Security Incidents mailing list archives

Re: port 17300 probe fingerprint analysis


From: John Sage <jsage () finchhaven com>
Date: Tue, 18 Feb 2003 07:06:36 -0800

Royans:

On Mon, Feb 17, 2003 at 08:00:31PM -0800, Royans Tharakan wrote:
We have all been looking for activity on 17300. I have a honeypot
running on this port which promptly ACKed back on that port. The probe
promptly returned within 10 seconds with a second probe.

I am running ACK_hole on TCP:17300. I've seen little activity lately;
most recently 02/07/03. Most probes I see are spaced at about 5 to 40
seconds, SYN, ACK, RST.

It's common to get RSTs back from the attacking host, which we in the
intrusion community have been dismissing as responses from a spoofed
address. However, I did have a second TCP probe from the same server,
which throws that idea away.

The only (one!) probe I've seen with both source and destination of
17300 has the form SYN, RST. The probing host returns immediately from
source port 3882 with SYN, ACK, ten seconds, ACK, FIN, and then
another ACK.

All other probes have had a more "normal" source port in the range
1000-5000.

It's normal for most OSes to send an RST in response to a SYN-ACK that
they did not initiate (or if the SYN was crafted by a tool running on
them), so I was tempted to say that the RST here was generated by the
source host after I sent the SYN-ACK for the first packet. But the
fingerprint of the second probe doesn't match the RST of the first
probe, leading me to believe that this was either generated by its
firewall, or by the tool itself to force our logs to believe that this
was a reply from a spoofed address.

Here, the first SYN (source port 17300) has the following form:

------------------------------------------------------------------------------
#(622 - 25) [2003-01-25 14:02:48]  TCP inbound to 17300 Kuang2
IPv4: 216.40.243.24 -> 12.82.131.186
      hlen=5 TOS=0 dlen=40 ID=53028 flags=0 offset=0 TTL=110 chksum=8798
TCP:  port=17300 -> dport: 17300  flags=******S* seq=139324875
      ack=729646487 off=5 res=0 win=51098 urp=0 chksum=24228
Payload: none
------------------------------------------------------------------------------

while the second SYN (source port 3882) has the form:

------------------------------------------------------------------------------
#(622 - 27) [2003-01-25 14:02:49]  TCP inbound to 17300 Kuang2
IPv4: 216.40.243.24 -> 12.82.131.186
      hlen=5 TOS=0 dlen=60 ID=14703 flags=0 offset=0 TTL=51 chksum=45823
TCP:  port=3882 -> dport: 17300  flags=******S* seq=286060836
      ack=0 off=10 res=0 win=32120 urp=0 chksum=26176
      Options:
       #1 - MSS len=4 data=05B4
       #2 - SACKOK len=0
       #3 - TS len=10 data=0016B3FB00000000
       #4 - NOP len=0
       #5 - WS len=3 data=00
Payload: none
------------------------------------------------------------------------------

Notice the time delta of one second; no TCP options versus 5; very
different IP IDs; very different TTLs; very different SEQs; that the
first is ACKing "729646487", which is nonsense in a SYN; and that there
are very different window advertisements.


There are significant fingerprinting differences between the first
probe and the second probe. It's easy to figure out that the first
probe is actually crafted, but the difference between the first and
second packet of the first probe can uniquely fingerprint this tool
anywhere else on the internet. The TTL differs by 11 hops... and I'm
tempted to bet that this could be a bug in this attacking tool.

BTW, can someone tell me the importance of "Window Scale=0" ?

wscale is a TCP option that "...increases the definition of the TCP
window from 16 to 32 bits... Instead of changing the TCP header
[itself] to accommodate the larger window, the header still holds a 16
bit value, and an option is defined that applies a scaling operation
to the 16-bit value..." WR Stevens, "TCP/IP Illustrated" vol 1, p 347

I'd say this has no great significance.

Here is some more info... and the packet dump itself.

1. TTL changes from 113 to 244 between a SYN and a RST in the first probe

Yes. Mine: TTL 110 to 242 between SYN and RST..

2. IP ID is very different between SYN and RST of the first probe.

Yes.

3. However IPID is sequential in the second probe
4. The remote site ACKs my SYN-ACK and waits for reply from the victim host.
5. Fingerprint of first probe 
      Window size of the first packet is 0xC23C
      TTL 113,244 (+11 is the hops I counted to that system) = 124,255
      IPID is random (or 2 different systems, or crafted)

6. Fingerprints of second probe
      window size of the second packet is 0x7D78

Yes. My second SYN from src port 3882 is this:

[toot@sparky ~]# 2 hd 7D78 = 32120 decimal

      TTL 53 (11 is the hops I counted to that system) = 64

My second SYN from src port 3882 has a TTL of 51..

      SACKOK
      TS 317697848
      WS 0 


Grand total overall I've seen: 101 since 04/06/02.

I had a *real* big burst from multiple hosts 08/05/02; a few in
September, and then nothing until December 25.

Here are my captures since the recent increase in activity, after
12/25/02:

Generated by ACID v0.9.6b21 on Mon February 17, 2003 22:46:13
------------------------------------------------------------------------------
#(575 - 166) [2002-12-25 11:01:32]  TCP inbound to 17300 Kuang2
IPv4: 24.28.142.23 -> 12.82.128.80
      hlen=5 TOS=0 dlen=48 ID=22259 flags=0 offset=0 TTL=112 chksum=33023
TCP:  port=2295 -> dport: 17300  flags=******S* seq=17094016
      ack=0 off=7 res=0 win=32768 urp=0 chksum=44345
      Options:
       #1 - MSS len=4 data=05B4
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------
#(575 - 167) [2002-12-25 11:01:33]  TCP inbound to 17300 Kuang2
IPv4: 24.28.142.23 -> 12.82.128.80
      hlen=5 TOS=0 dlen=40 ID=32499 flags=0 offset=0 TTL=112 chksum=22791
TCP:  port=2295 -> dport: 17300  flags=***A**** seq=17094017
      ack=3273459440 off=5 res=0 win=32768 urp=0 chksum=4064
Payload: none
------------------------------------------------------------------------------
#(575 - 168) [2002-12-25 11:01:36]  TCP inbound to 17300 Kuang2
IPv4: 24.28.142.23 -> 12.82.128.80
      hlen=5 TOS=0 dlen=40 ID=54771 flags=0 offset=0 TTL=112 chksum=519
TCP:  port=2295 -> dport: 17300  flags=*****R** seq=17094017
      ack=3394151851 off=5 res=0 win=0 urp=0 chksum=59903
Payload: none
------------------------------------------------------------------------------



------------------------------------------------------------------------------
#(188 - 36) [2002-12-31 23:49:45]  TCP inbound to 17300 Kuang2
IPv4: 24.141.211.244 -> 12.82.129.14
      hlen=5 TOS=0 dlen=48 ID=33957 flags=0 offset=0 TTL=111 chksum=3393
TCP:  port=2150 -> dport: 17300  flags=******S* seq=4246163840
      ack=0 off=7 res=0 win=16384 urp=0 chksum=11947
      Options:
       #1 - MSS len=4 data=05B4
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------
#(188 - 37) [2002-12-31 23:49:45]  TCP inbound to 17300 Kuang2
IPv4: 24.141.211.244 -> 12.82.129.14
      hlen=5 TOS=0 dlen=40 ID=34200 flags=0 offset=0 TTL=111 chksum=3158
TCP:  port=2150 -> dport: 17300  flags=***A**** seq=4246163841
      ack=2329939848 off=5 res=0 win=17520 urp=0 chksum=48262
Payload: none
------------------------------------------------------------------------------
#(188 - 38) [2002-12-31 23:49:48]  TCP inbound to 17300 Kuang2
IPv4: 24.141.211.244 -> 12.82.129.14
      hlen=5 TOS=0 dlen=40 ID=34490 flags=0 offset=0 TTL=111 chksum=2868
TCP:  port=2150 -> dport: 17300  flags=*****R** seq=4246163841
      ack=0 off=5 res=0 win=0 urp=56901 chksum=48421
Payload: none
------------------------------------------------------------------------------



------------------------------------------------------------------------------
#(188 - 42) [2003-01-01 00:00:42]  TCP inbound to 17300 Kuang2
IPv4: 24.210.144.37 -> 12.82.129.14
      hlen=5 TOS=0 dlen=48 ID=61975 flags=0 offset=0 TTL=49 chksum=8537
TCP:  port=1514 -> dport: 17300  flags=******S* seq=5303038
      ack=0 off=7 res=0 win=59680 urp=0 chksum=11994
      Options:
       #1 - MSS len=4 data=05B4
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------
#(188 - 43) [2003-01-01 00:00:43]  TCP inbound to 17300 Kuang2
IPv4: 24.210.144.37 -> 12.82.129.14
      hlen=5 TOS=0 dlen=40 ID=62231 flags=0 offset=0 TTL=49 chksum=8289
TCP:  port=1514 -> dport: 17300  flags=***A**** seq=5303039
      ack=3030841619 off=5 res=0 win=59680 urp=0 chksum=44499
Payload: none
------------------------------------------------------------------------------
#(188 - 45) [2003-01-01 00:01:26]  TCP inbound to 17300 Kuang2
IPv4: 24.210.144.37 -> 12.82.129.14
      hlen=5 TOS=0 dlen=40 ID=5656 flags=0 offset=0 TTL=49 chksum=64864
TCP:  port=1514 -> dport: 17300  flags=*****R** seq=5303039
      ack=3133846692 off=5 res=0 win=0 urp=0 chksum=54603
Payload: none
------------------------------------------------------------------------------


------------------------------------------------------------------------------
#(188 - 46) [2003-01-01 00:03:03]  TCP inbound to 17300 Kuang2
IPv4: 24.210.144.37 -> 12.82.129.14
      hlen=5 TOS=0 dlen=48 ID=23064 flags=0 offset=0 TTL=49 chksum=47448
TCP:  port=1518 -> dport: 17300  flags=******S* seq=5443855
      ack=0 off=7 res=0 win=59680 urp=0 chksum=2243
      Options:
       #1 - MSS len=4 data=05B4
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------
#(188 - 47) [2003-01-01 00:03:03]  TCP inbound to 17300 Kuang2
IPv4: 24.210.144.37 -> 12.82.129.14
      hlen=5 TOS=0 dlen=40 ID=23576 flags=0 offset=0 TTL=49 chksum=46944
TCP:  port=1518 -> dport: 17300  flags=***A**** seq=5443856
      ack=3179438836 off=5 res=0 win=59680 urp=0 chksum=5376
Payload: none
------------------------------------------------------------------------------
#(188 - 48) [2003-01-01 00:04:00]  TCP inbound to 17300 Kuang2
IPv4: 24.210.144.37 -> 12.82.129.14
      hlen=5 TOS=0 dlen=40 ID=38168 flags=0 offset=0 TTL=49 chksum=32352
TCP:  port=1518 -> dport: 17300  flags=*****R** seq=5443856
      ack=1535738692 off=5 res=0 win=0 urp=0 chksum=16342
Payload: none
------------------------------------------------------------------------------


------------------------------------------------------------------------------
#(562 - 435) [2003-01-04 19:22:49]  TCP inbound to 17300 Kuang2
IPv4: 24.82.93.34 -> 12.82.128.136
      hlen=5 TOS=0 dlen=48 ID=18698 flags=0 offset=0 TTL=113 chksum=48751
TCP:  port=2448 -> dport: 17300  flags=******S* seq=3983326971
      ack=0 off=7 res=0 win=16384 urp=771 chksum=17473
      Options:
       #1 - MSS len=4 data=05B4
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------
#(562 - 436) [2003-01-04 19:22:50]  TCP inbound to 17300 Kuang2
IPv4: 24.82.93.34 -> 12.82.128.136
      hlen=5 TOS=0 dlen=40 ID=18821 flags=0 offset=0 TTL=113 chksum=48636
TCP:  port=2448 -> dport: 17300  flags=***A**** seq=3983326972
      ack=2455523879 off=5 res=0 win=17520 urp=771 chksum=34817
Payload: none
------------------------------------------------------------------------------
#(562 - 437) [2003-01-04 19:22:53]  TCP inbound to 17300 Kuang2
IPv4: 24.82.93.34 -> 12.82.128.136
      hlen=5 TOS=0 dlen=40 ID=19192 flags=0 offset=0 TTL=113 chksum=48265
TCP:  port=2448 -> dport: 17300  flags=*****R** seq=3983326972
      ack=0 off=5 res=0 win=0 urp=0 chksum=46084
Payload: none
------------------------------------------------------------------------------



------------------------------------------------------------------------------
#(562 - 441) [2003-01-04 19:30:41]  TCP inbound to 17300 Kuang2
IPv4: 62.137.118.162 -> 12.82.128.136
      hlen=5 TOS=0 dlen=48 ID=37856 flags=0 offset=0 TTL=111 chksum=13794
TCP:  port=3301 -> dport: 17300  flags=******S* seq=813358970
      ack=0 off=7 res=0 win=8760 urp=0 chksum=48755
      Options:
       #1 - MSS len=4 data=05B4
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------
#(562 - 442) [2003-01-04 19:30:42]  TCP inbound to 17300 Kuang2
IPv4: 62.137.118.162 -> 12.82.128.136
      hlen=5 TOS=0 dlen=40 ID=37857 flags=0 offset=0 TTL=111 chksum=13801
TCP:  port=3301 -> dport: 17300  flags=***A**** seq=813358971
      ack=2964701948 off=5 res=0 win=8760 urp=0 chksum=30581
Payload: none
------------------------------------------------------------------------------
#(562 - 443) [2003-01-04 19:31:03]  TCP inbound to 17300 Kuang2
IPv4: 62.137.118.162 -> 12.82.128.136
      hlen=5 TOS=0 dlen=40 ID=37884 flags=0 offset=0 TTL=111 chksum=13774
TCP:  port=3301 -> dport: 17300  flags=*****R** seq=813358971
      ack=3102038754 off=5 res=0 win=0 urp=0 chksum=63907
Payload: none
------------------------------------------------------------------------------


Here's the only probe I've seen with a src port 17300:

------------------------------------------------------------------------------
#(622 - 25) [2003-01-25 14:02:48]  TCP inbound to 17300 Kuang2
IPv4: 216.40.243.24 -> 12.82.131.186
      hlen=5 TOS=0 dlen=40 ID=53028 flags=0 offset=0 TTL=110 chksum=8798
TCP:  port=17300 -> dport: 17300  flags=******S* seq=139324875
      ack=729646487 off=5 res=0 win=51098 urp=0 chksum=24228
Payload: none
------------------------------------------------------------------------------
#(622 - 26) [2003-01-25 14:02:49]  TCP inbound to 17300 Kuang2
IPv4: 216.40.243.24 -> 12.82.131.186
      hlen=5 TOS=0 dlen=40 ID=14696 flags=0 offset=0 TTL=242 chksum=13338
TCP:  port=17300 -> dport: 17300  flags=*****R** seq=139324876
      ack=0 off=5 res=0 win=0 urp=0 chksum=55120
Payload: none
------------------------------------------------------------------------------
#(622 - 27) [2003-01-25 14:02:49]  TCP inbound to 17300 Kuang2
IPv4: 216.40.243.24 -> 12.82.131.186
      hlen=5 TOS=0 dlen=60 ID=14703 flags=0 offset=0 TTL=51 chksum=45823
TCP:  port=3882 -> dport: 17300  flags=******S* seq=286060836
      ack=0 off=10 res=0 win=32120 urp=0 chksum=26176
      Options:
       #1 - MSS len=4 data=05B4
       #2 - SACKOK len=0
       #3 - TS len=10 data=0016B3FB00000000
       #4 - NOP len=0
       #5 - WS len=3 data=00
Payload: none
------------------------------------------------------------------------------
#(622 - 28) [2003-01-25 14:02:49]  TCP inbound to 17300 Kuang2
IPv4: 216.40.243.24 -> 12.82.131.186
      hlen=5 TOS=0 dlen=52 ID=14711 flags=0 offset=0 TTL=51 chksum=45823
TCP:  port=3882 -> dport: 17300  flags=***A**** seq=286060837
      ack=3967778627 off=8 res=0 win=32120 urp=0 chksum=61445
      Options:
       #1 - NOP len=0
       #2 - NOP len=0
       #3 - TS len=10 data=0016B4245878E08A
Payload: none
------------------------------------------------------------------------------
#(622 - 29) [2003-01-25 14:02:59]  TCP inbound to 17300 Kuang2
IPv4: 216.40.243.24 -> 12.82.131.186
      hlen=5 TOS=0 dlen=52 ID=15135 flags=0 offset=0 TTL=51 chksum=45399
TCP:  port=3882 -> dport: 17300  flags=***A***F seq=286060837
      ack=3967778627 off=8 res=0 win=32120 urp=0 chksum=60434
      Options:
       #1 - NOP len=0
       #2 - NOP len=0
       #3 - TS len=10 data=0016B8165878E08A
Payload: none
------------------------------------------------------------------------------
#(622 - 30) [2003-01-25 14:02:59]  TCP inbound to 17300 Kuang2
IPv4: 216.40.243.24 -> 12.82.131.186
      hlen=5 TOS=0 dlen=52 ID=15150 flags=0 offset=0 TTL=51 chksum=45384
TCP:  port=3882 -> dport: 17300  flags=***A**** seq=286060838
      ack=3967778628 off=8 res=0 win=32120 urp=0 chksum=59360
      Options:
       #1 - NOP len=0
       #2 - NOP len=0
       #3 - TS len=10 data=0016B82F5878E4A2
Payload: none
------------------------------------------------------------------------------



------------------------------------------------------------------------------
#(641 - 140) [2003-02-07 21:42:48]  TCP inbound to 17300 Kuang2
IPv4: 218.157.164.94 -> 12.82.129.203
      hlen=5 TOS=0 dlen=48 ID=33864 flags=0 offset=0 TTL=112 chksum=31078
TCP:  port=1657 -> dport: 17300  flags=******S* seq=879043774
      ack=0 off=7 res=0 win=16384 urp=0 chksum=37619
      Options:
       #1 - MSS len=4 data=0596
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------
#(641 - 141) [2003-02-07 21:42:49]  TCP inbound to 17300 Kuang2
IPv4: 218.157.164.94 -> 12.82.129.203
      hlen=5 TOS=0 dlen=48 ID=33895 flags=0 offset=0 TTL=112 chksum=31047
TCP:  port=1657 -> dport: 17300  flags=******S* seq=879043774
      ack=0 off=7 res=0 win=16384 urp=0 chksum=37619
      Options:
       #1 - MSS len=4 data=0596
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------
#(641 - 142) [2003-02-07 21:42:52]  TCP inbound to 17300 Kuang2
IPv4: 218.157.164.94 -> 12.82.129.203
      hlen=5 TOS=0 dlen=48 ID=33928 flags=0 offset=0 TTL=112 chksum=31014
TCP:  port=1657 -> dport: 17300  flags=******S* seq=879043774
      ack=0 off=7 res=0 win=16384 urp=0 chksum=37619
      Options:
       #1 - MSS len=4 data=0596
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------


-----Original Message-----


---------------
01:58:53.790082 204.42.204.151.17300 > 24.219.XX.XX.17300: S [tcp sum
ok] 490674844:490674844(0) win 49724 (ttl 113, id 21549, len 40)
                 4500 0028 542d 0000 7106 39ae cc2a cc97
                 18db XXXX 4394 4394 1d3f 1a9c 0da5 8c9f
                 5002 c23c d868 0000 0000 0000 0000

01:58:53.798301 24.219.XX.XX.17300 > 204.42.204.151.17300: S [tcp sum
ok] 0:0(0) ack 490674845 win 65535 (DF) [tos 0x10]  (ttl 64, id 0, len
40)
                 4510 0028 0000 4000 4006 7ecb 18db XXXX
                 cc2a cc97 4394 4394 0000 0000 1d3f 1a9d
                 5012 ffff 34d9 0000

01:58:53.908607 204.42.204.151.17300 > 24.219.XX.XX.17300: R [tcp sum
ok] 490674845:490674845(0) win 0 (ttl 244, id 48833, len 40)
                 4500 0028 bec1 0000 f406 4c19 cc2a cc97
                 18db XXXX 4394 4394 1d3f 1a9d 0000 0000
                 5004 0000 34e7 0000 0000 0000 0000

01:59:04.012423 204.42.204.151.2195 > 24.219.XX.XX.17300: S [tcp sum
ok] 31094744:31094744(0) win 32120 <mss 1460,sackOK,timestamp
317697848 0,nop,wscale 0> (DF) (ttl 53, id 49933, len 60)
                 4500 003c c30d 4000 3506 c6b9 cc2a cc97
                 18db XXXX 0893 4394 01da 77d8 0000 0000
                 a002 7d78 8698 0000 0204 05b4 0402 080a
                 12ef af38 0000 0000 0103 0300

01:59:04.019866 24.219.XX.XX.17300 > 204.42.204.151.2195: S [tcp sum
ok] 0:0(0) ack 31094745 win 65535 (DF) [tos 0x10]  (ttl 64, id 0, len
40)
                 4510 0028 0000 4000 4006 7ecb 18db XXXX
                 cc2a cc97 4394 0893 0000 0000 01da 77d9
                 5012 ffff 2e03 0000

01:59:04.145460 204.42.204.151.2195 > 24.219.XX.XX.17300: . [tcp sum
ok] 31094745:31094745(0) ack 1 win 32120 (DF) (ttl 53, id 49945, len
40)
                 4500 0028 c319 4000 3506 c6c1 cc2a cc97
                 18db XXXX 0893 4394 01da 77d9 0000 0001
                 5010 7d78 b08b 0000 0000 0000 0000

01:59:04.145596 24.219.XX.XX.17300 > 204.42.204.151.2195: R [tcp sum
ok] 1:1(0) win 0 (DF) (ttl 64, id 0, len 40)
                 4500 0028 0000 4000 4006 7edb 18db XXXX
                 cc2a cc97 4394 0893 0000 0001 0000 0000
                 5004 0000 a7c3 0000



- John
-- 
"You are in a little maze of twisty passages, all different."

    PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
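The field-by-field comparison John and Royans do by hand above, as an added example that is not part of the original message: a Python parser for the three hex dumps in Royans's tcpdump output (the first SYN from source port 17300, the RST that followed it, and the second SYN from source port 2195). It pulls out TTL, IP ID, DF, window, sequence and ack numbers and the TCP option list (MSS, SACKOK, timestamps, wscale), estimates the hop count from the nearest common initial TTL, computes the effective window after scaling, and flags the oddities the thread points out. Royans masked the destination address as "XXXX"; the example substitutes 0000 as a placeholder, so IP and TCP checksums cannot be verified and are not checked. The initial-TTL table (32/64/128/255) and the hop arithmetic are this example's assumptions, not something the original message states.

```python
"""Compare IP/TCP fingerprints of the port-17300 probes from this thread.
Added example, not code from the original post. The hex dumps are the three
probes in Royans's tcpdump output with the masked destination ("XXXX")
replaced by the placeholder 0000, so checksums are not verified here."""
import struct

# Hex copied from the original message (destination placeholder 0000). The
# 40-byte packets end in 6 zero bytes of link-layer padding; parse_packet() trims them.
DUMPS = {
    "syn_sport17300": ("4500 0028 542d 0000 7106 39ae cc2a cc97 18db 0000 4394 4394"
                       " 1d3f 1a9c 0da5 8c9f 5002 c23c d868 0000 0000 0000 0000"),
    "rst_sport17300": ("4500 0028 bec1 0000 f406 4c19 cc2a cc97 18db 0000 4394 4394"
                       " 1d3f 1a9d 0000 0000 5004 0000 34e7 0000 0000 0000 0000"),
    "syn_sport2195": ("4500 003c c30d 4000 3506 c6b9 cc2a cc97 18db 0000 0893 4394"
                      " 01da 77d8 0000 0000 a002 7d78 8698 0000 0204 05b4 0402 080a"
                      " 12ef af38 0000 0000 0103 0300"),
}
FLAG_BITS = (("F", 0x01), ("S", 0x02), ("R", 0x04), ("P", 0x08), ("A", 0x10), ("U", 0x20))
COMMON_INITIAL_TTLS = (32, 64, 128, 255)   # assumption: the usual stack defaults

def parse_tcp_options(opts):
    """Decode the TCP option bytes into (name, value) pairs."""
    out, i = [], 0
    while i < len(opts) and opts[i] != 0:        # kind 0 = end of option list
        kind = opts[i]
        if kind == 1:                            # NOP is a single byte
            out.append(("nop", None))
            i += 1
            continue
        length, data = opts[i + 1], opts[i + 2:i + opts[i + 1]]
        if kind == 2:
            out.append(("mss", struct.unpack("!H", data)[0]))
        elif kind == 3:
            out.append(("wscale", data[0]))      # shift count (RFC 1323)
        elif kind == 4:
            out.append(("sackok", None))
        elif kind == 8:
            out.append(("ts", struct.unpack("!II", data)))   # (TSval, TSecr)
        else:
            out.append((f"kind{kind}", data.hex()))
        i += length
    return out

def parse_packet(hexdump):
    """Decode IPv4 and TCP headers from a tcpdump-style hex dump (no link layer)."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    ver_ihl, _tos, total_len, ip_id, frag, ttl, proto, _ck = struct.unpack("!BBHHHBBH", raw[:12])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("expected an IPv4/TCP packet")
    tcp = raw[(ver_ihl & 0x0F) * 4:total_len]             # drops trailing padding
    sport, dport, seq, ack, off_flags, win, _ck, urp = struct.unpack("!HHIIHHHH", tcp[:20])
    return {
        "ip_id": ip_id, "df": bool(frag & 0x4000), "ttl": ttl,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "win": win, "urp": urp,
        "flags": "".join(f for f, bit in FLAG_BITS if off_flags & bit),
        "options": parse_tcp_options(tcp[20:(off_flags >> 12) * 4]),
    }

def initial_ttl(ttl):
    """Smallest common initial TTL at or above the observed value."""
    return next(t for t in COMMON_INITIAL_TTLS if ttl <= t)

def hop_estimate(ttl):
    return initial_ttl(ttl) - ttl

def effective_window(pkt):
    """Header window shifted by the wscale option; a shift of 0 changes nothing."""
    return pkt["win"] << dict(pkt["options"]).get("wscale", 0)

def anomalies(pkt):
    """Single-packet oddities of the kind the thread points out."""
    found = []
    if "S" in pkt["flags"] and "A" not in pkt["flags"] and pkt["ack"]:
        found.append("nonzero ack field in a SYN without the ACK flag")
    if "S" in pkt["flags"] and not pkt["options"]:
        found.append("SYN without any TCP options (not even MSS)")
    if pkt["sport"] == pkt["dport"]:
        found.append("source port equals destination port")
    return found

def path_consistency(pkts):
    """Hop estimate per packet; one host on one path should give one number."""
    hops = {name: hop_estimate(p["ttl"]) for name, p in pkts.items()}
    return hops, len(set(hops.values())) == 1

def main():
    pkts = {name: parse_packet(h) for name, h in DUMPS.items()}
    for name, p in pkts.items():
        print(f"{name}: {p['sport']}->{p['dport']} [{p['flags']}] ttl={p['ttl']} "
              f"(init {initial_ttl(p['ttl'])}, ~{hop_estimate(p['ttl'])} hops) id={p['ip_id']} "
              f"df={p['df']} win={p['win']} eff={effective_window(p)} opts={p['options']}")
        for a in anomalies(p):
            print("    !", a)
    hops, consistent = path_consistency(pkts)
    print("hop estimates:", hops, "-> consistent with one path:", consistent)

if __name__ == "__main__":
    main()
```

Running it reproduces the argument the thread makes in prose: the RST (TTL 244) and the second SYN (TTL 53) both come out at about 11 hops, matching the hop count Royans measured, while the first SYN (TTL 113) would have had to start at 124, a value no common stack uses, so its TTL was most likely written by the tool rather than by the sending OS. The same SYN also carries a nonzero ack field with no ACK flag and no options at all, while the second SYN has the full option set of a real stack. The wscale 0 option in that second SYN leaves the effective window at 32120, which is why, as John says, it carries no great significance.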

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

