Security Incidents mailing list archives
Putting names to faces
From: "Stephen P. Berry" <spb () MESHUGGENEH NET>
Date: Fri, 4 Aug 2000 16:58:47 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There are a couple of scan patterns that I've been seeing for quite some
time now, and I was wondering if anyone would be kind enough to supply a
name (i.e., the name of the tool producing the traffic) to supplant the
_ad hoc_ labels I've attached to them.

The interesting characteristics of the first pattern are:

-Source port is always 2666
-SYN is set
-Sequence number and ACK are both set to decimal 111
-TCP window set to 0

In standard tcpdump(8)-ish output, some sample packets are:

14:53:14.193898 a.b.c.d.2666 > x.y.z.n.53: S 111:111(0) win 0 (ttl 231, id 38403)
                         4500 0028 9603 0000 e706 .... .... ....
                         .... .... 0a6a 0035 0000 006f 0000 006f
                         5002 0000 .... 0000 0000 0000 0000
14:53:14.194589 a.b.c.d.2666 > x.y.z.(n+1).53: S 111:111(0) win 0 (ttl 231, id 57856)
                         4500 0028 e200 0000 e706 .... .... ....
                         .... .... 0a6a 0035 0000 006f 0000 006f
                         5002 0000 .... 0000 0000 0000 0000
14:53:14.194726 a.b.c.d.2666 > x.y.z.(n+2).53: S 111:111(0) win 0 (ttl 231, id 36096)
                         4500 0028 8d00 0000 e706 .... .... ....
                         .... .... 0a6a 0035 0000 006f 0000 006f
                         5002 0000 .... 0000 0000 0000 0000

The other pattern consists of:

-Source and destination port are the same
-IP id is decimal 39426
-SYN and FIN are both set
-Sequence number and ACK are constant for several packets (directed at
 different destination hosts) but change periodically. They do not change
 at regular intervals (i.e., constant number of packets, at CIDR
 boundaries, or that sort of thing)
-TCP window is decimal 1028

Some sample packets of the second pattern:

01:45:24.008007 a.b.c.d.109 > x.y.z.n.109: SF 258008281:258008281(0) win 1028 (ttl 23, id 39426)
                         4500 0028 9a02 0000 1706 .... .... ....
                         .... .... 006d 006d 0f60 e4d9 5861 38bb
                         5003 0404 .... 0000 0000 0000 0000
01:45:24.028349 a.b.c.d.109 > x.y.z.(n+1).109: SF 258008281:258008281(0) win 1028 (ttl 23, id 39426)
                         4500 0028 9a02 0000 1706 .... .... ....
                         .... .... 006d 006d 0f60 e4d9 5861 38bb
                         5003 0404 .... 0000 0000 0000 0000
01:45:24.048063 a.b.c.d.109 > x.y.z.(n+2).109: SF 258008281:258008281(0) win 1028 (ttl 23, id 39426)
                         4500 0028 9a02 0000 1706 .... .... ....
                         .... .... 006d 006d 0f60 e4d9 5861 38bb
                         5003 0404 .... 0000 0000 0000 0000

I've seen both of these patterns over the space of several months,
directed at multiple independent and unrelated networks[0]. The source
hosts appear to be unrelated as well, and there are no overt signs of
collaboration between multiple scanning hosts (i.e., interleaving of
hosts, synchronisation between the end of one scan and the start of
another, or anything like that). They tend to do a sequential walk
through large blocks of addresses, and seem to only be looking at a
single destination port per scan. The destination ports tend to be
topical---related to the current exploits _du jour_ (e.g., 53 and 109 as
above, as well as the ever-popular 111).

I'm just looking for a label to tack onto the signature.

- -Steve

- -----
0 As far as I know, and excepting that I've seen traffic from all of them.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE5i1idG3kIaxeRZl8RAgPaAJ4yMW3tNsGMr2ce5Y409JqGSk2mPACglMJQ
LAruSX8eYevcAFDn0KG2KV0=
=QQAV
-----END PGP SIGNATURE-----
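The two signatures described in the post, turned into detection logic as an added example (this is not the poster's code, nor the output of any named tool): a small Python parser that decodes the IPv4 and TCP headers from tcpdump -x style hex dumps like the ones quoted above, matches them against the two patterns, and separately lists the protocol-level oddities both patterns share (SYN+FIN together, a non-zero ACK number without the ACK flag, a zero window on a SYN), which a generic rule could catch without knowing the tool. The redacted words ("....") are zero-filled for parsing, which is an assumption of the example (the real checksums and addresses are not on the page); the benign SYN used as a control is constructed, not from the post.

```python
import struct

# Hex dumps copied from the post (tcpdump -x style, IPv4 + TCP, no options).
# "...." marks the words the poster redacted: IP checksum, source and
# destination address, TCP checksum.  None of the signatures depend on them.
PATTERN_1 = ("4500 0028 9603 0000 e706 .... .... .... .... .... "
             "0a6a 0035 0000 006f 0000 006f 5002 0000 .... 0000 0000 0000 0000")
PATTERN_2 = ("4500 0028 9a02 0000 1706 .... .... .... .... .... "
             "006d 006d 0f60 e4d9 5861 38bb 5003 0404 .... 0000 0000 0000 0000")
# Constructed control (not from the post): an ordinary SYN from an ephemeral
# port to tcp/80 with a random-looking ISN, zero ACK number and a 65535 window.
BENIGN_SYN = ("4500 0028 1234 4000 4006 0000 0a00 0001 0a00 0002 "
              "9c40 0050 1a2b 3c4d 0000 0000 5002 ffff 0000 0000")

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def parse_ip_tcp(hexdump):
    """Decode the IPv4 and TCP headers from a tcpdump -x hex dump.

    Redacted words ("....") are zero-filled (an assumption of this example)
    so the field offsets stay aligned; only the fields the scan signatures
    use are returned.  Ethernet padding after the TCP header is ignored.
    """
    words = ["0000" if w == "...." else w for w in hexdump.split()]
    raw = bytes.fromhex("".join(words))
    if len(raw) < 20:
        raise ValueError("truncated IP header")
    (ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto,
     _ipcsum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not IPv4/TCP")
    if len(raw) < ihl + 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, _off, flags, window,
     _tcpcsum, _urg) = struct.unpack("!HHIIBBHHH", raw[ihl:ihl + 20])
    return {"total_len": total_len, "ip_id": ip_id, "ttl": ttl,
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window}


def classify(h):
    """Match a parsed header against the two patterns from the post."""
    if (h["sport"] == 2666 and (h["flags"] & TCP_SYN)
            and h["seq"] == 111 and h["ack"] == 111 and h["window"] == 0):
        return "pattern-1: sport 2666, SYN, seq/ack 111, win 0"
    if ((h["flags"] & (TCP_SYN | TCP_FIN)) == (TCP_SYN | TCP_FIN)
            and h["sport"] == h["dport"] and h["ip_id"] == 39426
            and h["window"] == 1028):
        return "pattern-2: SYN+FIN, sport==dport, id 39426, win 1028"
    return None


def anomalies(h):
    """Handshake violations a generic rule could flag without knowing the tool.

    A real SYN never carries FIN, never carries an ACK number without the
    ACK flag, and (on any sane stack) advertises a non-zero window.
    """
    f = h["flags"]
    out = []
    if (f & TCP_SYN) and (f & TCP_FIN):
        out.append("SYN and FIN set together")
    if h["ack"] != 0 and not (f & TCP_ACK):
        out.append("ACK number set without ACK flag")
    if (f & TCP_SYN) and h["window"] == 0:
        out.append("zero window on SYN")
    return out


if __name__ == "__main__":
    for name, dump in (("pattern 1", PATTERN_1), ("pattern 2", PATTERN_2),
                       ("benign", BENIGN_SYN)):
        h = parse_ip_tcp(dump)
        print(f"{name}: {h['sport']}->{h['dport']} flags=0x{h['flags']:02x} "
              f"id={h['ip_id']} ttl={h['ttl']} win={h['window']} "
              f"-> {classify(h)} {anomalies(h)}")
```

The exact-match rules in classify() are what the post asks to put a name to; anomalies() is the part worth keeping once the tool changes its constants, since a SYN+FIN probe or a SYN carrying an ACK number is wrong regardless of which scanner emitted it.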
Current thread:
- Putting names to faces Stephen P. Berry (Aug 07)