Re: Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log file...)

From: Mike (mikeat_private)
Date: Fri Jun 13 2003 - 13:59:57 PDT


    Fabio Panigatti wrote:
    
    > Well... it's also likely that my host isn't really a node of the trojan/bot
    > net but that was erroneously inserted in some IP addresses database.
    
    I am monitoring a fallow /21, at least 50% of which has never been 
    routed by us and quite possibly never in use on the Internet at all. It 
    is receiving large amounts of this traffic. I believe, from what I am 
    seeing, that the destination hosts are randomly chosen.
    
    I dumped a very small excerpt of some of the traffic here, grouped by 
    destination address:
    
    http://multiversity.net/55808.html
    
    Interesting to note the seq id #'s are unique per target host, but 
    persistently the same across multiple probes. Why is the source of this 
    bothering to spend CPU cycles generating a unique seq #? (possibly to 
    minimize the number of points at which it can be filtered? or is it 
    truly random, vs. a hash of other characteristics?)
    
    Also interesting to note that some IPs are hit multiple times in my 
    sample period, while others received none. I.E. in an hour, I might see 
    3-4 targets in a given /24, but each receives 2-10 hits.
    
    One alternative to the trojan theory is that this is some type of 
    one-to-many TCP/IP steganography, where the recipients' IP addresses are 
    unknown, à la:
    http://www.firstmonday.dk/issues/issue2_5/rowland/
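The two observations above (one sequence number per destination that repeats across probes, and an uneven spread of hits across a /24) are easy to check mechanically from a capture. The following is an added example, not code from Mike's post or from anyone on the list: it parses constructed tcpdump-style SYN lines, keeps only those with the window size under discussion, groups them by destination, and reports whether each multiply-hit target saw a single sequence number. The log line format, the addresses and the sequence values are all constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Window size the thread is about; used here as the selection criterion.
SUSPECT_WINDOW = 55808

# tcpdump-like SYN line, e.g.
#   12:00:01.000000 IP 10.1.2.3.1234 > 192.0.2.17.80: Flags [S], seq 1103515245, win 55808, length 0
# The exact format is an assumption for this example.
SYN_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[S\], "
    r"seq (?P<seq>\d+), win (?P<win>\d+)"
)

# Constructed sample capture (not the author's data). 192.0.2.17 is hit
# three times from three different sources with the same seq; 192.0.2.40
# twice; 192.0.2.99 once; 198.51.100.8 twice. One ordinary SYN (win 65535)
# and one non-SYN segment are included to show they are ignored.
SAMPLE_LINES = [
    "12:00:01.000000 IP 10.1.2.3.1234 > 192.0.2.17.80: Flags [S], seq 1103515245, win 55808, length 0",
    "12:00:02.000000 IP 172.16.9.9.4011 > 192.0.2.40.25: Flags [S], seq 2718281828, win 55808, length 0",
    "12:00:03.000000 IP 10.200.1.1.5555 > 192.0.2.17.443: Flags [S], seq 1103515245, win 55808, length 0",
    "12:00:04.000000 IP 10.7.7.7.2000 > 192.0.2.99.22: Flags [S], seq 314159265, win 55808, length 0",
    "12:00:05.000000 IP 192.168.3.4.3333 > 198.51.100.8.80: Flags [S], seq 1618033988, win 55808, length 0",
    "12:00:06.000000 IP 10.9.9.9.1111 > 192.0.2.40.80: Flags [S], seq 2718281828, win 55808, length 0",
    "12:00:07.000000 IP 172.16.0.2.4444 > 198.51.100.8.22: Flags [S], seq 1618033988, win 55808, length 0",
    "12:00:08.000000 IP 10.0.0.1.40000 > 192.0.2.17.80: Flags [S], seq 1103515245, win 55808, length 0",
    "12:00:09.000000 IP 10.0.0.2.40001 > 192.0.2.17.80: Flags [S], seq 99999, win 65535, length 0",
    "12:00:10.000000 IP 10.0.0.3.40002 > 192.0.2.17.80: Flags [.], ack 1, win 65535, length 0",
]


def parse_syn(line):
    """Return a dict for a SYN line, or None if the line is not a SYN we recognise."""
    m = SYN_RE.match(line)
    if m is None:
        return None
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "seq": int(m.group("seq")),
        "win": int(m.group("win")),
    }


def group_by_destination(lines, window=SUSPECT_WINDOW):
    """Group SYNs carrying the given window size by destination address.

    Each entry records the hit count, the distinct sequence numbers seen
    and the distinct (possibly spoofed) source addresses.
    """
    groups = defaultdict(lambda: {"hits": 0, "seqs": set(), "srcs": set()})
    for line in lines:
        rec = parse_syn(line)
        if rec is None or rec["win"] != window:
            continue
        g = groups[rec["dst"]]
        g["hits"] += 1
        g["seqs"].add(rec["seq"])
        g["srcs"].add(rec["src"])
    return dict(groups)


def seq_consistent_per_target(groups):
    """True if every destination hit more than once saw exactly one sequence number.

    This is the property Mike describes: a seq fixed per target, repeated across probes.
    """
    return all(len(g["seqs"]) == 1 for g in groups.values() if g["hits"] >= 2)


def targets_per_prefix(groups, prefix_len=24):
    """Count distinct destination hosts per /prefix_len, to see how probes spread."""
    counts = defaultdict(int)
    for dst in groups:
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        counts[str(net)] += 1
    return dict(counts)


if __name__ == "__main__":
    groups = group_by_destination(SAMPLE_LINES)
    for dst, g in sorted(groups.items()):
        print(f"{dst:>15}  hits={g['hits']}  distinct_seq={len(g['seqs'])}  distinct_src={len(g['srcs'])}")
    print("seq fixed per target:", seq_consistent_per_target(groups))
    print("targets per /24:", targets_per_prefix(groups))
```

Run against a real capture, the per-destination `distinct_seq` column answers the "random vs. fixed per host" question directly, and comparing `targets_per_prefix` with the number of hits per target shows whether the sparse-but-repeated pattern Mike describes holds across the monitored range.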
    
    
    
    
    


