RE: Port 0 packets

From: Stuart (secmailat_private)
Date: Fri Jul 25 2003 - 18:26:43 PDT

    I did install snort but the box has been rebuilt since; ISA is what
    is running on it at the moment. So if snort can have problems, no
    doubt ISA will :)
    They're quite irritating as there's nothing I can find in packet
    captures that's causing them to come in :S
    
    Stu
    
    -----Original Message-----
    From: Toby Miller [mailto:toby_millerat_private] 
    Sent: 26 July 2003 02:18
    To: Dave Paris; Russell Fulton
    Cc: Stuart; incidentsat_private
    Subject: RE: Port 0 packets
    
    We have been seeing these port 0 packets since we installed
    snort-2.0.0. At first we thought we had been missing something but
    further investigation revealed that snort was not reading the packets
    correctly.
    
    Toby
    
    -----Original Message-----
    From: Dave Paris [mailto:dparisat_private]
    Sent: Thursday, July 24, 2003 4:05 PM
    To: Russell Fulton
    Cc: Stuart; incidentsat_private
    Subject: Re: Port 0 packets
    
    
    Our IDS spotted another TCP port 0 packet at 19:59pm UTC today
    (Thursday).  Headers follow:
    
    [**] (snort_decoder): T/TCP Detected [**]
    07/24-19:59:51.308749 216.136.173.246:0 -> xxx.xxx.xxx.xxx:0
    TCP TTL:55 TOS:0x0 ID:41202 IpLen:20 DgmLen:68 DF
    ******S* Seq: 0x73C13DA0  Ack: 0x0  Win: 0xFFFF  TcpLen: 48
    TCP Options (9) => MSS: 1460 NOP WS: 1 NOP NOP TS: 15026415 0
    TCP Options => NOP NOP CCNEW: 248555
    
    Kind Regards,
    -dsp
    
    On Wednesday, Jul 23, 2003, at 16:38 US/Eastern, Russell Fulton
    wrote:
    
    > On Wed, 2003-07-23 at 12:28, Stuart wrote:
    >> Hi,
    >>
    >> After currently reviewing firewall logs from the ISA server I have
    >> come across a period where the box was hit with an approx. average
    >> of 3-4 packets per 5 minute period for 8 hours.
    >
    > Over the last few days snort has been complaining about packets on
    > TCP 0 to an address in our network. I finally got to investigate it
    > yesterday.
    >
    > The packets were coming from two IP addresses in China and were tcp
    > with RST+ACK flags set. I then used our argus <www.qosient.com> logs
    > to examine all the traffic between the addresses. It turned out that
    > there was a flood of incoming packets with random source and
    > destination ports. So snort was triggering on a tiny proportion of
    > the total packets.
    >
    > I concluded that this was fallout from a DOS attack on the two
    > Chinese machines in which our address had been spoofed.
    >
    > Given the frequency of your packets and the likelihood that you
    > would have noticed if there was other traffic from the source, this
    > probably is not the same scenario. One thing that would help us work
    > out possible causes is some more details about the packets -- TCP or
    > UDP, flags etc.
    >
    > --
    > Russell Fulton, Network Security Officer, The University of
    > Auckland, New Zealand.
    >
    
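As an added example (not code from any poster here or from the Snort project) of the triage this thread walks through: parse Snort alert text like the headers Dave posted, and tell a port-0 alert that the decoder raised on T/TCP options apart from the RST+ACK backscatter Russell describes. The second sample alert, its 192.0.2.10 source and the "constructed" rule name are made up for the example; Snort's "12UAPRSF" flag field and its CC/CCNEW/CCECHO option names are assumed from the alert above.

```python
import re
from dataclasses import dataclass
# Snort prints TCP flags as the 8-char field "12UAPRSF"; '*' = clear
# ("******S*" is a bare SYN, "***A*R**" is RST+ACK).
HDR_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.x]+):(?P<sport>\d+) -> "
                    r"(?P<dst>[\d.x]+):(?P<dport>\d+)$")
FLAGS_RE = re.compile(r"^(?P<flags>[12UAPRSF*]{8}) Seq:")
TTCP_OPTS = ("CC:", "CCNEW:", "CCECHO:")  # RFC 1644 options as Snort prints them
@dataclass
class Alert:
    src: str; sport: int; dst: str; dport: int; flags: frozenset; ttcp: bool

    def verdict(self) -> str:
        if self.sport != 0 and self.dport != 0:
            return "not-port-0"
        if self.ttcp and "S" in self.flags:
            return "ttcp-syn"             # decoder fired on T/TCP options
        if {"R", "A"} <= self.flags:
            return "rst-ack-backscatter"  # reply to a SYN sent with our address spoofed
        return "port-0-other"

def parse_alerts(text: str) -> list:
    """Split alert text on '[**]' headers; pull addresses, flags and options."""
    alerts = []
    for block in re.split(r"\n(?=\[\*\*\])", text.strip()):
        lines = [l.strip() for l in block.splitlines()]
        hdr = next((m for m in map(HDR_RE.match, lines) if m), None)
        flg = next((m for m in map(FLAGS_RE.match, lines) if m), None)
        if not (hdr and flg):
            continue  # malformed block: skip rather than guess
        flags = frozenset(c for c in flg["flags"] if c != "*")
        ttcp = any(o in l for l in lines for o in TTCP_OPTS)
        alerts.append(Alert(hdr["src"], int(hdr["sport"]), hdr["dst"],
                            int(hdr["dport"]), flags, ttcp))
    return alerts
# Constructed sample: the T/TCP alert quoted in the thread, plus a made-up
# RST+ACK port-0 alert of the kind Russell describes (192.0.2.10 is TEST-NET).
SAMPLE = """[**] (snort_decoder): T/TCP Detected [**]
07/24-19:59:51.308749 216.136.173.246:0 -> xxx.xxx.xxx.xxx:0
TCP TTL:55 TOS:0x0 ID:41202 IpLen:20 DgmLen:68 DF
******S* Seq: 0x73C13DA0  Ack: 0x0  Win: 0xFFFF  TcpLen: 48
TCP Options (9) => MSS: 1460 NOP WS: 1 NOP NOP TS: 15026415 0
TCP Options => NOP NOP CCNEW: 248555
[**] constructed: tcp port 0 traffic [**]
07/23-10:02:11.000001 192.0.2.10:5349 -> xxx.xxx.xxx.xxx:0
TCP TTL:112 TOS:0x0 ID:0 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x1A2B3C4D  Win: 0x0  TcpLen: 20
"""
def triage(text: str = SAMPLE) -> list:
    return [(a.src, a.sport, a.dport, a.verdict()) for a in parse_alerts(text)]
```

Feed it a real alert file and the verdict column separates decoder noise on T/TCP options from backscatter worth correlating against flow logs, as Russell did with argus.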
    



    This archive was generated by hypermail 2b30 : Sun Jul 27 2003 - 11:25:20 PDT