One observed pattern of Win 55808 packets

From: Golden Faron P Contr HQ SSG/SWSN (Faron.Goldenat_private)
Date: Wed Jun 18 2003 - 15:05:28 PDT


    Some sample data of one characteristic behavior of the odd SYN packets
    with Window Size 55808.  Notice the varying TTL values and the single
    variance of the Packet ID while the Sequence number remains constant
    along with the source/destination pairs.  Comments welcome, remembering
    that this is just one of many characteristic behaviors observed.
    
    12:06:25.925509 152.83.15.171.16172 > specific.36072: S [tcp sum ok]
    232231517:232231517(0) win 55808 <mss 1414,nop,wscale 2,nop,nop,sackOK>
    (ttl 109, id 19843, len 52)
    12:07:58.047912 152.83.15.171.16172 > specific.36072: S [tcp sum ok]
    232231517:232231517(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
    (ttl 110, id 19843, len 52)
    12:11:00.234395 152.83.15.171.16172 > specific.36072: S [tcp sum ok]
    232231517:232231517(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
    (ttl 116, id 19843, len 52)
    12:40:38.889195 152.83.15.171.16172 > specific.36072: S [tcp sum ok]
    232231517:232231517(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
    (ttl 111, id 21122, len 52)
    12:40:58.111835 152.83.15.171.16172 > specific.36072: S [tcp sum ok]
    232231517:232231517(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
    (ttl 115, id 19843, len 52)
    12:43:02.731505 152.83.15.171.16172 > specific.36072: S [tcp sum ok]
    232231517:232231517(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
    (ttl 111, id 19843, len 52)
    12:46:01.337882 152.83.15.171.16172 > specific.36072: S [tcp sum ok]
    232231517:232231517(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
    (ttl 111, id 19843, len 52)
    12:57:50.059664 152.83.15.171.16172 > specific.36072: S [tcp sum ok]
    232231517:232231517(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
    (ttl 113, id 19843, len 52)
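
A way to surface this pattern from tcpdump text output, as an added example that is not part of the original post: it groups SYNs with window 55808 by source, destination and sequence number, then reports the TTL and IP ID spread of each repeated group. The function name, the one-record-per-line input and the final control record are assumptions made for the example.

```python
import re
from collections import defaultdict

# Four records from the post above, each rejoined onto one line, plus one
# constructed control SYN (last line) that must not be reported.
SAMPLE = """\
12:06:25.925509 152.83.15.171.16172 > specific.36072: S [tcp sum ok] 232231517:232231517(0) win 55808 <mss 1414,nop,wscale 2,nop,nop,sackOK> (ttl 109, id 19843, len 52)
12:07:58.047912 152.83.15.171.16172 > specific.36072: S [tcp sum ok] 232231517:232231517(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK> (ttl 110, id 19843, len 52)
12:40:38.889195 152.83.15.171.16172 > specific.36072: S [tcp sum ok] 232231517:232231517(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK> (ttl 111, id 21122, len 52)
12:40:58.111835 152.83.15.171.16172 > specific.36072: S [tcp sum ok] 232231517:232231517(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK> (ttl 115, id 19843, len 52)
12:41:00.000000 192.0.2.10.40000 > specific.80: S [tcp sum ok] 1000:1000(0) win 5840 <mss 1460,nop,nop,sackOK> (ttl 64, id 1, len 48)
"""

# tcpdump -v style SYN record: addresses, sequence, window, then (ttl, id, len).
REC = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>[^:\s]+): S .*?"
    r"(?P<seq>\d+):\d+\(0\) win (?P<win>\d+) .*"
    r"\(ttl (?P<ttl>\d+), id (?P<id>\d+), len \d+\)\s*$"
)


def summarize(text, window=55808, min_repeats=2):
    """Return repeated (src, dst, seq) groups among SYNs with the given window."""
    flows = defaultdict(lambda: {"count": 0, "ttls": set(), "ids": set()})
    for line in text.splitlines():
        m = REC.match(line.strip())
        if not m or int(m["win"]) != window:
            continue  # not a SYN record, or a different window size
        f = flows[(m["src"], m["dst"], int(m["seq"]))]
        f["count"] += 1
        f["ttls"].add(int(m["ttl"]))
        f["ids"].add(int(m["id"]))
    # The same source, destination and sequence number seen more than once is
    # the repetition the post describes; TTL and IP ID spread go alongside it.
    return {
        key: {"count": f["count"], "ttls": sorted(f["ttls"]), "ids": sorted(f["ids"])}
        for key, f in flows.items()
        if f["count"] >= min_repeats
    }


if __name__ == "__main__":
    for (src, dst, seq), f in summarize(SAMPLE).items():
        print(f"{src} > {dst} seq={seq} packets={f['count']} "
              f"ttls={f['ttls']} ids={f['ids']}")
```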
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Jun 18 2003 - 20:49:26 PDT