Security Incidents mailing list archives
Re: TCP Munging or ICMP Crossdressing
From: hdm () SECUREAUSTIN COM (H D Moore)
Date: Thu, 24 Feb 2000 11:39:24 -0600
This could be the result of someone using hping2 with the "read data from file option" to do some kind of firewall ruleset testing... That is the only widely known tool I know of which could easily create this sugnature. -HD "Stephen P. Berry" wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
About twenty-four hours ago I started seeing some anomalous traffic which
doesn't match any signature with which I am currently familiar.
Looking at a representative packet in hex (a la tcpdump(8) with the -x
flag given):
4500 .... .... 4000 ..06 .... xxxx xxxx
yyyy yyyy 7803 8018 7803 8018 7803 8018
7803 8018 7803 8018 7803 8018 7803 8018
7803 8018 7803
Where xxxx xxxx and yyyy yyyy are the appropriate hex values for the
source and destination IP addresses, respectively, and the `.'s are
the length, ID, TTL and checksum which vary from incident to incident
but which are all appropriate values.
The repeated pattern which starts immediately after the end of the IP
header varies from incident to incident, as well as from packet to
packet in a single incident[0]. The pattern has always been four bytes
long, but the overall packet length varies.
I've observed this traffic on multiple sensors on different segments.
All of them do, however, share a common upstream provider---so it
is possible that the cause is a smafco'd router or some such rather
than nastiness on the apparent source host. So far, all of this
odd traffic has occured in relative proximity (within a couple seconds
or so) of otherwise uninteresting traffic (mostly innocuous-looking
inbound web traffic).
When I first saw this, I thought I was looking at the result of someone
using a BSDlike ping(8) with a four byte -p pattern. But of course
the IP header identifies the packets as being TCP, and there is no
(proper) layer four header at all.
Does this look familiar to anyone? And no, none of the traffic came
from demon.co.uk, gb.net, or any of the related fountains of munged
traffic[1].
- -Steve
Current thread:
- TCP Munging or ICMP Crossdressing Stephen P. Berry (Feb 22)
- Re: TCP Munging or ICMP Crossdressing H D Moore (Feb 24)
