Is it Really an Attack?

Published: 2013-02-03
Last Updated: 2013-02-03 20:27:42 UTC
by Lorna Hutcheson (Version: 1)
1 comment(s)

In today's world, compromised systems as well as attacks and probes against our networks are sadly becoming the norm.  Because of this, when we see network traffic that violates "normal" behavior, our first reaction is that someone is doing reconnaissance, we have been compromised or we are under attack.  We all want to be proactive and stop the activity, but we also don't want to become the "Boy who cried wolf".  Sometimes the traffic can be outside of what is "normal" but be completely legitimate traffic.  Taking a deep breath and remaining calm while doing the analysis is important.  Ask yourself if the traffic could have a legitimate purpose.  Here are a couple of examples of products that generate traffic that appears threatening, but really are the normal behavior of the system.  

F5 Load Balancer:
I first encountered traffic from an F5 back in 2006.  At that time a reader submitted traffic to us that had the following unusual characteristics:

1.  The repeating IP ID which rotated using only 1, 2, or 3
2.  The windows size was a constant 2048
3.  The TTLs which were usually 44/45 or very close to that.
4.  It was always TCP connections to the primary DNS server.  No UDP traffic was captured from those IPs.  
5.  The 24 0x00 data bytes (keep in mind that these are SYN packets)
6.  The time stamps and source ports were also helpful in determining that these were not TCP retries.

The submitter was not sure what was going on but the traffic certainly was not normal.  I won't rehash the diary here, you can read the diary entry "Packet Analysis Challenge: The Solution" if you like.   The traffic was simply the probes of the F5 Global Traffic Manager.  I am not sure if the L5 probes function the same way today or not.  I do know that the Global Traffic Manager now states this:

By default, big3d agents first attempt to probe the local DNS with a DNS_DOT query. If the probe attempt fails, big3d attempts the following tasks, in the following order:
 •DNS_REV query
 •UDP echo
 •TCP port 53 socket connection
 •ping (ICMP echo)


which can be easily mistaken for a probe/attack against your local DNS server.  In the end, the unusual traffic was normal.


McAfee Rogue System Detection Sensors
With McAfee you can install Rogue System Detection Sensors in your network and manage them via the ePO policies.  These sensors scan the networks to do OS fingerprinting.  You can read about this feature at McAfee's community website.  Here is an example of the traffic you will see if left unmodified:
 
Host discovery
 UDP ports
 53 67 69 123 137 161 500 1434
 
Host discovery
 TCP ports
 21 22 23 25 79 80 110 113 139 264 265 443 1025 1433 1723 5000
 
Service discovery
 UDP ports
 53 68-69 123 135 137-138 161 260 445 500 514 520 1434 1645-1646 1812-1813 2049 31337 43981
 
Service discovery
 TCP ports
 7 9 11 13 15 19 21-23 25 43 49 53 66-68 79-81 88-89 98 109-111 113 118-119 135 139 143 150 156 256-259 264 389 396 427 443 445 465
512-515 524 563 593 636 799 900-901 1024-1040 1080 1214 1243 1313 1352 1433 1494 1498 1521 1524-1525 1541-1542 1720 1723 1745 1755
1813 2000-2001 2003 2049 2080 2140 2301 2447 2766 2998 3128 3268 3300 3306 3372 3389 4045 4321 4665 4899 5222 5556 5631-5632 5800-5802
5900 6000 6112 6346 6666-6667 7000-7001 7070 7777 7947 8000-8001 8010 8080-8081 8100 8888 10000 12345 20034 30821 32768-32790 49152-
49157

 

It can be unnerving if you see workstations scanning your network and your not aware of the functionality of the software.  Again, nothing malicious, just normal software behavior.


Due to time and space, these are only a couple of examples of software/appliances whose traffic falls into the not "normal" range.  Being aware of these can help you save a few gray hairs and make better sense of traffic on your network.  I always find these unusual traffic patterns interesting but they can take a lot of time to research.  The information is not always easy to find and takes some time doing reading and web searches.   If you know of any others, please share them.  If we get enough, we can compile them for easy access as a reference.
 

1 comment(s)

Comments

OCSinventory agent can initiate scan using UDP/137 when configured for network discovery.
Agent calls home to server and when servers decides that agent actual IP is "close" to networks that needs discovery it signals the agent and agent starts incremental IP scan on desired network/s (src port 137, dst port 137).
especially spicy on migrating users
hth ... my 4 hours :(

Diary Archives