Bugtraq mailing list archives

notes on Port scanning


From: lev () APPLE COM (Lloyd Vancil)
Date: Wed, 8 Jul 1998 16:06:51 -0700


Recently a spate of "portscanning attacks" has been attributed to various
high traffic sites and servers on the net.  Here is an observation.

Below is one of the "scanning packets".  Specifically in this case the
tcp part of the packet has been replaced in such a way that you might
mistake it for a port scanning attack.  It would certainly trip tcp
filters.  This particular packet began life as a legitimate email packet
in a stream between Apple's email server and the MIT email server.  This
one packet in the stream was munged.

Specifically the entire tcp part of the packet has been replaced by
78 FF 02 14 repeated over and over again.  The tcp header, everything.

This made it look like weird things were happening.

The source port is 30975 = hex 78ff
The dest port is 532 = hex 214
The initial sequence number and acknowledgment number = 2029978132 = 78ff0214
The flags are set to ff
The checksum = 78FF
The urgent pointer is 532 = hex 214

You will notice the repeated pattern 78 FF 02 14
(the packet fragment is attached.)

We have determined that our equipment is not doing this and that it
occurs to a few packets in almost any stream. The pattern repeated is not
always 78ff0214. Because of filtering it was generating almost 65MB of
log files daily.


SO, here's the question.
  If you sniff packets and capture this type of activity could you send
me a traceroute from your establishment to the system that is "apparently"
"portscanning" you.  The object here is to analyze the path over which
this is occurring to try to narrow down where it is happening.

  Here is the traceroute for the path over which this particular packet
traveled.

 1  LL-HUB.LL.MIT.EDU (129.55.10.1)  3.515 ms  4.265 ms  2.523 ms
 2  lincoln-gw.near.net (129.55.15.2)  5.312 ms  5.129 ms  5.776 ms
 3  cambridge2-cr3.bbnplanet.net (199.95.64.177)  61.448 ms  106.771 ms  132.239 ms
 4  cambridge2-br2.bbnplanet.net (192.233.33.6)  23.658 ms  60.333 ms  10 ms
 5  cambridge1-br1.bbnplanet.net (4.0.1.201)  14.073 ms  7.509 ms  8.525 ms
 6  core10-hssi-1.SanFrancisco.mci.net (204.70.10.221)  13.952 ms  11.017 ms  19.617 ms
 7  bordercore2.WillowSprings.mci.net (166.48.22.1)  36.64 ms  32.246 ms  67.459 ms
 8  core2.Dallas.mci.net (204.70.4.69)  51.571 ms  50.028 ms  59.195 ms
 9  borderx1-fddi-1.Dallas.mci.net (204.70.114.52)  54.696 ms  56.805 ms  64.161 ms
10  diamond-net.Dallas.mci.net (204.70.114.106)  71.301 ms  67.505 ms  59.686 ms
11  APPLE-1.DllsTX.savvis.net (209.44.32.2)  316.68 ms  142.599 ms  250.019 ms
12  209.44.33.18 (209.44.33.18)  97.149 ms  90.555 ms  91.014 ms
13  tre.apple.com (205.180.175.29)  407.373 ms  337.825 ms  106.116 ms
14  mail-out2.apple.com (17.254.0.51)  107.062 ms *  101.546 ms





The tcp part

TCP:  ----- TCP header -----
TCP:
TCP:  Source port             = 30975
TCP:  Destination port        = 532 (Netnews)
TCP:  Initial sequence number = 2029978132
TCP:  Acknowledgment number   = 2029978132
TCP:  Data offset             = 28 bytes
TCP:  Flags                   = FF
TCP:                ..1. .... = Urgent pointer
TCP:                ...1 .... = Acknowledgment
TCP:                .... 1... = Push
TCP:                .... .1.. = Reset
TCP:                .... ..1. = SYN
TCP:                .... ...1 = FIN
TCP:  Window                  = 532
TCP:  Checksum                = 78FF, should be E635
TCP:  Urgent pointer          = 532
TCP:
TCP:  Options follow
TCP:  Unknown option 120
TCP:  7 byte(s) of header padding
TCP:  [504 byte(s) of data]
TCP:

ADDR  HEX                                                ASCII
0000  00 E0 14 7B 36 09 00 00  0C F8 17 49 08 00 45 00  ...{6......I..E.
0010  02 28 C2 35 00 00 2E 06  29 0B 11 FE 00 33 81 37  .(.5....)....3.7
0020  0C 28 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  .(x...x...x...x.
0030  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
0040  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
0050  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
0060  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
0070  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
0080  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
0090  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
00A0  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
00B0  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
00C0  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
00D0  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
00E0  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
00F0  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
0100  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
0110  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
0120  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
0130  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
0140  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
0150  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
0160  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
0170  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
0180  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
0190  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
01A0  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
01B0  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
01C0  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
01D0  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
01E0  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
01F0  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
0200  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
0210  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
0220  02 14 78 FF 02 14 78 FF  02 14 78 FF 02 14 78 FF  ..x...x...x...x.
0230  02 14 78 FF 02 14                                 ..x...
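As an added example (not part of the original post), the following Python rebuilds the attached frame from the hex dump above, parses the IP and TCP headers, recomputes the TCP checksum, and reports the signature that separates this kind of in-transit corruption from a real scan: one 4-byte word repeated across the whole TCP segment, header included, together with a checksum that does not verify. The frame bytes and addresses are taken from the dump; the function names and verdict strings are my own.

```python
import struct

# Constructed from the hex dump in the post: 14-byte Ethernet header,
# 20-byte IPv4 header (17.254.0.51 -> 129.55.12.40, total length 552),
# then 532 bytes of TCP consisting only of the repeated word 78 FF 02 14.
FRAME = (bytes.fromhex("00e0147b360900000cf8174908004500"
                       "0228c23500002e06290b11fe00338137"
                       "0c28")
         + bytes.fromhex("78ff0214") * 133)

def tcp_checksum(src, dst, segment):
    """RFC 793 checksum: pseudo-header + segment with its checksum field zeroed."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment[:16] + b"\x00\x00" + segment[18:]
    data += b"\x00" * (len(data) % 2)      # pad odd length for 16-bit words
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries (ones' complement sum)
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def analyze(frame):
    """Parse one Ethernet/IPv4/TCP frame and classify the 'scan' signature."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    src, dst = ip[12:16], ip[16:20]
    seg = ip[ihl:total_len]
    (sport, dport, seq, ack, off_flags,
     win, csum, urg) = struct.unpack("!HHIIHHHH", seg[:20])
    word = seg[:4]
    # The tell-tale from the post: one 4-byte word covers header AND payload.
    repeated = seg == (word * (len(seg) // 4 + 1))[:len(seg)]
    expected = tcp_checksum(src, dst, seg)
    all_flags = (off_flags & 0x3F) == 0x3F   # URG ACK PSH RST SYN FIN at once
    if repeated and csum != expected:
        verdict = "corrupted segment, not a port scan"
    elif all_flags:
        verdict = "suspicious flag combination"
    else:
        verdict = "ordinary segment"
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0xFF, "window": win, "urgent": urg,
            "checksum": csum, "expected": expected,
            "repeated_word": word.hex() if repeated else None,
            "verdict": verdict}

if __name__ == "__main__":
    for key, value in analyze(FRAME).items():
        print("%-14s %s" % (key, value))
```

The recomputed checksum comes out to E635, the value the sniffer reported the packet should have carried, so a filter that drops segments whose checksum fails and whose header is a repeated word would have kept these out of the 65MB of daily logs.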

