Security Incidents mailing list archives

One observed pattern of Win 55808 packets


From: "Golden Faron P Contr HQ SSG/SWSN" <Faron.Golden () Gunter AF mil>
Date: Wed, 18 Jun 2003 17:05:28 -0500

Some sample data of one characteristic behavior of the odd SYN packets
with Window Size 55808.  Notice the varying TTL values and the single
variance of the Packet ID while the Sequence number remains constant
along with the source/destination pairs.  Comments welcome, remembering
that this is just one of many characteristic behaviors observed.

12:06:25.925509 152.83.15.171.16172 > specific.36072: S [tcp sum ok]
232231517:232231517(0) win 55808 <mss 1414,nop,wscale 2,nop,nop,sackOK>
(ttl 109, id 19843, len 52)
12:07:58.047912 152.83.15.171.16172 > specific.36072: S [tcp sum ok]
232231517:232231517(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
(ttl 110, id 19843, len 52)
12:11:00.234395 152.83.15.171.16172 > specific.36072: S [tcp sum ok]
232231517:232231517(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
(ttl 116, id 19843, len 52)
12:40:38.889195 152.83.15.171.16172 > specific.36072: S [tcp sum ok]
232231517:232231517(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
(ttl 111, id 21122, len 52)
12:40:58.111835 152.83.15.171.16172 > specific.36072: S [tcp sum ok]
232231517:232231517(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
(ttl 115, id 19843, len 52)
12:43:02.731505 152.83.15.171.16172 > specific.36072: S [tcp sum ok]
232231517:232231517(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
(ttl 111, id 19843, len 52)
12:46:01.337882 152.83.15.171.16172 > specific.36072: S [tcp sum ok]
232231517:232231517(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
(ttl 111, id 19843, len 52)
12:57:50.059664 152.83.15.171.16172 > specific.36072: S [tcp sum ok]
232231517:232231517(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
(ttl 113, id 19843, len 52)
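
As an added example (not part of the original post), this Python script groups SYN packets with window 55808 by source, destination and sequence number, then reports the TTL and IP ID values seen in each group, which is the pattern the message describes. The first three sample records are copied from the post, the fourth is constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Sample input: first three records from the post, last one constructed.
SAMPLE = """\
12:06:25.925509 152.83.15.171.16172 > specific.36072: S [tcp sum ok]
232231517:232231517(0) win 55808 <mss 1414,nop,wscale 2,nop,nop,sackOK>
(ttl 109, id 19843, len 52)
12:40:38.889195 152.83.15.171.16172 > specific.36072: S [tcp sum ok]
232231517:232231517(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
(ttl 111, id 21122, len 52)
12:57:50.059664 152.83.15.171.16172 > specific.36072: S [tcp sum ok]
232231517:232231517(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
(ttl 113, id 19843, len 52)
12:58:01.000000 192.0.2.10.40000 > specific.80: S [tcp sum ok]
1000:1000(0) win 5840 <mss 1460,nop,nop,sackOK>
(ttl 64, id 4242, len 48)
"""

REC = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): S .*?"
    r"(?P<seq>\d+):\d+\(\d+\) win (?P<win>\d+) .*"
    r"\(ttl (?P<ttl>\d+), id (?P<id>\d+), len \d+\)")

def records(text):
    """Re-join wrapped tcpdump output: a new packet starts at a timestamp."""
    for chunk in re.split(r"\n(?=\d\d:\d\d:\d\d\.\d+ )", text.strip()):
        yield " ".join(chunk.split())

def repeated_syns(text, window=55808):
    """Group SYNs with the given window by (src, dst, seq).

    Returns only groups seen more than once, with the TTLs and IP IDs observed.
    """
    groups = defaultdict(lambda: {"count": 0, "ttls": set(), "ids": set()})
    for rec in records(text):
        m = REC.match(rec)
        if not m or int(m["win"]) != window:
            continue
        g = groups[(m["src"], m["dst"], int(m["seq"]))]
        g["count"] += 1
        g["ttls"].add(int(m["ttl"]))
        g["ids"].add(int(m["id"]))
    return {k: v for k, v in groups.items() if v["count"] > 1}

if __name__ == "__main__":
    for (src, dst, seq), g in repeated_syns(SAMPLE).items():
        print(src, dst, seq, g["count"], sorted(g["ttls"]), sorted(g["ids"]))
```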


