Update: Call for Packets - Unassigned TCP Options
We had a user over the weekend send us some interesting traffic, primarily destined to port 80. The packets carry a TCP option whose kind appears to fall in the unassigned range; the sequence number does not change, but the source IPs do. They also throw in an occasional packet to destination ports other than 80, such as 21, 22 and 1. If anyone is seeing something similar and has logs, or preferably packets, please send them to us.
UPDATE: I want to thank those who have submitted traffic and logs. There is still no answer for this traffic, but I wanted to share what we have received so far. Here is an example of a capture:
114.134.83.141 xxx.xxx.xxx.xxx TCP 33338 > 80 [SYN] Seq=846930886 Win=61690 Len=0 MSS=1460 WS=4
0000 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 08 00 ................
0010 45 00 00 3c 45 67 40 00 e9 06 a7 30 72 86 53 8d E..<Eg@....0r.S.
0020 xx xx xx xx 82 3a 00 50 32 7b 23 c6 69 98 3c 64 >K...:.P2{#.i.<d
0030 a0 02 f0 fa 97 d4 00 00 02 04 05 b4 01 01 04 02 ................
0040 b2 08 f0 47 00 00 00 00 01 03 03 04 ...G........
Items of interest across three captures sent to us:
Source IPs: Various
Initial Sequence Number is identical: 846930886
ACK flag is NOT set, but the ACK field is non-zero and identical in all 3 captures: 69 98 3c 64
Window Scale is the same in all 3 captures and set to 4
Unassigned TCP option (kind 178 = 0xb2, length 8): b2 08 f0 47 00 00 00 00
If you have any ideas, or you're seeing traffic similar to this with unassigned TCP options, please let us know.
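Decoding the dump above by hand is error-prone, and a BPF filter cannot match the option because its offset in the header varies with the options in front of it. The program below is an added example (mine, not part of the diary): it embeds the frame exactly as shown, with the masked destination address replaced by zeros (an assumption), decodes the IP and TCP headers, and walks the TCP options, flagging the first kind that is not in the IANA registry. The registry check is deliberately coarse (kinds 0 to 30 plus the RFC 4727 experimental kinds 253 and 254 count as assigned); the length checks in the option walk are the part you want before pointing a parser like this at hostile captures.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* The SYN from the diary's hex dump. The masked destination address
 * (xx xx xx xx) is replaced with zeros here; that is an assumption. */
static const uint8_t diary_frame[] = {
    /* Ethernet: dst, src, type 0x0800 */
    0x00,0x00,0xff,0xff,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00, 0x08,0x00,
    /* IPv4: total len 60, ID 0x4567, DF, TTL 233, proto 6, src 114.134.83.141 */
    0x45,0x00,0x00,0x3c,0x45,0x67,0x40,0x00,0xe9,0x06,0xa7,0x30,0x72,0x86,0x53,0x8d,
    /* dst (masked -> zeros); TCP: sport 33338, dport 80, seq, ack field */
    0x00,0x00,0x00,0x00,0x82,0x3a,0x00,0x50,0x32,0x7b,0x23,0xc6,0x69,0x98,0x3c,0x64,
    /* data offset 10 words, flags SYN, window 61690, checksum, urgent; options */
    0xa0,0x02,0xf0,0xfa,0x97,0xd4,0x00,0x00,0x02,0x04,0x05,0xb4,0x01,0x01,0x04,0x02,
    0xb2,0x08,0xf0,0x47,0x00,0x00,0x00,0x00,0x01,0x03,0x03,0x04
};

struct syn_info {
    uint16_t ip_id, sport, dport;
    uint32_t seq, ack_field;   /* decoded big-endian, as the wire format specifies */
    uint8_t  flags;
    int      n_options;
    int      window_scale;     /* shift count, or -1 if no WS option */
    int      unassigned_kind;  /* first unassigned option kind seen, or -1 */
    int      unassigned_len;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Coarse view of the IANA TCP option kind registry: 0-30 assigned or historic,
 * 253/254 experimental (RFC 4727). Anything else is treated as unassigned. */
int tcp_option_kind_assigned(int kind) {
    return kind <= 30 || kind == 253 || kind == 254;
}

/* Returns 0 on success, -1 if the frame is truncated or malformed. */
int parse_tcp_syn(const uint8_t *f, size_t len, struct syn_info *out) {
    if (len < 14 || be16(f + 12) != 0x0800) return -1;
    const uint8_t *ip = f + 14;
    size_t iplen = len - 14;
    if (iplen < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (ip[0] & 0x0f) * 4;
    size_t tot = be16(ip + 2);
    if (ihl < 20 || tot < ihl || tot > iplen || ip[9] != 6) return -1;
    const uint8_t *tcp = ip + ihl;
    size_t tcplen = tot - ihl;
    if (tcplen < 20) return -1;
    size_t doff = (tcp[12] >> 4) * 4;
    if (doff < 20 || doff > tcplen) return -1;

    out->ip_id = be16(ip + 4);
    out->sport = be16(tcp);   out->dport = be16(tcp + 2);
    out->seq = be32(tcp + 4); out->ack_field = be32(tcp + 8);
    out->flags = tcp[13];
    out->n_options = 0; out->window_scale = -1;
    out->unassigned_kind = -1; out->unassigned_len = 0;

    /* Option walk: kind 0 ends the list, kind 1 has no length byte, every
     * other kind carries a length that must be >= 2 and fit in the header. */
    const uint8_t *o = tcp + 20, *end = tcp + doff;
    while (o < end) {
        int kind = *o;
        if (kind == 0) break;
        if (kind == 1) { out->n_options++; o++; continue; }
        if (end - o < 2) return -1;
        int olen = o[1];
        if (olen < 2 || olen > end - o) return -1;   /* malformed length */
        out->n_options++;
        if (kind == 3 && olen == 3) out->window_scale = o[2];
        if (!tcp_option_kind_assigned(kind) && out->unassigned_kind < 0) {
            out->unassigned_kind = kind; out->unassigned_len = olen;
        }
        o += olen;
    }
    return 0;
}

/* Parses the embedded diary frame; returns NULL if it does not decode. */
const struct syn_info *analyze_diary_frame(void) {
    static struct syn_info si;
    return parse_tcp_syn(diary_frame, sizeof diary_frame, &si) == 0 ? &si : NULL;
}

int main(void) {
    const struct syn_info *s = analyze_diary_frame();
    if (!s) { puts("frame did not decode"); return 1; }
    printf("ip_id=0x%04x %u > %u flags=0x%02x seq=%u ack_field=0x%08x ws=%d options=%d\n",
           s->ip_id, s->sport, s->dport, s->flags, s->seq, s->ack_field,
           s->window_scale, s->n_options);
    if (s->unassigned_kind >= 0)
        printf("unassigned TCP option kind %d (0x%02x), length %d\n",
               s->unassigned_kind, s->unassigned_kind, s->unassigned_len);
    return 0;
}
```

Run against the embedded frame it reports seven options (MSS, NOP, NOP, SACK-permitted, kind 178, NOP, WS) and flags kind 178 with length 8; the non-zero ACK field is printed as decoded so it can be compared across captures.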
Comments
PhilHagen
Mar 7th 2011
PhilHagen
Mar 7th 2011
It's been way too long since I had to create a filter using offsets and if someone else has it, it would save me time and headaches.
Jason
Mar 7th 2011
tcpdump -w /storage/dump -s0 -nn -Z pcap 'not src host (yourhostip) and not (port with known traffic) and tcp[tcpflags]&(tcp-syn) !=0 and not tcp[tcpflags]& (tcp-ack) !=0', optionally piped by a `grep opt' should work out of the box.[0]
Kind regards,
srm
[0] man 1 tcpdump
srm
Mar 9th 2011
http://www.enye-sec.org/en/papers/playing.with.sockets.%28port.scanning%29.txt
The documentation includes examples where the sequence number above appears on every packet. The reason for this is that the programmer forgot to seed the random number generator, resulting in the same "random" number being generated every time the program is launched. Also, the line of code that sets the TCP offset does not make sense to me; it looks like a kludge that may work most of the time, or may cause garbage from adjacent memory to be appended to the packet. Also, it does not look like the code initializes the ACK number, which could result in garbage data going into that field.
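The unseeded-generator explanation above can be checked against the capture in the diary. The following is an added example, not code from the diary, the comments or the paper linked above: it reproduces the first outputs of glibc's rand() for the default seed (glibc's TYPE_3 additive feedback generator from random_r.c, reimplemented here so the result does not depend on the libc the program is compiled against) and compares them with the fixed fields of the SYN. The first output, 1804289383 (0x6b8b4567), has the capture's IP ID 0x4567 as its low 16 bits; the second, 846930886, is the ISN; the third, 1681692777 (0x643c9869), is the ACK field's bytes 69 98 3c 64 read in little-endian order, i.e. a value copied into the header without htonl(). That the tool was built against glibc and called rand() once each for the IP ID, the ISN and the ACK field is an inference from this match, not something the diary states.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Reproduce glibc's rand()/random() output stream for a given seed without
 * calling libc: TYPE_3 generator, degree 31, separation 3, 310 warm-up steps
 * discarded after seeding, output = state >> 1. */
void glibc_rand_sequence(uint32_t seed, size_t n, uint32_t *out) {
    uint32_t r[31];
    size_t i;
    r[0] = seed ? seed : 1;                       /* glibc maps seed 0 to 1 */
    for (i = 1; i < 31; i++)                      /* Park-Miller LCG fills the state */
        r[i] = (uint32_t)((16807ULL * r[i - 1]) % 2147483647ULL);
    /* r[i] = r[i-31] + r[i-3] (mod 2^32). Indices 31..33 alias r[0..2] in the
     * ring, matching glibc's initial front/rear pointers; outputs start at i = 344. */
    for (i = 34; i < 344 + n; i++) {
        uint32_t v = r[i % 31] + r[(i - 3) % 31];
        r[i % 31] = v;
        if (i >= 344) out[i - 344] = v >> 1;
    }
}

/* k-th value (0-based) a program gets from rand() when it never calls srand(). */
uint32_t unseeded_glibc_rand(size_t k) {
    uint32_t out[16];
    if (k >= 16) return 0;
    glibc_rand_sequence(1, k + 1, out);
    return out[k];
}

/* Constant fields taken from the diary capture. */
static const uint16_t DIARY_IP_ID = 0x4567;            /* IP ID bytes 45 67 */
static const uint32_t DIARY_ISN = 846930886u;          /* seq bytes 32 7b 23 c6 */
static const uint8_t  DIARY_ACK_BYTES[4] = { 0x69, 0x98, 0x3c, 0x64 };

/* Bit 0: IP ID == low 16 bits of rand() #1; bit 1: ISN == rand() #2;
 * bit 2: ACK field read little-endian (written without htonl) == rand() #3.
 * A result of 7 means all three fields are explained by an unseeded glibc rand(). */
int diary_syn_matches_unseeded_rand(void) {
    uint32_t r[3];
    glibc_rand_sequence(1, 3, r);
    uint32_t ack_le = (uint32_t)DIARY_ACK_BYTES[0]       | (uint32_t)DIARY_ACK_BYTES[1] << 8 |
                      (uint32_t)DIARY_ACK_BYTES[2] << 16 | (uint32_t)DIARY_ACK_BYTES[3] << 24;
    int m = 0;
    if (DIARY_IP_ID == (r[0] & 0xffff)) m |= 1;
    if (DIARY_ISN == r[1]) m |= 2;
    if (ack_le == r[2]) m |= 4;
    return m;
}

int main(void) {
    uint32_t r[5];
    glibc_rand_sequence(1, 5, r);
    for (size_t i = 0; i < 5; i++)
        printf("rand() #%zu = %u (0x%08x)\n", i + 1, r[i], r[i]);
    printf("match mask = %d (7 = IP ID, ISN and ACK field all match)\n",
           diary_syn_matches_unseeded_rand());
    return 0;
}
```

The same fingerprint is usable as a detection: a SYN whose ISN is 846930886, or whose IP ID is 0x4567, is a strong indicator of a hand-rolled glibc packet generator that never seeded its generator, independent of the source address.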
AlexB
Mar 15th 2011
Lorna
Mar 15th 2011
http://www.koders.com/c/fidB8A4A098EE8F34F898C75AEC374E771CE56767B2.aspx?s=printf#L102
ManOnFire
Mar 18th 2011