FWIW, here's some traffic picked up on one of my DMZs. I'll be looking for more detail...

Bob

13:10:39.742501 45.254.100.11.43834 > My.Net.224.6.46146: S 836732222:836732222(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
13:14:07.022501 45.254.100.11.43834 > My.Net.224.6.46146: S 836732222:836732222(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
13:22:21.792501 45.254.100.11.43834 > My.Net.224.6.46146: S 836732222:836732222(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
13:43:20.652501 45.254.100.11.43834 > My.Net.224.6.46146: S 836732222:836732222(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
13:55:49.022501 45.254.100.11.43834 > My.Net.224.6.46146: S 836732222:836732222(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>

13:16:37.962501 167.242.48.211.54041 > My.Net.224.223.54114: S 58878078:58878078(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
13:23:11.052501 167.242.48.211.54041 > My.Net.224.223.54114: S 58878078:58878078(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
13:41:15.712501 167.242.48.211.54041 > My.Net.224.223.54114: S 58878078:58878078(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
13:42:57.452501 167.242.48.211.54041 > My.Net.224.223.54114: S 58878078:58878078(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
13:46:14.092501 167.242.48.211.54041 > My.Net.224.223.54114: S 58878078:58878078(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
13:55:03.742501 167.242.48.211.54041 > My.Net.224.223.54114: S 58878078:58878078(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>

13:11:16.652501 195.21.212.105.12337 > My.Net.224.101.31887: S 1762176743:1762176743(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
13:13:29.072501 195.21.212.105.12337 > My.Net.224.101.31887: S 1762176743:1762176743(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
13:15:15.502501 195.21.212.105.12337 > My.Net.224.101.31887: S 1762176743:1762176743(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
13:34:26.872501 218.84.160.5.31071 > My.Net.224.101.31887: S 1762176743:1762176743(0) win 55808 <mss 1322,nop,wscale 2,nop,nop,sackOK>

-----Original Message-----
From: Golden Faron P Contr HQ SSG/SWSN [mailto:Faron.Goldenat_private]
Sent: Thursday, June 12, 2003 11:44 AM
To: Ken Eichman; James C. Slora Jr.; Incidentsat_private; Intrusionsat_private
Subject: RE: Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log file...)

Ken,

Your data matches closely with what we have observed... growing number of spoofed sources, growing number of hits, growing number of "pairs"... I truly believe "something is definitely happening under our noses"!

Faron

-----Original Message-----
From: Ken Eichman [mailto:keichmanat_private]
Sent: Thursday, June 12, 2003 12:29 PM
To: James C. Slora Jr.; Incidentsat_private; Intrusionsat_private
Subject: Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log file...)

Following up on the '"odd" TCP SYN packets with winsize 55808' thread, here's a chart of the growth in volume of this traffic seen at my /16. I've seen very little discussion about it, although I did run across the following news article:

http://www.gcn.com/vol1_no1/daily-updates/22371-1.html

It's hard to get an exact count of the traffic, but these numbers should be very close. This is the daily unique count of each category: unique number of packets (hits), number of unique source IP addresses, unique source ports, etc. seen here each 24-hour GMT period.
Date    Hits  SrcIP  SrcPort  DstIP  DstPort  Seq#
----    ----  -----  -------  -----  -------  ----
0516       0      0        0      0        0     0
0517     235    188      212    230      229   230
0518     128    114      113    121      121   121
0519     146     87      108    119      112   129
0520     251    194      191    214      213   215
0521     343    259      251    290      291   291
0522     439    245      239    279      278   301
0523     774    414      438    479      479   486
0524     760    397      446    467      467   476
0525     651    406      414    413      411   414
0526    1408    581      613    622      620   632
0527    2351    622      657    703      700   719
0528    3826    643      872    900      884   941
0529    5573    663     1047   1099     1092  1118
0530    5966    688      981   1072     1067  1100
0531    5659    685      859    940      938   998
0601    7806    751     1219   1247     1231  1304
0602   10508    816     1453   1410     1410  1593
0603   15676   1061     2295   1751     1735  2261
0604   20914   1027     2265   1665     1659  2342
0605   32168   1207     3155   1832     1822  3200
0606   38958   1239     3451   1885     1853  3155
0607   39596   1265     3691   1862     1841  2679
0608   37017   1215     2895   1833     1815  1941
0609   45924   1419     3567   1879     1874  2915
0610   50507   1435     3353   1889     1875  3152
0611   64757   1842     3889   1910     1885  3295
0612*  28511   1229     2321   1799     1779  2296

* - 11 hours of activity only

I don't know what, if anything, these numbers show, other than an increase in traffic volume. Hard to say if it means the number of compromised hosts is increasing, although that might be a logical conclusion.

Best I can determine, this traffic apparently first showed up here at 00:05 GMT on May 17. Most (all?) of it is spoofed, with many one-to-one source IP probers, e.g.:

Date       Time     TCP Seq#  Source Address   Port      Target Address  Port
06/12/2003 10:23:24 EC03F241  147.232.196.201  10849  -> XX.XX.88.74     40829
06/12/2003 10:42:20 EC03F241  147.232.196.201  10849  -> XX.XX.88.74     40829
06/12/2003 10:42:42 EC03F241  147.232.196.201  10849  -> XX.XX.88.74     40829
06/12/2003 10:54:54 EC03F241  147.232.196.201  10849  -> XX.XX.88.74     40829
06/12/2003 11:12:22 EC03F241  147.232.196.201  10849  -> XX.XX.88.74     40829
06/12/2003 11:17:52 EC03F241  147.232.196.201  10849  -> XX.XX.88.74     40829
06/12/2003 11:33:25 EC03F241  147.232.196.201  10849  -> XX.XX.88.74     40829
06/12/2003 11:35:44 EC03F241  147.232.196.201  10849  -> XX.XX.88.74     40829
06/12/2003 11:42:51 EC03F241  147.232.196.201  10849  -> XX.XX.88.74     40829

And many one-to-many source IP probers, e.g.:

Date       Time     TCP Seq#  Source Address   Port      Target Address  Port
06/12/2003 09:05:35 445A0CF0  210.170.253.17   0      -> XX.XX.2.39      44594
06/12/2003 09:11:21 5E078280  210.170.253.17   0      -> XX.XX.46.76     43927
06/12/2003 09:16:09 7D20203   210.170.253.17   0      -> XX.XX.158.85    45429
06/12/2003 09:22:02 9C214347  210.170.253.17   0      -> XX.XX.157.178   61118
06/12/2003 09:22:06 B311B137  210.170.253.17   0      -> XX.XX.77.25     3845
06/12/2003 09:24:14 9071F12D  210.170.253.17   0      -> XX.XX.80.242    60371
06/12/2003 09:24:28 98D3B2D   210.170.253.17   0      -> XX.XX.39.4      41641
06/12/2003 09:24:50 80CBE480  210.170.253.17   0      -> XX.XX.75.135    23663
06/12/2003 09:25:02 DBD4FD0F  210.170.253.17   0      -> XX.XX.13.150    33728

With occasional overlap:

Date       Time     TCP Seq#  Source Address   Port      Target Address  Port
06/12/2003 06:14:31 EC03F241  210.170.253.17   0      -> XX.XX.88.74     40829

All of the packets have had nothing in the data field, so I can't say much more other than these statistical header numbers. I do agree with a previous poster, though, who said something appears to be happening under our noses.

Ken Eichman
Senior Scientist
Chemical Abstracts Service
IT Information Security
2540 Olentangy River Road
Columbus, OH 43210
614-447-3600 ext. 3230
keichmanat_private

****************************************************************************
This email may contain confidential material. If you were not an intended
recipient, please notify the sender and delete all copies. We may monitor
email to and from our network.
****************************************************************************
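As an added example (not code from any of the posters above), the script below turns the kind of tcpdump output Bob posted into the statistics Ken tabulated: it filters bare SYNs with window 55808, computes the daily unique counts (hits, source IPs, source ports, target IPs, target ports, sequence numbers), splits sources into Ken's "one-to-one" and "one-to-many" categories, and flags sequence numbers shared by more than one source address, the "overlap" Ken points to as evidence of spoofing. The one-to-one rule used here (every packet from a source repeats the same source port, target, target port and sequence number) is my reading of the listings, not a rule anyone in the thread stated. The sample capture reuses lines from Bob's post; the 203.0.113.5 lines and the final ordinary SYN (window 65535) are constructed to exercise the one-to-many branch and the filter. The regex assumes the tcpdump 3.x one-line format shown in the post.

```python
"""Summarise the win-55808 spoofed-SYN pattern from tcpdump-style lines."""
import re
from collections import defaultdict

# tcpdump 3.x one-line format as in the post:
# HH:MM:SS.usec src.sport > dst.dport: S seq:seq(0) win N <options>
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\w.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\w.]+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRPAU.]+)\s+(?P<seq>\d+):\d+\(\d+\)\s+win\s+(?P<win>\d+)"
)

MAGIC_WINDOW = 55808  # the window size this thread is about

# Sample capture: the first five lines are from Bob's post; the 203.0.113.5
# lines (sport 0, one target per packet) and the final win-65535 SYN are
# constructed for this example.
SAMPLE = """\
13:10:39.742501 45.254.100.11.43834 > My.Net.224.6.46146: S 836732222:836732222(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
13:14:07.022501 45.254.100.11.43834 > My.Net.224.6.46146: S 836732222:836732222(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
13:16:37.962501 167.242.48.211.54041 > My.Net.224.223.54114: S 58878078:58878078(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
13:11:16.652501 195.21.212.105.12337 > My.Net.224.101.31887: S 1762176743:1762176743(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
13:34:26.872501 218.84.160.5.31071 > My.Net.224.101.31887: S 1762176743:1762176743(0) win 55808 <mss 1322,nop,wscale 2,nop,nop,sackOK>
13:36:01.000000 203.0.113.5.0 > My.Net.224.40.44594: S 111:111(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
13:36:09.000000 203.0.113.5.0 > My.Net.224.41.43927: S 222:222(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
13:36:15.000000 203.0.113.5.0 > My.Net.224.42.45429: S 333:333(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
13:40:00.000000 10.1.2.3.51000 > My.Net.224.9.80: S 1000:1000(0) win 65535 <mss 1460,nop,nop,sackOK>
"""


def parse(text):
    """Return one dict per parsable line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            for key in ("sport", "dport", "seq", "win"):
                d[key] = int(d[key])
            records.append(d)
    return records


def candidates(records):
    """Bare SYNs (flags == 'S') carrying the suspicious window size."""
    return [r for r in records if r["flags"] == "S" and r["win"] == MAGIC_WINDOW]


def unique_counts(records):
    """Per-field unique counts, mirroring the columns of Ken's daily table."""
    counts = {"Hits": len(records)}
    for name, key in (("SrcIP", "src"), ("SrcPort", "sport"), ("DstIP", "dst"),
                      ("DstPort", "dport"), ("Seq#", "seq")):
        counts[name] = len({r[key] for r in records})
    return counts


def classify_sources(records):
    """'one-to-one' when every packet from a source repeats the same
    (sport, dst, dport, seq) tuple, 'one-to-many' otherwise (assumed rule)."""
    tuples_by_src = defaultdict(set)
    for r in records:
        tuples_by_src[r["src"]].add((r["sport"], r["dst"], r["dport"], r["seq"]))
    return {src: ("one-to-one" if len(t) == 1 else "one-to-many")
            for src, t in tuples_by_src.items()}


def shared_sequences(records):
    """Sequence numbers seen from more than one source address: Ken's
    'overlap', and a strong hint that the source addresses are spoofed."""
    srcs_by_seq = defaultdict(set)
    for r in records:
        srcs_by_seq[r["seq"]].add(r["src"])
    return {seq: sorted(s) for seq, s in srcs_by_seq.items() if len(s) > 1}


if __name__ == "__main__":
    hits = candidates(parse(SAMPLE))
    print(unique_counts(hits))
    for src, kind in sorted(classify_sources(hits).items()):
        print(f"{src:16} {kind}")
    print("shared seq#:", shared_sequences(shared_sequences and hits))
```

Feed it real tcpdump output (`tcpdump -n 'tcp[13] == 2 and tcp[14:2] == 55808'` would pre-filter at capture time) one day at a time to reproduce the daily table; a growing set of shared sequence numbers across unrelated source addresses is the cheapest confirmation that the sources are not real hosts.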
This archive was generated by hypermail 2b30 : Fri Jun 13 2003 - 13:16:03 PDT