odd RST packets with 55808

From: Golden Faron P Contr HQ SSG/SWSN (Faron.Goldenat_private)
Date: Thu Jun 19 2003 - 13:56:38 PDT


    The packets below were noted on our network and are apparently the result
    of spoofed packets with Window Size 55808. The destination hosts do not
    exist.
    
    12:11:12.580814 165.231.184.155.55403 > myIP1.40540: R [tcp sum ok]
    0:4(4) ack 11428489 win 55808 [RST ehnc] (ttl 14, id 0, len 44)
    0x0000   4500 002c 0000 0000 0e06 2a53 a5e7 b89b        E..,......*S....
    0x0010   xxxx xxxx d86b 9e5c 0000 0000 00ae 6289        .?...k.\......b.
    0x0020   5014 da00 a586 0000 6568 6e63 0000             P.......ehnc..
    
    12:21:10.062653 167.191.188.8.35349 > myIP2.45573: R [tcp sum ok] 0:4(4)
    ack 4075582128 win 55808 [RST ehnc] (ttl 14, id 0, len 44)
    0x0000   4500 002c 0000 0000 0e06 10ed a7bf bc08        E..,............
    0x0010   xxxx xxxx 8a15 b205 0000 0000 f2ec 72b0        .?............r.
    0x0020   5014 da00 c467 0000 6568 6e63 0000             P....g..ehnc..
    
    12:58:25.375196 24.60.37.32.63221 > myIP3.1437: R [tcp sum ok] 0:0(0)
    ack 2312514947 win 55808 (ttl 130, id 15545, len 40)
    0x0000   4500 0028 3cb9 0000 8206 33c2 183c 2520        E..(<.....3..<%.
    0x0010   xxxx xxxx f6f5 059d 0000 0000 89d6 2d83        .?............-.
    0x0020   5014 da00 598e 0000 0000 0000 0000             P...Y.........
    
    12:13:40.330048 24.138.84.223.10087 > myIP4.47601: R [tcp sum ok] 0:4(4)
    ack 2314047968 win 55808 [RST ehnc] (ttl 14, id 0, len 44)
    0x0000   4500 002c 0000 0000 0e06 5fa1 188a 54df        E..,......_...T.
    0x0010   xxxx xxxx 2767 b9f1 0000 0000 89ed 91e0        .?\.'g..........
    0x0020   5014 da00 b7ad 0000 6568 6e63 0000             P.......ehnc..
    
    12:21:16.405254 25.2.92.40.16921 > myIP5.376: R [tcp sum ok] 0:4(4) ack
    2293688568 win 55808 [RST ehnc] (ttl 14, id 0, len 44)
    0x0000   4500 002c 0000 0000 0e06 c65f 1902 5c28        E..,......._..\(
    0x0010   xxxx xxxx 4219 0178 0000 0000 88b6 e8f8        .?..B..x........
    0x0020   5014 da00 6652 0000 6568 6e63 0000             P...fR..ehnc..
    
    12:01:25.245077 26.70.158.55.18427 > myIP6.37052: R [tcp sum ok] 0:4(4)
    ack 247220371 win 55808 [RST ehnc] (ttl 14, id 0, len 44)
    0x0000   4500 002c 0000 0000 0e06 26d7 1a46 9e37        E..,......&..F.7
    0x0010   xxxx xxxx 47fb 90bc 0000 0000 0ebc 4893        .?J9G.........H.
    0x0020   5014 da00 4c03 0000 6568 6e63 0000             P...L...ehnc..
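
A way to check captures for the traits visible in these dumps, added here as an example and not part of the original post: it rebuilds packet bytes from tcpdump hex lines, decodes the IPv4/TCP headers and reports which characteristics match. The function names and trait labels are assumptions of this example; the redacted destination is zero-filled, so checksums are not verified.

```python
import re
import struct

WINDOW = 55808  # window size reported in the post
# Constructed input: the first and third dumps from the post, with the
# destination address still redacted as "xxxx xxxx".
DUMP_A = r"""
0x0000   4500 002c 0000 0000 0e06 2a53 a5e7 b89b        E..,......*S....
0x0010   xxxx xxxx d86b 9e5c 0000 0000 00ae 6289        .?...k.\......b.
0x0020   5014 da00 a586 0000 6568 6e63 0000             P.......ehnc..
"""
DUMP_B = r"""
0x0000   4500 0028 3cb9 0000 8206 33c2 183c 2520        E..(<.....3..<%.
0x0010   xxxx xxxx f6f5 059d 0000 0000 89d6 2d83        .?............-.
0x0020   5014 da00 598e 0000 0000 0000 0000             P...Y.........
"""

def hexdump_to_bytes(dump):
    """Rebuild packet bytes from tcpdump hex lines; redacted 'xxxx' becomes zeros."""
    raw = bytearray()
    for line in dump.strip().splitlines():
        fields = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(fields) >= 2 and fields[0].startswith("0x"):
            raw += bytes.fromhex(fields[1].replace("x", "0"))
    return bytes(raw)

def parse(raw):
    """Decode the IPv4/TCP fields that the tcpdump summary lines show."""
    vihl, _, total_len, ident, _, ttl, proto, _, src, _ = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if vihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4 TCP packet")
    ihl = (vihl & 0x0F) * 4
    sport, dport, _, ack, off_flags, win, _, _ = struct.unpack("!HHIIHHHH", raw[ihl:ihl + 20])
    data_off = (off_flags >> 12) * 4
    return {"src": ".".join(map(str, src)), "sport": sport, "dport": dport, "ack": ack,
            "ttl": ttl, "id": ident, "rst": bool(off_flags & 0x04), "win": win,
            "payload": raw[ihl + data_off:total_len]}  # total_len drops trailing padding

def traits(pkt):
    """Return which characteristics seen in the post a parsed packet has."""
    checks = {"rst": pkt["rst"], "ttl14-id0": pkt["ttl"] == 14 and pkt["id"] == 0,
              "payload-ehnc": pkt["payload"] == b"ehnc"}
    if pkt["win"] != WINDOW:
        return set()
    return {"win55808"} | {name for name, hit in checks.items() if hit}

if __name__ == "__main__":
    for pkt in map(parse, map(hexdump_to_bytes, (DUMP_A, DUMP_B))):
        print(pkt["src"], pkt["sport"], sorted(traits(pkt)))
```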
    
    



    This archive was generated by hypermail 2b30 : Thu Jun 19 2003 - 20:05:30 PDT