
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-05-07 InfoSec Handlers Diary Blog


Odd Packets

Published: 2004-05-07
Last Updated: 2004-05-08 04:17:29 UTC
by Mike Poor (Version: 1)
0 comment(s)
From the front line

A number of sites have been seeing unusual SYN-ACK traffic coming from port 80
which at first glance appears to be backscatter from a DDoS attack. A closer look
leaves us slightly puzzled. Note: these logs have been sanitized to protect the
guilty and the innocent.


11:57:58.477497 IP (tos 0x0, ttl 112, id 32814, offset 0, flags [DF], length: 40)
10.10.10.103.80 > 192.168.154.177.41359: S [tcp sum ok]
2030205186:2030205186(0) ack 25686 win 65535
4500 0028 802e 4000 7006 1ad7 0a0a 0a67
c0a8 9ab1 0050 a18f 7902 7902 0000 6456
5b12 ffff 3ccd 0000 0000 0000 0000

12:09:05.651825 IP (tos 0x0, ttl 112, id 23183, offset 0, flags [DF], length: 40)
10.10.10.103.80 > 192.168.154.177.27772: SE [tcp sum ok]
1244547630:1244547630(0) ack 36086 win 65535
4500 0028 5a8f 4000 7006 4076 0a0a 0a67
c0a8 9ab1 0050 6c7c 4a2e 4a2e 0000 8cf6
5652 ffff aba8 0000 0000 0000 0000

12:45:12.480408 IP (tos 0x0, ttl 112, id 11525, offset 0, flags [DF], length: 40)
10.10.10.103.80 > 192.168.154.177.19647: SW [tcp sum ok]
1565220171:1565220171(0) ack 35766 win 65535
4500 0028 2d05 4000 7006 6e00 0a0a 0a67
c0a8 9ab1 0050 4cbf 5d4b 5d4b 0000 8bb6
5092 ffff ac2b 0000 0000 0000 0000

Some unusual patterns that a number of us have picked up on from the traffic:

- Different combinations of the TCP reserved / ECN (Explicit Congestion
Notification) bits set. If these were valid ECN SYN-ACKs, they would have
only the SYN, ACK, and ECN-Echo flags set (no CWR, no reserved bits).

- The TCP window size is maxed out (65535) on all the packets.

- Sequence numbers have a definite pattern: the same 2 bytes (4 hex
characters) repeated in the high and low halves, for example:

Seq: 0x79027902
Seq: 0x4a2e4a2e
Seq: 0x5d4b5d4b


This is unusual, as these sequence numbers are coming from a host that you
would initially assume is suffering a DDoS attack. Has anyone seen this
traffic? Got packets?
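To make the three oddities above checkable on packet dumps rather than by eye, here is an added example (not part of the original diary, and not a tool the handlers used) that decodes the raw IPv4/TCP header hex exactly as printed above and reports which of the diary's heuristics each packet matches: reserved/ECN bits that a valid ECN SYN-ACK would never carry, a 65535 window, and a sequence number whose two 16-bit halves are identical. The three hex dumps are the diary's own sanitized packets; the fourth, "clean" SYN-ACK is a constructed comparison packet with made-up checksums, and the anomaly names are my own labels.

```python
"""Decode sanitized IPv4/TCP hex dumps and flag the diary's SYN-ACK oddities."""
import struct

# Hex dumps copied from the diary's tcpdump output (sanitized addresses).
DIARY_PACKETS = [
    "4500 0028 802e 4000 7006 1ad7 0a0a 0a67 c0a8 9ab1 0050 a18f 7902 7902 0000 6456 5b12 ffff 3ccd 0000 0000 0000 0000",
    "4500 0028 5a8f 4000 7006 4076 0a0a 0a67 c0a8 9ab1 0050 6c7c 4a2e 4a2e 0000 8cf6 5652 ffff aba8 0000 0000 0000 0000",
    "4500 0028 2d05 4000 7006 6e00 0a0a 0a67 c0a8 9ab1 0050 4cbf 5d4b 5d4b 0000 8bb6 5092 ffff ac2b 0000 0000 0000 0000",
]

# Constructed comparison packet (not from the diary): a plain, non-ECN SYN-ACK with
# window 16384 and a non-repeating sequence number. Checksums are dummy values;
# this parser does not verify them.
NORMAL_SYNACK = "4500 0028 0001 4000 4006 0000 0a0a 0a67 c0a8 9ab1 0050 c000 1234 5678 0000 1001 5012 4000 0000 0000"

CWR, ECE, ACK, SYN = 0x80, 0x40, 0x10, 0x02
TCP_FLAG_NAMES = [(0x80, "CWR"), (0x40, "ECE"), (0x20, "URG"), (0x10, "ACK"),
                  (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN")]
MAX_WINDOW = 0xFFFF


def parse_ipv4_tcp(hex_dump):
    """Decode the IPv4 and fixed TCP headers from a hex dump; trailing padding is ignored."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    if raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4
    total_len, ip_id, _frag, ttl, proto = struct.unpack("!HHHBB", raw[2:10])
    if proto != 6:
        raise ValueError("not a TCP packet")
    tcp = raw[ihl:ihl + 20]
    sport, dport, seq, ack, off_res, flags, window = struct.unpack("!HHIIBBH", tcp[:16])
    return {
        "src": ".".join(map(str, raw[12:16])),
        "dst": ".".join(map(str, raw[16:20])),
        "ttl": ttl, "ip_id": ip_id, "total_len": total_len,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (off_res >> 4) * 4,
        "reserved": off_res & 0x0F,  # the 4 bits between data offset and the flag byte
        "flags": flags,
        "flag_names": [name for bit, name in TCP_FLAG_NAMES if flags & bit],
        "window": window,
    }


def find_anomalies(pkt):
    """Return the labels of the diary heuristics that the decoded packet matches."""
    found = []
    is_synack = bool(pkt["flags"] & SYN) and bool(pkt["flags"] & ACK)
    # RFC 3168: an ECN-capable SYN-ACK carries ECE only; CWR or any reserved bit is wrong.
    if is_synack and (pkt["flags"] & CWR or pkt["reserved"]):
        found.append("invalid-ecn-or-reserved-bits")
    if pkt["window"] == MAX_WINDOW:
        found.append("max-window")
    # Repeating 2-byte pattern: high 16 bits equal the low 16 bits (0x79027902 etc.).
    if (pkt["seq"] >> 16) == (pkt["seq"] & 0xFFFF):
        found.append("repeating-16bit-seq")
    return found


def analyze(hex_dump):
    """Decode one hex dump and attach the list of matched anomalies."""
    pkt = parse_ipv4_tcp(hex_dump)
    pkt["anomalies"] = find_anomalies(pkt)
    return pkt


if __name__ == "__main__":
    for dump in DIARY_PACKETS + [NORMAL_SYNACK]:
        p = analyze(dump)
        print(f"{p['src']}:{p['sport']} > {p['dst']}:{p['dport']} "
              f"flags={'+'.join(p['flag_names'])} res=0x{p['reserved']:x} "
              f"seq=0x{p['seq']:08x} win={p['window']} -> {p['anomalies'] or 'clean'}")
```

Run as-is, it prints one line per packet; all three diary packets trip all three heuristics (note that the second packet's SYN+ACK+ECE flags would be a legal ECN handshake on their own, and it is the non-zero reserved nibble 0x6 that gives it away), while the constructed SYN-ACK comes back clean. The same parse-then-score loop can be pointed at a `tcpdump -x` capture to pull out candidate packets for a closer look.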

Handler on Duty: Mike Poor <mike .at. intelguardians.com>