Security Incidents mailing list archives

Putting names to faces


From: "Stephen P. Berry" <spb () MESHUGGENEH NET>
Date: Fri, 4 Aug 2000 16:58:47 -0700



There are a couple of scan patterns that I've been seeing for quite
some time now, and I was wondering if anyone would be kind enough
to supply a name (i.e., the name of the tool producing the traffic)
to supplant the _ad hoc_ labels I've attached to them.

The interesting characteristics of the first pattern are:

        -Source port is always 2666
        -SYN is set
        -Sequence number and ACK are both set to decimal 111
        -TCP window set to 0

In standard tcpdump(8)-ish output, some sample packets are:

14:53:14.193898 a.b.c.d.2666 > x.y.z.n.53: S 111:111(0) win 0 (ttl 231, id 38403)
                         4500 0028 9603 0000 e706 .... .... ....
                         .... .... 0a6a 0035 0000 006f 0000 006f
                         5002 0000 .... 0000 0000 0000 0000
14:53:14.194589 a.b.c.d.2666 > x.y.z.(n+1).53: S 111:111(0) win 0 (ttl 231, id 57856)
                         4500 0028 e200 0000 e706 .... .... ....
                         .... .... 0a6a 0035 0000 006f 0000 006f
                         5002 0000 .... 0000 0000 0000 0000
14:53:14.194726 a.b.c.d.2666 > x.y.z.(n+2).53: S 111:111(0) win 0 (ttl 231, id 36096)
                         4500 0028 8d00 0000 e706 .... .... ....
                         .... .... 0a6a 0035 0000 006f 0000 006f
                         5002 0000 .... 0000 0000 0000 0000



The other pattern consists of:

        -Source and destination port are the same
        -IP id is decimal 39426
        -SYN and FIN are both set
        -Sequence number and ACK are constant for several packets (directed
         at different destination hosts) but change periodically.  They
         do not change at regular intervals (i.e., constant number of
         packets, at CIDR boundaries, or that sort of thing)
        -TCP window is decimal 1028

Some sample packets of the second pattern:

01:45:24.008007 a.b.c.d.109 > x.y.z.n.109: SF 258008281:258008281(0)
win 1028 (ttl 23, id 39426)
                         4500 0028 9a02 0000 1706 .... .... ....
                         .... .... 006d 006d 0f60 e4d9 5861 38bb
                         5003 0404 .... 0000 0000 0000 0000
01:45:24.028349 a.b.c.d.109 > x.y.z.(n+1).109: SF 258008281:258008281(0)
win 1028 (ttl 23, id 39426)
                         4500 0028 9a02 0000 1706 .... .... ....
                         .... .... 006d 006d 0f60 e4d9 5861 38bb
                         5003 0404 .... 0000 0000 0000 0000
01:45:24.048063 a.b.c.d.109 > x.y.z.(n+2).109: SF 258008281:258008281(0)
win 1028 (ttl 23, id 39426)
                         4500 0028 9a02 0000 1706 .... .... ....
                         .... .... 006d 006d 0f60 e4d9 5861 38bb
                         5003 0404 .... 0000 0000 0000 0000
        
I've seen both of these patterns over the space of several months,
directed at multiple independent and unrelated networks[0].  The
source hosts appear to be unrelated as well, and there are no overt
signs of collaboration between multiple scanning hosts (i.e.,
interleaving of hosts, synchronisation between the end of
one scan and the start of another, or anything like that).

They tend to do a sequential walk through large blocks of addresses,
and seem to only be looking at a single destination port per scan.
The destination ports tend to be topical---related to the current
exploits _du jour_ (e.g., 53 and 109 as above, as well as the
ever-popular 111).


I'm just looking for a label to tack onto the signature.

-Steve

-----
0     As far as I know, and excepting that I've seen traffic from all
      of them.
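As an added illustration (not part of the original post), here is a small Python checker that decodes raw IPv4/TCP headers and applies the two ad hoc signatures described above. The sample packets are the header bytes quoted in the post, with the masked address and checksum fields filled with placeholder values (constructed, not real captures).

```python
import struct

# Constructed samples: header bytes from the post, with the masked "...." fields
# (IP checksum, src/dst addresses, TCP checksum) filled with placeholders
# (checksums 0000, 10.0.0.1 -> 192.0.2.10). bytes.fromhex skips whitespace (3.7+).
PATTERN1_PKT = bytes.fromhex(
    "4500 0028 9603 0000 e706 0000 0a00 0001 c000 020a"   # IPv4 header, id 38403, ttl 231
    "0a6a 0035 0000 006f 0000 006f 5002 0000 0000 0000"   # TCP 2666 -> 53, seq=ack=111, SYN, win 0
)
PATTERN2_PKT = bytes.fromhex(
    "4500 0028 9a02 0000 1706 0000 0a00 0001 c000 020a"   # IPv4 header, id 39426, ttl 23
    "006d 006d 0f60 e4d9 5861 38bb 5003 0404 0000 0000"   # TCP 109 -> 109, SYN+FIN, win 1028
)
# Constructed ordinary SYN (port 40000 -> 80, win 65535) that should match neither pattern.
NORMAL_PKT = bytes.fromhex(
    "4500 0028 1234 4000 4006 0000 0a00 0001 c000 020a"
    "9c40 0050 0000 0001 0000 0000 5002 ffff 0000 0000"
)

TCP_FIN, TCP_SYN = 0x01, 0x02


def parse_ip_tcp(pkt):
    """Decode the fields the two signatures use from a raw IPv4+TCP packet (no link layer)."""
    ihl = (pkt[0] & 0x0F) * 4               # IP header length in bytes
    ip_id = struct.unpack_from("!H", pkt, 4)[0]
    ttl, proto = pkt[8], pkt[9]
    if proto != 6:                          # not TCP
        return None
    sport, dport, seq, ack, off_flags, win = struct.unpack_from("!HHIIHH", pkt, ihl)
    return {"ip_id": ip_id, "ttl": ttl, "sport": sport, "dport": dport,
            "seq": seq, "ack": ack, "flags": off_flags & 0x1FF, "win": win}


def label(f):
    """Return the ad hoc label for a decoded packet, or None if it matches neither pattern."""
    if f is None:
        return None
    # Pattern 1: source port 2666, SYN set, seq and ack both 111, window 0.
    if (f["flags"] & TCP_SYN) and f["sport"] == 2666 \
            and f["seq"] == f["ack"] == 111 and f["win"] == 0:
        return "pattern1-sport2666"
    # Pattern 2: SYN and FIN both set, same src/dst port, IP id 39426, window 1028.
    if (f["flags"] & (TCP_SYN | TCP_FIN)) == (TCP_SYN | TCP_FIN) \
            and f["sport"] == f["dport"] and f["ip_id"] == 39426 and f["win"] == 1028:
        return "pattern2-synfin-id39426"
    return None


def label_all(pkts):
    """Map each raw packet to its label so a capture can be tallied per signature."""
    return [label(parse_ip_tcp(p)) for p in pkts]
```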