Security Incidents: Oh, Christmas Tree (Was: packets with reserved bits set on)

[Brett Glass <brett () LARIAT ORG>]

At 06:36 AM 9/8/2000, Vitaly Osipov wrote:

> Hi all,
>
> Each day I get some weird packets coming to logs :) sometimes it is really
> difficult task to figure out what's happening... So I was wondering for some
> time what the following thing could be -
>
> Aug 22 16:37:09 194.24.254.24:53 -> 195.22.32.22:1026 UDP
>
> 08/22-16:37:14.530505 0:90:F2:55:F0:0 -> 0:60:8:CE:FC:C1 type:0x800 len:0x4A
> 194.24.254.24:4556 -> 195.22.32.22:113 TCP TTL:59 TOS:0x0 ID:0 DF
> 21S***** Seq: 0x494ED4AF Ack: 0x0 Win: 0x16D0
> TCP Options => MSS: 1460 SackOK TS: 60856195 0 NOP WS: 0
[Snip]

> etc. both source and destinations are nameservers, 194.24.254.24 running
> bind  "8.2.2-P5-NOESW" (at least is says so when asked for version.bind). I
> just wonder why it has some reserved bits set? is it some feature of their
> bind?(probably not) I asked sysadmin of that host - he said it will be
> checked, but no reply since then.
They were probably hacked by a skript kiddie via that (vulnerable) version
of BIND 8 and are now being used to probe the network. "Christmas tree"
packets are generally not used for much else.

--Brett