Security Incidents mailing list archives

TCP Munging or ICMP Crossdressing


From: spb () SCHADENFREUDE MESHUGGENEH NET (Stephen P. Berry)
Date: Tue, 22 Feb 2000 23:28:23 -0800



About twenty-four hours ago I started seeing some anomalous traffic which
doesn't match any signature with which I am currently familiar.

Looking at a representative packet in hex (a la tcpdump(8) with the -x
flag given):

        4500 .... .... 4000 ..06 .... xxxx xxxx
        yyyy yyyy 7803 8018 7803 8018 7803 8018
        7803 8018 7803 8018 7803 8018 7803 8018
        7803 8018 7803

Where xxxx xxxx and yyyy yyyy are the appropriate hex values for the
source and destination IP addresses, respectively, and the `.'s are
the length, ID, TTL and checksum which vary from incident to incident
but which are all appropriate values.

The repeated pattern which starts immediately after the end of the IP
header varies from incident to incident, as well as from packet to
packet in a single incident[0].  The pattern has always been four bytes
long, but the overall packet length varies.

I've observed this traffic on multiple sensors on different segments.
All of them do, however, share a common upstream provider---so it
is possible that the cause is a smafco'd router or some such rather
than nastiness on the apparent source host.  So far, all of this
odd traffic has occurred in relative proximity (within a couple seconds
or so) of otherwise uninteresting traffic (mostly innocuous-looking
inbound web traffic).

When I first saw this, I thought I was looking at the result of someone
using a BSD-like ping(8) with a four byte -p pattern.  But of course
the IP header identifies the packets as being TCP, and there is no
(proper) layer four header at all.

Does this look familiar to anyone?  And no, none of the traffic came
from demon.co.uk, gb.net, or any of the related fountains of munged
traffic[1].

-Steve

-----
0     Here I'm defining `incident' as being a single stream of traffic
      between a single source/destination host pair with no appreciable
      pauses between packets.  Each `incident' lasts a couple minutes,
      and there are no pauses between packets as long as a full second.
1     If you've ever seen this, you know what I mean.

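An added detection example, not part of the original post or its thread: it builds a packet shaped like the hex dump above (constructed addresses, ID and TTL; `build_ipv4`, `repeated_unit` and `classify` are hypothetical helper names) alongside a normal TCP SYN, and flags an IPv4 packet whose protocol field says TCP but whose layer-4 bytes are a tiled four-byte pattern or are too short to hold a TCP header.

```python
import socket
import struct

# Constructed sample modelled on the dump in the post: a 20-byte IPv4 header
# claiming protocol 6 (TCP) followed by 34 bytes of the unit 7803 8018 tiled.
PATTERN_UNIT = bytes.fromhex("78038018")
ANOMALOUS_L4 = (PATTERN_UNIT * 9)[:34]

def ip_checksum(data: bytes) -> int:
    """RFC 791 one's-complement checksum; over a full valid header it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, l4: bytes, ident: int = 0x1234, ttl: int = 64) -> bytes:
    """Wrap an arbitrary layer-4 blob in an IPv4 header (DF set, protocol 6)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), ident, 0x4000,
                      ttl, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + l4

def repeated_unit(l4: bytes, unit_len: int = 4, min_repeats: int = 3):
    """Return the unit if the whole blob is that unit tiled (partial tail allowed), else None."""
    if len(l4) < unit_len * min_repeats:
        return None
    unit = l4[:unit_len]
    return unit if all(b == unit[i % unit_len] for i, b in enumerate(l4)) else None

def classify(pkt: bytes) -> str:
    """Verdict for one IPv4 packet: does the TCP layer hold a real header or filler?"""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    if ip_checksum(pkt[:ihl]) != 0:
        return "bad-ip-checksum"
    if pkt[9] != 6:
        return "non-tcp"
    l4 = pkt[ihl:total]
    if repeated_unit(l4) is not None:
        return "tcp-repeated-pattern"   # the signature described in the post
    doff = (l4[12] >> 4) * 4 if len(l4) >= 20 else 0
    if doff < 20 or doff > len(l4):
        return "tcp-no-proper-header"   # too short or data offset cannot be right
    return "tcp-ok"

# A plausible TCP SYN (40000 -> 80, data offset 5) for comparison; addresses are TEST-NET.
NORMAL_L4 = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 65535, 0, 0)
ANOMALOUS = build_ipv4("192.0.2.1", "198.51.100.2", ANOMALOUS_L4)
NORMAL = build_ipv4("192.0.2.1", "198.51.100.2", NORMAL_L4)
```

Fed one IPv4 packet at a time from a capture, `classify` separates the tiled-pattern packets from ordinary TCP without needing to know the pattern in advance, which matters since the post notes the unit changes from packet to packet.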