Security Incidents mailing list archives

RE: Another odd scan...


From: "Wolf, Glenn" <glenn.wolf () we-inc com>
Date: Fri, 12 Jul 2002 15:13:33 -0700

Check out this posting:

http://groups.google.com/groups?q=%22CWR+ECE+SYN%22&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=1015153098.7313.0.nnrp-12.c1ed31d9%40news.demon.co.uk&rnum=3

-----------------------

On Sat, 02 Mar 2002 16:09:52 +0000, Calum wrote:

Hello All,

Just wondering if anyone has seen activity from sinectis.com.ar?
I have seen them in my logs before.
Most recent:

Mar  2 16:04:37 mercury kernel: IN=eth1 OUT=
MAC=00:40:95:43:6f:50:00:d0:ba:1f:0d:54:08:00 SRC=216.244.192.23
DST=my.ip.add.ress LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=32940 DF
PROTO=TCP SPT=65280 DPT=39255 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0

What are the CWR and ECE flags?

CWR and ECE are used in the SYN packet sent by a host with Explicit
Congestion Notification enabled. Some versions of kernel 2.4 had this
enabled by default (and it's still user-configurable) so if the packet is
legit, it's a fair bet they're using said kernel version.

What is he looking for on port 39255

<http://www.portsdb.org> doesn't list anything, so I suspect they were
probing to see if you were protected by a Cisco PIX firewall. Some
versions of PIX silently drop packets with ECE/CWR flags set (as they're
reserved in RFC 793). If you're allowing SYNs to that port, then they'll
normally get a TCP RST (if nothing's listening), SYN-ACK (if something
is) and/or one of a number of ICMP *-unreachable messages. If you had a
PIX firewall there, they'd get nothing back. If they send two probes,
one with ECE/CWR set, and one not, then that'll give them a strong clue
as to whether you're a fan of the Beast of San Francisco.

Add them to the deny-no-matter-what list, I think.

Might be worth a message to their sysadmins too...

Best Regards,
Alex.

-----------------------

-----Original Message-----
From: Adam Young [mailto:adam () vbfx com]
Sent: Thursday, July 11, 2002 6:57 PM
To: incidents () securityfocus com
Subject: Another odd scan...


--SNIP--
Jul 11 21:52:48 element kernel: (catch-all logging):: IN=eth0 OUT= MAC=*
SRC=80.97.2.93 DST=24.215.x.y LEN=60 TOS=0x00 PREC=0x00 TTL=34 ID=64252
DF PROTO=TCP SPT=33124 DPT=77 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0 
--SNIP--

        I got this for about 2 minutes, every 20 seconds or so. I just thought
it especially weird with "CWR ECE SYN", looking as to what the meaning
of this is.

        Any help is appreciated greatly,

                Adam
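As an added example (not written by any of the posters), a small Python parser for netfilter LOG lines like the two quoted above: it separates the KEY=VALUE fields from the bare TCP flag tokens, names the flag combination using the ECN setup definitions of RFC 3168, and groups hits per source so a host sending both ECN and plain SYNs to one port (the paired probe Alex describes) stands out. The first two sample lines are the ones from the thread re-joined; the third is constructed.

```python
"""Parse netfilter LOG lines and classify their TCP flag bits (added example)."""

# Bare tokens netfilter prints for TCP flag bits. DF is the IP don't-fragment
# bit and is deliberately left out.
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

def parse_netfilter_line(line):
    """Return (fields, flags): KEY=VALUE tokens as a dict, TCP flag tokens as a set."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return fields, flags

def classify_flags(flags):
    """Name the flag combination using the ECN setup definitions of RFC 3168."""
    if flags == {"SYN", "ECE", "CWR"}:
        return "ecn-setup-syn"       # ECN-capable client, as in the posted logs
    if flags == {"SYN", "ACK", "ECE"}:
        return "ecn-setup-syn-ack"   # ECN-capable server's reply
    if flags == {"SYN"}:
        return "plain-syn"
    return "other"

def summarize_by_source(lines):
    """Per source address: hit count, destination ports and flag classes seen.
    Both an ECN and a plain SYN from one source to one port is worth a closer look."""
    summary = {}
    for line in lines:
        fields, flags = parse_netfilter_line(line)
        if fields.get("PROTO") != "TCP":
            continue
        src = summary.setdefault(fields["SRC"], {"count": 0, "ports": set(), "classes": set()})
        src["count"] += 1
        src["ports"].add(int(fields["DPT"]))
        src["classes"].add(classify_flags(flags))
    return summary

# The two log lines quoted in the thread (re-joined onto single lines) plus one
# constructed plain SYN from the second source, so the pairing shows up.
SAMPLE_LOG = [
    "Mar  2 16:04:37 mercury kernel: IN=eth1 OUT= MAC=00:40:95:43:6f:50:00:d0:ba:1f:0d:54:08:00 SRC=216.244.192.23 DST=my.ip.add.ress LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=32940 DF PROTO=TCP SPT=65280 DPT=39255 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0",
    "Jul 11 21:52:48 element kernel: (catch-all logging):: IN=eth0 OUT= MAC=* SRC=80.97.2.93 DST=24.215.x.y LEN=60 TOS=0x00 PREC=0x00 TTL=34 ID=64252 DF PROTO=TCP SPT=33124 DPT=77 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0",
    "Jul 11 21:53:08 element kernel: (catch-all logging):: IN=eth0 OUT= MAC=* SRC=80.97.2.93 DST=24.215.x.y LEN=60 TOS=0x00 PREC=0x00 TTL=34 ID=64253 DF PROTO=TCP SPT=33125 DPT=77 WINDOW=5840 RES=0x00 SYN URGP=0",  # constructed
]
```

Running `summarize_by_source(SAMPLE_LOG)` reports 80.97.2.93 hitting port 77 with both "ecn-setup-syn" and "plain-syn", while 216.244.192.23 shows a single ECN-setup SYN to 39255.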

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
