I began noticing this "random" packet activity during the last week of May, and sent a note to CERT on 5/29. What I'm seeing is a one-to-one relationship between most source IP/port and destination IP/port packets. However, from a few source IPs there is a one-to-many source-to-destination relationship. What is interesting is the exact same packets (sent from a one-to-many source) also show up from a one-to-one source. I.e., 151.11.190.23 and 133.220.162.119 are one-to-one sources, and 24.118.114.71 is a one-to-many source:

Date       Time     TCP Seq#  Source Address   Port     Target Address   Port
05/29/2003 02:54:01 4E4CC713  151.11.190.23    25886 -> XXX.XX.1.251     24141
05/29/2003 03:10:15 4E4CC713  151.11.190.23    25886 -> XXX.XX.1.251     24141
05/29/2003 06:10:23 4E4CC713  151.11.190.23    25886 -> XXX.XX.1.251     24141
05/29/2003 06:10:53 4E4CC713  151.11.190.23    25886 -> XXX.XX.1.251     24141
05/29/2003 06:57:16 4E4CC713  151.11.190.23    25886 -> XXX.XX.1.251     24141
05/29/2003 07:34:44 4E4CC713  24.118.114.71    25886 -> XXX.XX.1.251     24141
05/29/2003 07:46:45 4E4CC713  151.11.190.23    25886 -> XXX.XX.1.251     24141
05/29/2003 09:44:14 4E4CC713  151.11.190.23    25886 -> XXX.XX.1.251     24141
05/29/2003 13:14:58 4E4CC713  151.11.190.23    25886 -> XXX.XX.1.251     24141

Date       Time     TCP Seq#  Source Address   Port     Target Address   Port
05/29/2003 01:51:38 4AE14A35  133.220.162.119  24190 -> XXX.XX.101.195   29888
05/29/2003 04:45:23 4AE14A35  133.220.162.119  24190 -> XXX.XX.101.195   29888
05/29/2003 05:00:56 4AE14A35  133.220.162.119  24190 -> XXX.XX.101.195   29888
05/29/2003 08:03:52 4AE14A35  133.220.162.119  24190 -> XXX.XX.101.195   29888
05/29/2003 09:26:24 4AE14A35  24.118.114.71    24190 -> XXX.XX.101.195   29888
05/29/2003 09:38:56 4AE14A35  133.220.162.119  24190 -> XXX.XX.101.195   29888
05/29/2003 11:05:52 4AE14A35  133.220.162.119  24190 -> XXX.XX.101.195   29888
05/29/2003 11:43:30 4AE14A35  133.220.162.119  24190 -> XXX.XX.101.195   29888
05/29/2003 13:38:50 4AE14A35  133.220.162.119  24190 -> XXX.XX.101.195   29888

Date       Time     TCP Seq#  Source Address   Port     Target Address   Port
05/29/2003 05:57:29 D5A3071E  24.118.114.71    2538  -> XXX.XX.114.255   49961
05/29/2003 06:03:25 41956321  24.118.114.71    20718 -> XXX.XX.109.63    4187
05/29/2003 06:03:53 5CFA533B  24.118.114.71    29026 -> XXX.XX.194.108   40519
05/29/2003 06:08:40 5A726357  24.118.114.71    60991 -> XXX.XX.247.55    56598
05/29/2003 06:15:57 F1E1FEAB  24.118.114.71    9997  -> XXX.XX.240.152   47417
05/29/2003 06:28:38 8ABCF738  24.118.114.71    20822 -> XXX.XX.129.210   16730
05/29/2003 06:29:49 97FB428B  24.118.114.71    28706 -> XXX.XX.121.129   9987
05/29/2003 06:30:22 43BD0FEB  24.118.114.71    4133  -> XXX.XX.205.32    28789
05/29/2003 06:30:35 B869A537  24.118.114.71    45387 -> XXX.XX.115.132   31733
05/29/2003 06:44:15 300E57D   24.118.114.71    44483 -> XXX.XX.82.132    11984
05/29/2003 07:03:42 DFD2ABFB  24.118.114.71    48202 -> XXX.XX.234.114   5076
05/29/2003 07:07:02 7A8CE2CC  24.118.114.71    25213 -> XXX.XX.25.27     60786
05/29/2003 07:09:44 F5CBEF9   24.118.114.71    8627  -> XXX.XX.201.206   5423
05/29/2003 07:13:09 15D1640   24.118.114.71    24543 -> XXX.XX.247.36    6853
05/29/2003 07:20:16 C4CA567D  24.118.114.71    23306 -> XXX.XX.60.208    39526
05/29/2003 07:27:17 38827CA8  24.118.114.71    2181  -> XXX.XX.10.48     35124
05/29/2003 07:34:44 4E4CC713  24.118.114.71    25886 -> XXX.XX.1.251     24141
05/29/2003 07:40:29 DCFD34AD  24.118.114.71    18589 -> XXX.XX.140.100   17423
05/29/2003 07:42:09 EDDC48AB  24.118.114.71    23431 -> XXX.XX.51.2      1561
05/29/2003 07:43:07 190779F8  24.118.114.71    40084 -> XXX.XX.93.87     41864
05/29/2003 07:47:22 5B81F638  24.118.114.71    2612  -> XXX.XX.83.253    44231
05/29/2003 07:50:45 356511C8  24.118.114.71    7851  -> XXX.XX.32.127    3696
05/29/2003 07:52:23 26DFBD4C  24.118.114.71    19327 -> XXX.XX.86.3      56459
05/29/2003 07:54:47 4A911F4E  24.118.114.71    43070 -> XXX.XX.194.161   12178
05/29/2003 08:00:21 65A86341  24.118.114.71    32001 -> XXX.XX.180.49    25795
05/29/2003 08:00:38 DE844A88  24.118.114.71    26637 -> XXX.XX.134.160   42131
05/29/2003 08:05:06 88D4A8D6  24.118.114.71    12839 -> XXX.XX.251.235   62720
05/29/2003 08:06:06 E126DEE7  24.118.114.71    48685 -> XXX.XX.116.222   22370
05/29/2003 08:27:05 3743AF56  24.118.114.71    53435 -> XXX.XX.2.35      60068
05/29/2003 08:33:25 105F811C  24.118.114.71    64651 -> XXX.XX.221.117   35672
05/29/2003 08:42:16 96DC2BDD  24.118.114.71    14954 -> XXX.XX.83.32     4960
05/29/2003 08:45:04 456DD9B   24.118.114.71    54565 -> XXX.XX.104.62    13647
05/29/2003 08:46:34 116F092B  24.118.114.71    21331 -> XXX.XX.90.82     58567
05/29/2003 08:48:34 F1B17406  24.118.114.71    54592 -> XXX.XX.146.197   59874
05/29/2003 08:48:55 33B6C200  24.118.114.71    50594 -> XXX.XX.47.13     41173
05/29/2003 08:50:46 663F481C  24.118.114.71    45481 -> XXX.XX.119.84    62644
05/29/2003 08:55:06 79557574  24.118.114.71    56763 -> XXX.XX.3.137     46403
05/29/2003 08:58:14 2A2E0F    24.118.114.71    1487  -> XXX.XX.212.19    60113
05/29/2003 09:10:01 CA20FA3   24.118.114.71    56489 -> XXX.XX.95.205    34095
05/29/2003 09:10:34 CEC1EE6C  24.118.114.71    33815 -> XXX.XX.64.38     38416
05/29/2003 09:11:45 C866877F  24.118.114.71    19616 -> XXX.XX.185.95    46190
05/29/2003 09:17:00 1DD996BD  24.118.114.71    17281 -> XXX.XX.169.40    9518
05/29/2003 09:21:37 58F4C371  24.118.114.71    17322 -> XXX.XX.52.221    35834
05/29/2003 09:22:52 5843AA36  24.118.114.71    34719 -> XXX.XX.4.92      18034
05/29/2003 09:26:24 4AE14A35  24.118.114.71    24190 -> XXX.XX.101.195   29888
05/29/2003 09:32:53 B24A4779  24.118.114.71    54980 -> XXX.XX.224.35    49977

Over the weekend of 5/31-6/1 I was seeing these packets from 660 unique source addresses. This has slowly grown to 2200 source addresses this past weekend (6/7-6/8).
All I'm capturing here are empty SYN packets -- sometimes, but rarely, followed by a RST:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/07-20:32:09.679693 202.232.48.93:62081 -> XXX.XX.40.142:32433
TCP TTL:113 TOS:0x0 ID:723 IpLen:20 DgmLen:52
******S* Seq: 0x202F0239  Ack: 0x0  Win: 0xDA00  TcpLen: 32
TCP Options (6) => MSS: 1460 NOP WS: 2 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/08-09:59:20.304527 24.118.114.71:62081 -> XXX.XX.40.142:32433
TCP TTL:113 TOS:0x0 ID:723 IpLen:20 DgmLen:52
******S* Seq: 0x202F0239  Ack: 0x0  Win: 0xDA00  TcpLen: 32
TCP Options (6) => MSS: 1460 NOP WS: 2 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/08-09:59:25.782971 24.118.114.71:62081 -> XXX.XX.40.142:32433
TCP TTL:113 TOS:0x0 ID:59520 IpLen:20 DgmLen:40
*****R** Seq: 0x202F023A  Ack: 0x202F023A  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

On the surface it looks like a slowly spreading worm, but I haven't seen anything from it besides a lot of TCP background noise.

Ken Eichman
Senior Scientist
Chemical Abstracts Service
IT Information Security
2540 Olentangy River Road
Columbus, OH 43210
614-447-3600 ext. 3230
keichmanat_private

> From incidents-return-5774-keichman=cas.orgat_private Mon Jun 9 11:37:32 2003
> Subject: RE: Help with an odd log file...
> Date: Fri, 6 Jun 2003 10:55:25 -0500
> From: "Golden Faron P Contr HQ SSG/SWSN" <Faron.Goldenat_private>
> To: <sec_slaveat_private>, <intrusionsat_private>,
> <incidentsat_private>
>
> Based on observations here, the strange packets are showing up
> everywhere. Try running a capture that triggers on Window Size of 55808
> and see what you find... Have been seeing a steadily increasing flow of
> packets like the ones described below. Some interesting things are that
> once a random source sends a SYN packet from a random port to a random
> destination on a random host, the packet is repeated at irregular
> intervals. Same source port, same source host, same destination host,
> same destination port, same Sequence number, same window size...
>
> Still no explanation
>
>> -----Original Message-----
>> From: sec_slaveat_private [mailto:sec_slaveat_private]
>> Sent: Tuesday, June 03, 2003 4:04 PM
>> To: intrusionsat_private; incidentsat_private
>> Subject: Help with an odd log file...
>>
>> Hello.
>>
>> I am looking for some assistance in trying to identify the nature of
>> a suspected scan/attack against my corporate network.
>>
>> The scan/attack includes spoofed source addresses that cover a wide range
>> of IP networks. There is also a relationship between source and
>> destination addresses and ports for each entry. Each combination of
>> address and port information appears between 3 and 8 times, all trickled
>> in over a 3 day period. Normally, something like this might be identified
>> as a TCP SYN SCAN, but the traffic is coming in too slowly and the
>> destination ports are all upper level ports (as you can see).
>>
>> The pattern is one with which I am not familiar and would appreciate
>> your assistance in identifying.
>>
>> Thnx,
>>
>> Sorted by source IP:
>>
>> Date/Time         Source IP/Port        Dest IP/Port
>> May 25 13:53:48   2.66.161.64:55518     XX6.X37.153.7:61323
>>
>> < snip. >
>>
>> Captured Frame Sample:
>>
>> < snip. >
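One way to pull the two patterns discussed in this thread out of a log in the layout above (the "same packet from two different sources" repeats and the one-to-many fan-out per source), plus a check for the 55808 window size the reply suggests capturing on. This is an added example, not code from the post or its author; the sample rows are constructed from values in the post, with the target addresses left masked as the post shows them.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the log above; values come from the
# post and the target addresses stay masked exactly as the post shows them.
SAMPLE_LOG = """\
05/29/2003 02:54:01 4E4CC713 151.11.190.23 25886 -> XXX.XX.1.251 24141
05/29/2003 03:10:15 4E4CC713 151.11.190.23 25886 -> XXX.XX.1.251 24141
05/29/2003 07:34:44 4E4CC713 24.118.114.71 25886 -> XXX.XX.1.251 24141
05/29/2003 01:51:38 4AE14A35 133.220.162.119 24190 -> XXX.XX.101.195 29888
05/29/2003 09:26:24 4AE14A35 24.118.114.71 24190 -> XXX.XX.101.195 29888
05/29/2003 05:57:29 D5A3071E 24.118.114.71 2538 -> XXX.XX.114.255 49961
05/29/2003 06:03:25 41956321 24.118.114.71 20718 -> XXX.XX.109.63 4187
"""

# date time seq src sport -> dst dport; header and blank lines do not match
ROW = re.compile(r"^(\S+) (\S+) ([0-9A-Fa-f]+) (\S+) (\d+) -> (\S+) (\d+)$")

def parse_rows(text):
    """Yield (seq, src, sport, dst, dport) for each data row in the log."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            _, _, seq, src, sport, dst, dport = m.groups()
            yield seq.upper(), src, int(sport), dst, int(dport)

def analyse(text):
    """Return (shared, fanout).
    shared: packet keys (seq, sport, dst, dport) seen from more than one
            source address, the "same packet from two sources" oddity.
    fanout: distinct (dst, dport) targets per source; 1 means a one-to-one
            source, anything larger is a one-to-many source.
    """
    sources_by_key = defaultdict(set)
    targets_by_src = defaultdict(set)
    for seq, src, sport, dst, dport in parse_rows(text):
        sources_by_key[(seq, sport, dst, dport)].add(src)
        targets_by_src[src].add((dst, dport))
    shared = {k: sorted(v) for k, v in sources_by_key.items() if len(v) > 1}
    fanout = {src: len(t) for src, t in targets_by_src.items()}
    return shared, fanout

def is_55808_syn(snort_line):
    """True when a Snort flags/seq line carries the window size the reply
    suggests capturing on: 0xDA00 == 55808."""
    m = re.search(r"Win:\s*0x([0-9A-Fa-f]+)", snort_line)
    return bool(m) and int(m.group(1), 16) == 55808
```

Running `analyse` over the full table from the post reports 24.118.114.71 as the only source with a fan-out above 1, and the two repeated keys (4E4CC713 and 4AE14A35) as shared between it and a one-to-one source.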
This archive was generated by hypermail 2b30 : Mon Jun 09 2003 - 10:01:17 PDT