Security Incidents mailing list archives

Re: New DNS connection with SYN ACK


From: RainbowHat <junk () blackhole-1 iana org>
Date: Wed, 16 Jan 2002 04:02:02 +0900

Hi Mike and everyone,

First, I bet it's "global load balancers", and I agree with what
Dan Hawrylkiw was saying on another sub-thread.

Cloppert, Michael said:
Could it be that you've been decoy addresses in a portscan?

For instance, hacker (H) wants to attack A.  Hacker finds B and C that are
legit, so hacker sends a portscan from H, B, and C to A.  The effect of this
is that the analyst at A doesn't know which is the real portscanner (or in
this case scanner for port 53).  What B and C see are the responses of the
initial SYN sent to A, since A will be responding to both H, B, and C
thinking that they're legit TCP initiation requests.

But A didn't send SYN packets to H, B and C. The SYN-ACK packets
A received aren't legit. The first poster, Jerry Perser, found his
firewall dropped these strange SYN-ACK packets.

HTH.  Anyone else have any ideas?

Yes, I have ideas. I think it depends on how skilled the analyst
is versus the prober.

[Case1 analyst > prober]
Passive:
The analyst can check passive fingerprints using the logs. If the
TTLs are the same, there are decoys. If the WINDOW size, DF flag
and other TCP/IP parameters are the same, it's strange.
Active:
They ping (or traceroute) H, B and C. They compare the hops (TTL)
with the logs. B and C are different and H is nearly equal. They
know H is the real prober and B and C are decoys. The WINDOW size,
DF flag and other TCP/IP parameters work as well. They can
portscan H, B and C. So the analyst becomes a prober. The analysts
at B and C will find the scan and re-scan. There is nesting
(recursion)...

[Case2 analyst < prober]
The prober knows the OS version and type of B and C. It is
difficult for them to know how many hops B to A and C to A are,
usually. They need to know the Internet topology map. They have
the craft to make packets that mimic B and C.

-- 
Greetings, and sorry for my poor English,
RainbowHat. I support FULL DISCLOSURE.
I use the terms "prober", "attacker" and "intruder", because
a hacker said, "I'm just developing Linux|*BSD 20 hours per day."
A hacker in a Hollywood movie said, "I'm just acting out the
scenario!" A cracker said, "I'm researching de-cryptography."
A script kiddie said, "i h4v3 n07 5ki11. i w4n4633 4 31337."
----+----1----+----2----+----3----+----4----+----5----+----6----+----7


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
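The two checks RainbowHat sketches for Case1 (passive: group probe sources by shared TTL / DF / WINDOW; active: compare the hop count implied by each packet's TTL with the hops a traceroute to that source measures) can be run over firewall logs as a small script. The example below is added here for illustration and is not code from the thread or from the ARIS service. The iptables-style log lines and the per-source traceroute hop counts are constructed sample data; the initial-TTL guesses (64, 128, 255) and the two-hop tolerance for asymmetric routes are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed iptables-style log lines (sample data, not from the thread).
# The first three SYN probes to port 53 come from three different sources but
# share one TTL, DF bit and WINDOW, which is what a single scanning host that
# spoofs decoy source addresses leaves behind. The fourth is an unrelated probe.
SAMPLE_LOG = """\
Jan 15 03:59:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=31337 DF PROTO=TCP SPT=4321 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 15 03:59:01 fw kernel: DROP IN=eth0 SRC=198.51.100.20 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=31338 DF PROTO=TCP SPT=4322 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 15 03:59:02 fw kernel: DROP IN=eth0 SRC=198.51.100.77 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=31339 DF PROTO=TCP SPT=4323 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 15 04:01:10 fw kernel: DROP IN=eth0 SRC=192.0.2.200 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=119 ID=2214 PROTO=TCP SPT=1040 DPT=53 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# Constructed (hypothetical) hop counts from a traceroute run by the analyst
# at A towards each source address seen in the log.
TRACEROUTE_HOPS = {
    "203.0.113.5": 12,
    "198.51.100.20": 5,
    "198.51.100.77": 19,
    "192.0.2.200": 9,
}

LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) .*?TTL=(?P<ttl>\d+) ID=\d+ (?P<df>DF )?PROTO=TCP .*?WINDOW=(?P<win>\d+)"
)


def parse_log(text):
    """Extract source, TTL, DF bit and WINDOW from each TCP log line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a TCP line in the expected format
        records.append({
            "src": m.group("src"),
            "ttl": int(m.group("ttl")),
            "df": m.group("df") is not None,
            "win": int(m.group("win")),
        })
    return records


def fingerprint_groups(records):
    """Passive check: group sources by (ttl, df, window). Distinct hosts on
    distinct paths rarely share all three, so a group holding several sources
    is the candidate 'real prober plus decoys' set."""
    groups = defaultdict(set)
    for r in records:
        groups[(r["ttl"], r["df"], r["win"])].add(r["src"])
    return {fp: sorted(srcs) for fp, srcs in groups.items()}


def suspected_decoy_sets(records):
    """Only the fingerprint groups that contain more than one source."""
    return [srcs for srcs in fingerprint_groups(records).values() if len(srcs) > 1]


def guess_initial_ttl(observed):
    """Assumption: the sender used one of the common initial TTLs; pick the
    smallest one that is not below the observed value."""
    for initial in (64, 128, 255):
        if observed <= initial:
            return initial
    raise ValueError("TTL above 255")


def implied_hops(observed_ttl):
    """Hops the packet appears to have travelled, from its TTL alone."""
    return guess_initial_ttl(observed_ttl) - observed_ttl


def classify_sources(records, traceroute_hops, tolerance=2):
    """Active check: a source whose packet TTL does not fit the path length a
    traceroute measured most likely never sent the packet (a decoy address).
    'tolerance' absorbs asymmetric forward/return routes (assumed value)."""
    verdicts = {}
    for r in records:
        measured = traceroute_hops.get(r["src"])
        if measured is None:
            verdicts[r["src"]] = "unknown"
            continue
        delta = abs(implied_hops(r["ttl"]) - measured)
        verdicts[r["src"]] = "consistent" if delta <= tolerance else "decoy?"
    return verdicts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("sources sharing one TCP/IP fingerprint:", suspected_decoy_sets(recs))
    for src, verdict in classify_sources(recs, TRACEROUTE_HOPS).items():
        print(f"{src:16} {verdict}")
```

On the constructed data the three port-53 probes fall into one fingerprint group, and only 203.0.113.5 has a TTL that matches its measured path, so it comes out as the real prober and the other two as decoys. The limits are the ones the thread itself raises: the initial-TTL guess can be wrong, return paths are not always the same length as forward paths (hence the tolerance), and a prober who knows the decoys' OS and path lengths (Case2) can craft per-decoy TTL and window values that pass both checks.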

