differences between the first probe and the second probe. 
    It's easy to figure out that the first probe is actually crafted, but the difference between the
    first and second packet of the first probe can uniquely fingerprint this tool anywhere else
    on the internet. The TTL differs by 11 hops... and I'm tempted to bet that this could be a bug in
    this attacking tool.
    
    BTW, can someone tell me the importance of "Window Scale=0"?
    
    Here is some more info... and the packet dump itself.
    
    1. TTL changes from 113 to 244 between a SYN and an RST in the first probe
    2. IP ID is very different between the SYN and RST of the first probe.
    3. However, the IPID is sequential in the second probe
    4. The remote site ACKs my SYN-ACK and waits for reply from the victim host.
    5. Fingerprint of first probe 
    	Window size of the first packet is 0xC23C
    	TTL 113,244 (+11 is the hops I counted to that system) = 124,255
    	IPID is random (or 2 different systems, or crafted)
    6. Fingerprints of second probe
    	window size of the second packet is 0x7D78
    	TTL 53 (11 is the hops I counted to that system) = 64
    	SACKOK
    	TS 317697848
    	WS 0 
    
    -----Original Message-----
    
    
    ---------------
    01:58:53.790082 204.42.204.151.17300 > 24.219.XX.XX.17300: S [tcp sum ok] 490674844:490674844(0) win 49724 (ttl 113, id 21549, len 40)
                     4500 0028 542d 0000 7106 39ae cc2a cc97
                     18db XXXX 4394 4394 1d3f 1a9c 0da5 8c9f
                     5002 c23c d868 0000 0000 0000 0000
    01:58:53.798301 24.219.XX.XX.17300 > 204.42.204.151.17300: S [tcp sum ok] 0:0(0) ack 490674845 win 65535 (DF) [tos 0x10]  (ttl 64, id 0, len 40)
                     4510 0028 0000 4000 4006 7ecb 18db XXXX
                     cc2a cc97 4394 4394 0000 0000 1d3f 1a9d
                     5012 ffff 34d9 0000
    01:58:53.908607 204.42.204.151.17300 > 24.219.XX.XX.17300: R [tcp sum ok] 490674845:490674845(0) win 0 (ttl 244, id 48833, len 40)
                     4500 0028 bec1 0000 f406 4c19 cc2a cc97
                     18db XXXX 4394 4394 1d3f 1a9d 0000 0000
                     5004 0000 34e7 0000 0000 0000 0000
    01:59:04.012423 204.42.204.151.2195 > 24.219.XX.XX.17300: S [tcp sum ok] 31094744:31094744(0) win 32120 <mss 1460,sackOK,timestamp 317697848 0,nop,wscale 0> (DF) (ttl 53, id 49933, len 60)
                     4500 003c c30d 4000 3506 c6b9 cc2a cc97
                     18db XXXX 0893 4394 01da 77d8 0000 0000
                     a002 7d78 8698 0000 0204 05b4 0402 080a
                     12ef af38 0000 0000 0103 0300
    01:59:04.019866 24.219.XX.XX.17300 > 204.42.204.151.2195: S [tcp sum ok] 0:0(0) ack 31094745 win 65535 (DF) [tos 0x10]  (ttl 64, id 0, len 40)
                     4510 0028 0000 4000 4006 7ecb 18db XXXX
                     cc2a cc97 4394 0893 0000 0000 01da 77d9
                     5012 ffff 2e03 0000
    01:59:04.145460 204.42.204.151.2195 > 24.219.XX.XX.17300: . [tcp sum ok] 31094745:31094745(0) ack 1 win 32120 (DF) (ttl 53, id 49945, len 40)
                     4500 0028 c319 4000 3506 c6c1 cc2a cc97
                     18db XXXX 0893 4394 01da 77d9 0000 0001
                     5010 7d78 b08b 0000 0000 0000 0000
    01:59:04.145596 24.219.XX.XX.17300 > 204.42.204.151.2195: R [tcp sum ok] 1:1(0) win 0 (DF) (ttl 64, id 0, len 40)
                     4500 0028 0000 4000 4006 7edb 18db XXXX
                     cc2a cc97 4394 0893 0000 0001 0000 0000
                     5004 0000 a7c3 0000
    
    
    ----+----
    This email message (and any attached document) contains information from Ingenuity Systems Inc. which may be considered confidential by Ingenuity, or which may be privileged or otherwise exempt from disclosure under law, and is for the sole use of the individual or entity to whom it is addressed.  Any other dissemination, distribution or copying of this message is strictly prohibited.  If you receive this message in error, please notify me and destroy the attached message (and all attached documents) immediately. 
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
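The field comparison done by hand above can be automated. The following is an added example, not code from the post or from SecurityFocus: it parses the four attacker packets from the hex dumps quoted above (the SYN and RST of the first probe, the SYN and ACK of the second), pulls out the fields used for fingerprinting (TTL, IP ID, DF bit, window, flags and TCP options), estimates the sender's initial TTL and hop count from the common OS defaults of 32/64/128/255 (an assumption, not something the post states), and reports which fields differ between two packets that claim to come from the same host. The redacted destination octets "XXXX" are replaced with a 0000 placeholder before parsing, so the destination address printed is not real and the IP/TCP checksums of these packets cannot be verified here. The function and variable names are my own. The option decoder also shows what "wscale 0" means: the window-scale option is present (the sender supports RFC 1323 scaling) but the shift count is 0, so the advertised window is multiplied by 2**0, i.e. used unscaled.

```python
"""Extract TCP/IP fingerprint fields from tcpdump-style hex dumps."""
import struct
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed input: the attacker's packets from the post, copied from the hex
# dumps. The redacted "XXXX" destination octets are substituted with 0000,
# which is a placeholder, not the real address.
DUMPS = {
    "probe1_syn": """4500 0028 542d 0000 7106 39ae cc2a cc97
                     18db XXXX 4394 4394 1d3f 1a9c 0da5 8c9f
                     5002 c23c d868 0000 0000 0000 0000""",
    "probe1_rst": """4500 0028 bec1 0000 f406 4c19 cc2a cc97
                     18db XXXX 4394 4394 1d3f 1a9d 0000 0000
                     5004 0000 34e7 0000 0000 0000 0000""",
    "probe2_syn": """4500 003c c30d 4000 3506 c6b9 cc2a cc97
                     18db XXXX 0893 4394 01da 77d8 0000 0000
                     a002 7d78 8698 0000 0204 05b4 0402 080a
                     12ef af38 0000 0000 0103 0300""",
    "probe2_ack": """4500 0028 c319 4000 3506 c6c1 cc2a cc97
                     18db XXXX 0893 4394 01da 77d9 0000 0001
                     5010 7d78 b08b 0000 0000 0000 0000""",
}

TCP_FLAGS = {0x01: "F", 0x02: "S", 0x04: "R", 0x08: "P", 0x10: ".", 0x20: "U"}
# Assumed default initial TTLs of common stacks (p0f-style heuristic).
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


@dataclass
class Packet:
    src: str
    dst: str
    ttl: int
    ip_id: int
    df: bool
    sport: int
    dport: int
    seq: int
    ack: int
    flags: str
    window: int
    options: Dict[str, object] = field(default_factory=dict)


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn a whitespace-separated hex dump into bytes, filling redacted octets."""
    return bytes.fromhex("".join(dump.replace("XXXX", "0000").split()))


def parse_tcp_options(raw: bytes) -> Dict[str, object]:
    """Decode TCP options (RFC 793 MSS/NOP/EOL, RFC 1323 wscale/timestamp, RFC 2018 sackOK)."""
    opts: Dict[str, object] = {}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP, single byte of padding
            opts["nop"] = int(opts.get("nop", 0)) + 1
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2:
            break                           # malformed length; stop rather than loop forever
        length = raw[i + 1]
        body = raw[i + 2:i + length]
        if kind == 2:
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3:
            opts["wscale"] = body[0]        # shift count; 0 = scaling supported, window x 2**0
        elif kind == 4:
            opts["sackOK"] = True
        elif kind == 8:
            opts["timestamp"] = struct.unpack("!II", body)  # (TSval, TSecr)
        else:
            opts[f"opt{kind}"] = body.hex()
        i += length
    return opts


def parse_packet(dump: str) -> Packet:
    """Parse an IPv4/TCP header pair from a hex dump; trailing link-layer padding is dropped."""
    data = hexdump_to_bytes(dump)
    ver_ihl, _tos, total_len, ip_id, frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", data[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    data = data[:total_len]                 # the 40-byte packets are padded to 46 in the dump
    sport, dport, seq, ack, doff_res, flag_bits, window, _tcsum, _urg = struct.unpack(
        "!HHIIBBHHH", data[ihl:ihl + 20])
    doff = (doff_res >> 4) * 4
    flags = "".join(ch for bit, ch in TCP_FLAGS.items() if flag_bits & bit)
    return Packet(src=".".join(map(str, src)), dst=".".join(map(str, dst)), ttl=ttl,
                  ip_id=ip_id, df=bool(frag & 0x4000), sport=sport, dport=dport,
                  seq=seq, ack=ack, flags=flags, window=window,
                  options=parse_tcp_options(data[ihl + 20:ihl + doff]))


def guess_initial_ttl(ttl: int) -> Tuple[int, int]:
    """Return (assumed initial TTL, implied hop count) from the common defaults."""
    for initial in COMMON_INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError("TTL out of range")


def compare(a: Packet, b: Packet) -> Dict[str, Tuple[object, object]]:
    """Fingerprint fields that differ between two packets attributed to one host."""
    return {name: (getattr(a, name), getattr(b, name))
            for name in ("ttl", "ip_id", "df", "window", "options")
            if getattr(a, name) != getattr(b, name)}


def fingerprint(p: Packet) -> str:
    init, hops = guess_initial_ttl(p.ttl)
    opts = ",".join(f"{k}={v}" for k, v in p.options.items()) or "none"
    return f"ttl={p.ttl}(init~{init},{hops} hops) id={p.ip_id} df={int(p.df)} win={p.window:#06x} opts={opts}"


if __name__ == "__main__":
    pkts = {name: parse_packet(d) for name, d in DUMPS.items()}
    for name, p in pkts.items():
        print(f"{name}: {p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}] {fingerprint(p)}")
    print("probe1 SYN vs RST differ in:", compare(pkts["probe1_syn"], pkts["probe1_rst"]))
    print("probe2 SYN vs ACK differ in:", compare(pkts["probe2_syn"], pkts["probe2_ack"]))
```

Run as-is, the first probe's SYN (TTL 113) and RST (TTL 244) map to different assumed initial TTLs (128 and 255) and different IP ID values, with no DF bit and no options, while the second probe's SYN and ACK share TTL 53 (64 minus 11 hops), DF, and window 0x7d78, and differ only in the IP ID (sequential, 49933 then 49945) and in the options that only a SYN carries. The same parser can be pointed at any other dump of this probe to check whether the 113/244 TTL split shows up elsewhere.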
    



    This archive was generated by hypermail 2b30 : Tue Feb 18 2003 - 19:30:55 PST