Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-10-30 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

More Fragmentation; What is Normal Part II

Published: 2004-10-30
Last Updated: 2004-10-31 01:26:41 UTC
by Lorna Hutcheson (Version: 1)
0 comment(s)
More Fragmentation

We have more reports of UDP fragmentation that appears to be very much related. David Tulo has provided us with some good observations from his first captures that is he seeing:


1. The packet length is 64 bytes.

2. The IPID appears random.

3. The Fragment Offset is always 64.

4. TTL is always 52.

5. The IP Header Checksum is valid.

6. The source port is always 4591 (11EF).

7. The destination port is always 53.

8. The length is always 25

9. The DNS ID is always 29175(71F7).

10. The packet has bits set for:

A. DNS Query

B. Recursion Desired

C. 1 Question

11. However... no DNS question is ever asked.


We received another capture from Ian Marks showing the same fragmentation pattern. Here are a couple of more observations from the traffic. The more fragments bit is not set and the first fragment appears not to have been sent as neither captures contained it. The data portion between the two were identical except bytes 7 and 8 of the data were changing in both of them but very similar between the two captures.

We are still very much interested in seeing more captures of similar traffic. Also, if you notice any other activity at the time that may pertain to this, please let us know.

What is Normal Part II

We would like to thank the readers for all the great input! We received many tips on how they identify a baseline for their systems and for finding what should not be there. Here are some of the comments that we received:

John Franolich:

To know what processes are running on a machine, I create a baseline of the ports / processes running when the box first gets built. For example, I fport it out to a text file and keep the file offline. Any program will do fine besides fport, choose your flavor. Then I can compare it later. Of course it is not going to prevent a exe from being wrapped, or not showing up in the tasks list at all, but it is a good start and allow a person to get a gut feeling about a box. Typically on a box that has been taken by scripts I'll see extra spool processes running etc.

Frank Adams

On my windows PCs, monitoring whats normal, I tend to use a program that has a process monitor combined with a port egress monitor called Port Explorer, by Diamond Computer Systems...You get a good sense of what's normal traffic and what isnt very quickly with it on a system since you see exactly which service or program is sending packets across which ports to what address. The only downside is that it really helps to know what should be running, what address(es) the program or service sends packets to, and what shouldn't be running.

Brandon Enright

What I do now is enter comment into Process Explorer for all known services. I built one XP machine and one 2000 machine fresh and commented just about every executable from a base install to fully patched. I turned on all the services and commented all those processes. Then I installed as much ?spyware? as possible and commented all those process. Now when I sit down at a machine and see new processes and programs each one that isn?t glaringly obvious gets a quick google search. New drivers and driver helpers and other programs get commented as good while new malware gets commented simply as malware or as it?s viral name. The most common comments are something like ?VIRUS (Gaobot)? or ?Spyware? or ?Anti-Virus (Norton)? or ?Good (Dell WiFi Driver). Since Process Explorer stores the absolute path, not just the executable name these comments are generally very reliable...It now has over 2200 documented Processes.
Happy Halloween Everyone!!


Lorna Hutcheson

Handler on Duty

http://www.iss-md.com
Keywords:
0 comment(s)
Diary Archives