
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2016-01-27



SYN-ACK Packets With Data

Published: 2016-01-27
Last Updated: 2016-01-27 19:06:07 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

We haven't had an event like this in a while... "Odd Packets"! I was going through some honeypot packet captures with tcpflow, when I got this error message:

$ tcpflow -r ../allpackets
Wifipcap()
tcpflow: TCP PROTOCOL VIOLATION: SYN with data! (length=970)

It has been a while since I got SYN packets with data! So I had to look closer:

$ tcpdump -r ../allpackets -nX 'tcp[13]=2 && ip[2:2]-((ip[0]&0x0f)*4)-(tcp[12]>>4)*4>0'
reading from file ../allpackets, link-type EN10MB (Ethernet)

Nothing! Is tcpflow wrong? Well... I may be a bit too picky with tcp[13]=2: that matches only packets whose flag byte is exactly SYN and nothing else, so a packet with SYN plus any other flag set is skipped. Let's make Judy proud and use a bitmask:

tcpdump -r /tmp/allpackets -xn 'tcp[13]&2=2 && ip[2:2]-((ip[0]&0x0f)*4)-(tcp[12]>>4)*4>0'
reading from file /tmp/anon2, link-type EN10MB (Ethernet)
08:43:59.138235 IP 192.0.2.1.9090 > 192.0.2.2.27450: Flags [S.],
seq 159625496:159626466, ack 770903892, win 12960, length 970
    0x0000:  4508 03f2 530f 4000 2e06 71eb c000 0201  
    0x0010:  c000 0202 2382 6b3a 0983 b118 2df3 0f54  
    0x0020:  5012 32a0 6ec5 0000 0000 0000 0000 0000  
    0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  

Here we go. It was actually a SYN-ACK, not a plain SYN, that carried the payload. The payload was all 0x00 (I truncated the output).

There was no SYN going to that IP address, so this was an unsolicited response ("backscatter"). Has anybody seen traffic like this? So far, this was the only packet I have seen. The original source IP was 112.74.152.143. DoS against the analyst? Or some kind of new TCP-based reflective DoS off a real broken service?
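The filter above, re-implemented over raw IPv4/TCP header bytes as an added example (not code from the diary): it shows why the exact match tcp[13]=2 returns nothing while the bitmask tcp[13]&2=2 catches the SYN-ACK. The sample packet is constructed from the 64 header bytes in the tcpdump output, padded with the all-zero payload to the IP total length; the plain-SYN contrast case is also constructed.

```python
import struct
from typing import Tuple

TCP_SYN = 0x02


def tcp_flags_and_payload_len(pkt: bytes) -> Tuple[int, int]:
    """Return (tcp[13], ip[2:2] - IP header length - TCP header length).

    Computed from header fields only, exactly as the BPF expression does,
    so a capture truncated after the TCP header gives the same answer."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4                     # (ip[0]&0x0f)*4
    total_len = struct.unpack("!H", pkt[2:4])[0]  # ip[2:2]
    if pkt[9] != 6:
        raise ValueError("not TCP")
    tcp = pkt[ihl:ihl + 20]
    if len(tcp) < 14:
        raise ValueError("truncated TCP header")
    data_off = (tcp[12] >> 4) * 4                 # (tcp[12]>>4)*4
    return tcp[13], total_len - ihl - data_off


def syn_with_data(pkt: bytes, exact_match: bool = False) -> bool:
    """exact_match=True reproduces 'tcp[13]=2' (SYN and no other flag);
    False reproduces 'tcp[13]&2=2', which also matches SYN-ACK."""
    flags, payload_len = tcp_flags_and_payload_len(pkt)
    syn = (flags == TCP_SYN) if exact_match else (flags & TCP_SYN == TCP_SYN)
    return syn and payload_len > 0


# Constructed sample: the 64 bytes printed by tcpdump in the diary, then the
# all-zero payload padded out to the IP total length 0x03f2 = 1010 bytes.
SYN_ACK_WITH_DATA = bytes.fromhex(
    "4508 03f2 530f 4000 2e06 71eb c000 0201"
    "c000 0202 2382 6b3a 0983 b118 2df3 0f54"
    "5012 32a0 6ec5 0000 0000 0000 0000 0000"
    "0000 0000 0000 0000 0000 0000 0000 0000"
) + b"\x00" * (1010 - 64)

# Constructed contrast case: the same headers rewritten as an ordinary SYN
# with no payload (total length 40, flags 0x02). Checksums are left stale;
# the BPF expression does not inspect them either.
_hdr = bytearray(SYN_ACK_WITH_DATA[:40])
_hdr[2:4] = b"\x00\x28"
_hdr[33] = TCP_SYN   # tcp[13] sits at IP header (20) + 13
PLAIN_SYN = bytes(_hdr)
```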

---
Johannes B. Ullrich, Ph.D.


Couple updates and reminders

Published: 2016-01-27
Last Updated: 2016-01-27 17:07:07 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

We still have two surveys running, and will probably close them out soon:

Our year-end "how to improve" survey: https://dshield.typeform.com/to/W5p1Cu

Our survey for readers who are interested in submitting logs to us but are not doing so yet: https://dshield.typeform.com/to/t5g9K8

Also, we will start using a new Twitter account, @netsecjobs, to post new job ads submitted to our jobs section. (Submitting jobs is free, but the job has to prefer candidates with a GIAC certification.)

---
Johannes B. Ullrich, Ph.D.
