
SANS ISC: InfoSec Handlers Diary Blog



Update: Call for Packets - Unassigned TCP Options

Published: 2011-03-07
Last Updated: 2011-03-14 19:12:41 UTC
by Lorna Hutcheson (Version: 2)
7 comment(s)

We had a user over the weekend send us some interesting traffic, primarily destined to port 80. The packets carry a TCP option whose kind value falls in the range IANA lists as unassigned; the sequence numbers do not change from packet to packet, but the source IPs do. They also throw in a packet here and there to destination ports other than 80, such as ports 21, 22 and 1. If anyone is seeing something similar and has logs, or preferably packets, please send them to us.


UPDATE:   I want to thank those who have submitted traffic and logs.  There is still no answer for this traffic, but I wanted to share with everyone what we have received so far.   Here is an example of a capture:

114.134.83.141    xxx.xxx.xxx.xxx    TCP    33338 > 80 [SYN] Seq=846930886 Win=61690 Len=0 MSS=1460 WS=4

0000   00 00 ff ff 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010   45 00 00 3c 45 67 40 00 e9 06 a7 30 72 86 53 8d   E..<Eg@....0r.S.
0020   xx xx xx xx 82 3a 00 50 32 7b 23 c6 69 98 3c 64   >K...:.P2{#.i.<d
0030   a0 02 f0 fa 97 d4 00 00 02 04 05 b4 01 01 04 02   ................
0040   b2 08 f0 47 00 00 00 00 01 03 03 04               ...G........


Items of interest across the three captures sent to us:

Source IPs: various

Initial Sequence Number is identical: 846930886

ACK flag is NOT set, but the acknowledgment number field is non-zero and identical in all three captures: 69 98 3c 64

Window Scale option is present in every capture and set to 4

Unassigned TCP option: b2 08 f0 47 00 00 00 00 (kind 0xb2 = 178, length 8, six data bytes f0 47 00 00 00 00)
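The capture above decoded field by field, as an added example (this editor's code, not part of the diary or of anything submitted to it). It assumes the first 16 bytes of the dump are a link-layer header ending in the EtherType 0x0800 (the layout of a Linux cooked-mode capture), and it replaces the masked destination "xx xx xx xx" with the constructed placeholder 10.0.0.1, so the IP and TCP checksums no longer validate and are not checked. Besides the indicators listed above, it compares the constant header fields with the first outputs of glibc's rand(), reimplemented here, because an unseeded rand() is a common source of "random" values in hand-built packet generators:

```python
# Added example: decode the diary's SYN and check the indicators it lists.
# Constructed input: the diary's hex dump with the masked destination
# "xx xx xx xx" replaced by 10.0.0.1, so checksums no longer validate (not checked).
import struct

HEX_DUMP = """
0000   00 00 ff ff 00 00 00 00 00 00 00 00 00 00 08 00
0010   45 00 00 3c 45 67 40 00 e9 06 a7 30 72 86 53 8d
0020   0a 00 00 01 82 3a 00 50 32 7b 23 c6 69 98 3c 64
0030   a0 02 f0 fa 97 d4 00 00 02 04 05 b4 01 01 04 02
0040   b2 08 f0 47 00 00 00 00 01 03 03 04
"""
LINK_HDR_LEN = 16   # 16-byte link header (Linux cooked-capture layout) ending in EtherType 0x0800
# Option kinds with an IANA assignment around 2011: 0-24, 26-29 and the experimental 253/254.
# Later assignments (30, 34, 69) do not change the status of kind 178.
KNOWN_TCP_OPTION_KINDS = set(range(0, 25)) | {26, 27, 28, 29, 253, 254}
FLAG_SYN, FLAG_ACK = 0x02, 0x10

def parse_hex_dump(dump):
    """'offset  xx xx ...' lines -> bytes; the offset and any trailing ASCII column are skipped."""
    data = bytearray()
    for line in dump.strip().splitlines():
        for tok in line.split()[1:]:
            if len(tok) != 2 or not all(c in "0123456789abcdefABCDEF" for c in tok):
                break                     # reached the ASCII column
            data.append(int(tok, 16))
    return bytes(data)

def parse_tcp_options(blob):
    """Walk the option list -> [(kind, data), ...]; EOL and NOP carry no length byte."""
    opts, i = [], 0
    while i < len(blob):
        kind = blob[i]
        if kind == 0:
            opts.append((0, b""))
            break
        if kind == 1:
            opts.append((1, b""))
            i += 1
            continue
        length = blob[i + 1] if i + 1 < len(blob) else 0
        if length < 2 or i + length > len(blob):
            raise ValueError("bad length %d for option kind %d" % (length, kind))
        opts.append((kind, bytes(blob[i + 2:i + length])))
        i += length
    return opts

def parse_packet(raw):
    """Decode the IPv4 and TCP headers into the fields the diary discusses."""
    if raw[LINK_HDR_LEN - 2:LINK_HDR_LEN] != b"\x08\x00":
        raise ValueError("not IPv4")
    ip = raw[LINK_HDR_LEN:]
    ver_ihl, _, total_len, ip_id, _, ttl, proto, _ = struct.unpack("!BBHHHBBH", ip[:12])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not TCP over IPv4")
    tcp = ip[(ver_ihl & 0x0F) * 4:total_len]
    sport, dport, seq, ack, off_flags, window, _, _ = struct.unpack("!HHIIHHHH", tcp[:20])
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "ip_id": ip_id, "ttl": ttl, "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "window": window,
            "options": parse_tcp_options(tcp[20:(off_flags >> 12) * 4])}

def glibc_rand(seed, count):
    """glibc rand()/random() (TYPE_3 generator) reimplemented; seed 1 is what an unseeded program gets."""
    r = [seed] + [0] * 343
    for i in range(1, 31):
        r[i] = (16807 * r[i - 1]) % 2147483647
    for i in range(31, 34):
        r[i] = r[i - 31]
    for i in range(34, 344):
        r[i] = (r[i - 31] + r[i - 3]) & 0xFFFFFFFF
    out = []
    for _ in range(count):
        r.append((r[-31] + r[-3]) & 0xFFFFFFFF)
        out.append(r[-1] >> 1)
    return out

def analyze(pkt):
    """The diary's indicators, plus the editor's check of the constants against glibc rand()."""
    rand = glibc_rand(1, 3)
    ack_le = struct.unpack("<I", struct.pack(">I", pkt["ack"]))[0]   # ACK bytes read little-endian
    return {"syn_only": pkt["flags"] == FLAG_SYN,
            "ack_flag_set": bool(pkt["flags"] & FLAG_ACK),
            "ack_field_nonzero": pkt["ack"] != 0,
            "unassigned_options": [k for k, _ in pkt["options"] if k not in KNOWN_TCP_OPTION_KINDS],
            "window_scale": next((d[0] for k, d in pkt["options"] if k == 3 and d), None),
            "ip_id_is_rand0_low16": pkt["ip_id"] == (rand[0] & 0xFFFF),
            "isn_is_rand1": pkt["seq"] == rand[1],
            "ack_is_rand2_little_endian": ack_le == rand[2]}

if __name__ == "__main__":
    pkt = parse_packet(parse_hex_dump(HEX_DUMP))
    print("%(src)s:%(sport)d -> %(dst)s:%(dport)d seq=%(seq)d ack=0x%(ack)08x win=%(window)d ttl=%(ttl)d" % pkt)
    for kind, data in pkt["options"]:
        print("  kind %3d len %2d %-12s %s" % (kind, len(data) + 2 if kind > 1 else 1, data.hex(),
                                               "" if kind in KNOWN_TCP_OPTION_KINDS else "<- unassigned"))
    for name, value in analyze(pkt).items():
        print("  %-28s %s" % (name, value))
```

Running it lists the options as MSS 1460, NOP, NOP, SACK permitted, the unassigned kind 178 (0xb2) with length 8 and data f0 47 00 00 00 00, NOP, and window scale 4, with the flags confirming a bare SYN whose acknowledgment field is nonetheless populated. It also shows something the diary does not state, offered here as this editor's observation rather than a conclusion: the IP ID 0x4567, the ISN 846930886 and the acknowledgment field (0x643c9869 when its bytes 69 98 3c 64 are read little-endian, i.e. stored without htonl) are the low 16 bits of the first, the second, and the third value glibc rand() returns in a program that never calls srand(). That is consistent with a crafted packet generator filling header fields from an unseeded rand(), and with those fields being identical across captures from different sources; it says nothing about what the sender wants, which remains the open question.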

 

If you have any ideas, or you are seeing traffic similar to this with unassigned TCP options, please let us know.