Security Incidents mailing list archives
Re: TCP Munging or ICMP Crossdressing
From: hdm () SECUREAUSTIN COM (H D Moore)
Date: Thu, 24 Feb 2000 11:39:24 -0600
This could be the result of someone using hping2 with the "read data from file" option to do some kind of firewall ruleset testing... That is the only widely known tool I know of which could easily create this signature.

-HD

"Stephen P. Berry" wrote:
About twenty-four hours ago I started seeing some anomalous traffic which doesn't match any signature with which I am currently familiar. Looking at a representative packet in hex (a la tcpdump(8) with the -x flag given):

    4500 .... .... 4000 ..06 .... xxxx xxxx yyyy yyyy
    7803 8018 7803 8018 7803 8018 7803 8018 7803 8018
    7803 8018 7803 8018 7803 8018 7803

Where xxxx xxxx and yyyy yyyy are the appropriate hex values for the source and destination IP addresses, respectively, and the `.'s are the length, ID, TTL and checksum which vary from incident to incident but which are all appropriate values.

The repeated pattern which starts immediately after the end of the IP header varies from incident to incident, as well as from packet to packet in a single incident[0]. The pattern has always been four bytes long, but the overall packet length varies.

I've observed this traffic on multiple sensors on different segments. All of them do, however, share a common upstream provider---so it is possible that the cause is a smafco'd router or some such rather than nastiness on the apparent source host. So far, all of this odd traffic has occurred in relative proximity (within a couple seconds or so) of otherwise uninteresting traffic (mostly innocuous-looking inbound web traffic).

When I first saw this, I thought I was looking at the result of someone using a BSD-like ping(8) with a four byte -p pattern. But of course the IP header identifies the packets as being TCP, and there is no (proper) layer four header at all.

Does this look familiar to anyone? And no, none of the traffic came from demon.co.uk, gb.net, or any of the related fountains of munged traffic[1].

-Steve
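A sensor-side check for the packet shape Steve describes, added here as an example and not code from either poster: it parses a tcpdump -x style dump, and flags an IPv4 datagram whose protocol field says TCP but whose payload is too short for a TCP header or is nothing but a short repeating pattern. The sample dumps, addresses (documentation ranges), IP IDs and zero checksums are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample modelled on the dump in the post: proto 6 (TCP), but the
# 34 bytes after the IP header are just "7803 8018" repeated, no TCP header.
ANOMALY_HEX = ("4500 0036 1234 4000 4006 0000 c000 0201 c633 6407 "
               + "7803 8018 " * 8 + "7803")
# Constructed ordinary TCP SYN (20-byte IP header + 20-byte TCP header) for contrast.
NORMAL_HEX = ("4500 0028 0001 4000 4006 0000 c000 0201 c633 6407 "
              "c000 0050 0000 0001 0000 0000 5002 ffff 0000 0000")

def parse_ipv4(raw: bytes) -> dict:
    """Split a raw IPv4 datagram into the header fields we need plus the payload."""
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes (options included)
    return {
        "version": ver_ihl >> 4, "ihl": ihl, "total_len": total_len, "proto": proto,
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "payload": raw[ihl:total_len],   # everything after the IP header
    }

def repeating_period(data: bytes, max_period: int = 8):
    """Shortest period <= max_period that reproduces `data` (partial tail allowed), or None."""
    for p in range(1, min(max_period, len(data) // 2) + 1):
        if (data[:p] * (len(data) // p + 1))[:len(data)] == data:
            return p
    return None

def classify(hex_dump: str) -> list:
    """Findings for one dump: a repeating payload, and TCP with no usable layer-4 header."""
    pkt = parse_ipv4(bytes.fromhex(hex_dump.replace(" ", "")))
    payload = pkt["payload"]
    findings = []
    period = repeating_period(payload)
    if period is not None:
        findings.append(f"repeating-pattern-{period}")
    # A real TCP header is at least 20 bytes and is never a pure repeating pattern
    # (ports, sequence numbers and offset/flags words would all have to coincide).
    if pkt["proto"] == 6 and (len(payload) < 20 or period is not None):
        findings.append("tcp-without-l4-header")
    return findings

if __name__ == "__main__":
    for name, dump in (("anomaly", ANOMALY_HEX), ("normal", NORMAL_HEX)):
        print(name, classify(dump))
```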
Current thread:
- TCP Munging or ICMP Crossdressing Stephen P. Berry (Feb 22)
- Re: TCP Munging or ICMP Crossdressing H D Moore (Feb 24)